grisuno
diff --git a/‎CHANGELOG.md‎
Lines changed: 7 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎CLAUDE.md‎
Lines changed: 311 additions & 757 deletions b/‎CLAUDE.md‎
Lines changed: 311 additions & 757 deletions
diff --git a/‎COMPARISON.md‎
Lines changed: 142 additions & 0 deletions b/‎COMPARISON.md‎
Lines changed: 142 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 7 additions & 0 deletions b/‎README.md‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎docs/ATTACK_MATRIX.md‎
Lines changed: 205 additions & 0 deletions b/‎docs/ATTACK_MATRIX.md‎
Lines changed: 205 additions & 0 deletions
@@ -2,6 +2,13 @@
 # Changelog
 
 
+### Nuevas características
+
+### Otros
+
+  *   * feat(feat): new exploit \n\n Version: release/0.2.129 \n\n with love \n\n   LazyOwn on HackTheBox: https://app.hackthebox.com/teams/overview/6429 \n\n  LazyOwn/   https://grisuno.github.io/LazyOwn/ \n\n \n\n Fecha: dom 17 may 2026 23:59:39 -04 \n\n Hora: 1779076779
+
+
 ### Nuevas características
 
 ### Otros
 
@@ -0,0 +1,142 @@
+# LazyOwn vs Other Open-Source Red Team Frameworks
+
+Honest, side-by-side comparison. Updated 2026-05-17.
+
+If you find a row that is inaccurate, open an issue. We will fix it. We would
+rather lose a tick than mislead an operator.
+
+---
+
+## At a glance
+
+| Capability | LazyOwn | Sliver | Havoc | Mythic | Empire 5.x | Caldera | Metasploit |
+|---|:-:|:-:|:-:|:-:|:-:|:-:|:-:|
+| Active OSS development | yes | yes | yes | yes | yes | yes | yes |
+| License | GPLv3 | GPLv3 | GPLv3 | BSD-3 | BSD-3 | Apache-2 | BSD-3 |
+| Single-binary install path | yes | yes | partial | container only | yes | partial | yes |
+| Operator CLI (interactive) | yes (cmd2) | yes | partial | partial | yes | no (web) | yes |
+| Operator web UI | yes (Flask) | no | yes (Qt) | yes (React) | yes (Starkiller) | yes | no |
+| Multi-operator collaboration | yes (SSE + locks) | yes (multiplayer) | yes | yes | partial | yes | no (msfrpcd) |
+| Windows beacon (in-memory) | yes (Go + C) | yes | yes (Demon) | yes (many) | yes | yes (sandcat) | yes |
+| Linux beacon | yes (Go + C) | yes | partial | yes | yes (Starkiller) | yes (sandcat) | yes |
+| macOS beacon | yes (Go) | yes | no | yes | partial | yes | yes |
+| **Linux BOF support** | **yes (ELF dlopen)** | **no** | **no** | **no** | **no** | **no** | **no** |
+| Windows BOF support | partial (via beacon.yaml addon) | yes (COFF loader) | yes | yes (apollo, athena) | partial | no | no |
+| Malleable C2 HTTP profile | yes | yes | yes | yes (via containers) | partial | partial | yes (advanced) |
+| DNS C2 | yes (built-in resolver) | yes | partial | yes | yes | no | yes |
+| TLS / mTLS | yes (self-signed + mTLS-ready) | yes | yes | yes | yes | partial | yes |
+| Built-in phishing engine | yes (templates + SMTP + tracker) | no | no | no | partial | no | no (msfvenom only) |
+| Recon / scanning suite bundled | yes (nmap, gobuster, ffuf, enum4linux, responder, etc.) | no | no | no | partial | no | partial |
+| MITRE ATT&CK adversary emulation | yes (`playbooks/apt_*.yaml`) | no | no | partial | no | **yes (primary use case)** | partial |
+| Automated kill-chain loop | yes (`autonomous_daemon`) | no | no | no | no | yes (operations) | no |
+| LLM-assisted operator (built-in) | **yes** (Groq, Ollama, Claude via MCP) | no | no | no | no | no | no |
+| Multi-agent AI (hive-mind / MoE) | **yes** (SWAN + hive_mind) | no | no | no | no | no | no |
+| MCP server for Claude / agents | **yes (95+ tools)** | no | no | no | no | no | no |
+| Knowledge graph navigation | yes (`graphify-out/`) | no | no | no | no | no | no |
+| Knowledge bases (GTFOBins, LOLBas, ATT&CK) | yes (parquet) | no | no | no | no | partial | yes (modules db) |
+| Plugin system | yes (YAML addons + Lua + .tool) | yes (armory + extensions) | yes (modules) | yes (containers) | yes (modules) | yes (plugins) | yes (modules) |
+| Reporting (auto-generated) | yes (Markdown + DOCX + executive JSON) | no | no | no | no | yes | partial |
+| Decoy / deception landing site | yes (canary, webcam capture) | no | no | no | no | no | no |
+| Container image (official) | yes (`lazyown-docker/`) | yes | yes | yes (compose) | yes | yes | yes |
+| Active campaign state on disk | yes (`sessions/`) | yes | yes | yes | yes | yes | yes (db) |
+| Free for commercial use | yes (GPLv3) | yes | yes | yes | yes | yes | yes (community) |
+
+Legend: yes = first-class, partial = present but limited or experimental, no = not implemented.
+
+---
+
+## Where LazyOwn wins today
+
+**Linux BOF.** As of 2026-05-17 LazyOwn is the only open-source C2 framework
+shipping a Beacon Object File runtime for Linux targets. BOFs are compiled
+as position-independent ELF shared objects and loaded via `dlopen` into the
+running beacon. The `datap` API is source-compatible with the Windows BOF
+contract, so porting an existing BOF means swapping Win32 calls for Linux
+syscalls or libc equivalents. See `docs/PORTING_BOFS_TO_LINUX.md`.
+
+**Adversary emulation.** Seven YAML profiles ship under `playbooks/`: APT28,
+APT29, APT41, Conti, FIN7, Lazarus, and LockBit. Each maps to MITRE group
+IDs and references published CTI. Replay one with `playbook_run apt_apt28`.
+
+**AI-native operations.** Every other framework treats LLMs as an add-on. In
+LazyOwn the model orchestrates the engagement: `autonomous_daemon` drives a
+reward-shaped kill chain, `swan_ensemble` routes tasks through a mixture of
+experts, and `hive_spawn` runs role-specialised drones in parallel. The MCP
+server exposes 95+ tools to Claude Code so the operator can drive the whole
+framework from a conversational interface.
+
+**Breadth in a single repo.** Recon, exploitation, lateral movement,
+credential access, persistence, C2, phishing, and reporting all ship in one
+install. No glue between four projects, no separate framework for each
+phase.
+
+**Reproducible campaign state.** Everything lands in `sessions/`. Restart
+the shell, restore the directory on another box, and the campaign keeps
+going. Reporting reads the same artefacts the operator does.
+
+---
+
+## Where the alternatives win today
+
+**Sliver.** More mature implant ecosystem on Windows. COFF loader for
+Windows BOFs is battle-tested. Better support for cross-compilation of
+implants out of the box. If your engagement is Windows-only and you do not
+need AI orchestration, Sliver is a strong default.
+
+**Havoc.** Best-in-class operator desktop UI. The Demon agent has excellent
+Windows tradecraft. If your team values a polished native GUI over a web
+dashboard plus CLI, Havoc is the better visual experience.
+
+**Mythic.** Containerised payload architecture lets you mix language-agnostic
+agents (Apollo, Athena, Poseidon, Medusa). If you need to swap implants per
+target environment, Mythic's model is more flexible than LazyOwn's
+single-beacon-family approach.
+
+**Caldera.** MITRE-funded, designed around adversary emulation as the
+primary use case. If your engagement is purple-team or detection
+validation rather than penetration testing, Caldera's operation/adversary
+abstractions map more directly to that workflow.
+
+**Metasploit.** Largest exploit module library and the deepest history of
+hardening. If you need exploits for a specific CVE today, Metasploit is
+still the fastest path.
+
+**Empire 5.x.** Most polished PowerShell tradecraft for legacy Windows
+estates. If your scope is heavily AD-focused on Windows-only targets,
+Empire's modules remain very strong.
+
+---
+
+## When NOT to pick LazyOwn
+
+- **You need a stable Cobalt-Strike-shaped Windows engagement and nothing
+  else.** Sliver or Havoc will feel more familiar.
+- **You require FedRAMP/government certification.** None of the OSS C2s
+  qualify; you need a commercial product.
+- **You operate without internet access and cannot use a hosted LLM.** The
+  AI features degrade gracefully (Ollama is supported locally), but the full
+  experience assumes Groq or another API. Without any LLM, the differentiator
+  shrinks to recon breadth and Linux BOF.
+- **You want a desktop GUI as the primary interface.** LazyOwn ships
+  `lazygui/` and a Textual TUI, but Havoc's Qt UI is more polished today.
+
+---
+
+## Roadmap to close known gaps
+
+Tracked in GitHub issues, summarised here:
+
+- Windows COFF loader parity with Sliver inside the Go beacon.
+- ARM/IoT beacon (`blackzincbeacon`) for embedded targets.
+- Operator handbook with screenshots and a guided demo engagement.
+- Reproducible end-to-end demo video pinned to the README.
+- Signed releases (cosign) and SBOM publication.
+- Plugin marketplace index at addons.lazyown.io.
+
+---
+
+## How we keep this honest
+
+Every claim in the table above is testable from the repo. If you can show
+an addon, route, or `do_*` command that contradicts a "no", we owe you a
+patch. Pull requests against this file are welcome.
@@ -13024,6 +13024,13 @@ No description available.
 # Changelog
 
 
+### Nuevas características
+
+### Otros
+
+  *   * feat(feat): new orquestator \n\n Version: release/0.2.128 \n\n with love \n\n   LazyOwn on HackTheBox: https://app.hackthebox.com/teams/overview/6429 \n\n  LazyOwn/   https://grisuno.github.io/LazyOwn/ \n\n \n\n Fecha: dom 17 may 2026 00:56:05 -04 \n\n Hora: 1778993765
+
+
 ### Nuevas características
 
 ### Otros
 
@@ -0,0 +1,205 @@
+# MITRE ATT&CK Coverage Matrix
+
+Mapping of LazyOwn capabilities to MITRE ATT&CK Enterprise tactics and
+techniques. Updated 2026-05-17. The intent is honesty, not credit: a row
+without strong evidence is marked `partial` or `none`, never `yes`.
+
+Verify a claim by running the listed command, addon, or skill and observing
+that the artefact lands in `sessions/`. If a row is wrong, open an issue
+with the failing reproducer.
+
+Categories below mirror the kill-chain layout used by the CLI
+(`utils.py:recon_category` and friends). Each LazyOwn category maps onto
+one or more ATT&CK tactics.
+
+---
+
+## TA0043 — Reconnaissance
+
+| Technique | ATT&CK ID | LazyOwn surface | Status |
+|---|---|---|---|
+| Active Scanning: Scanning IP Blocks | T1595.001 | `do_lazynmap`, `do_amass`, `do_arpscan` | yes |
+| Active Scanning: Vulnerability Scanning | T1595.002 | `do_nikto`, `do_wpscan`, `modules/integrations/nuclei_bridge.py` | yes |
+| Gather Victim Host Information | T1592 | `do_enum4linux`, `do_enum4linux_ng` | yes |
+| Search Open Websites/Domains | T1593 | `do_amass`, OSINT skills | partial |
+| Search Open Technical Databases | T1596 | `find_ss`, `find_ea`, `nvddb`, `packetstormsecurity` | yes |
+| Phishing for Information | T1598 | phishing blueprint + SMTP tracker | yes |
+
+## TA0042 — Resource Development
+
+| Technique | ATT&CK ID | LazyOwn surface | Status |
+|---|---|---|---|
+| Acquire Infrastructure: Domains | T1583.001 | manual; documented in QUICKSTART | none |
+| Develop Capabilities: Malware | T1587.001 | Go beacon, BlackSandBeacon, Windows beacon addon | yes |
+| Develop Capabilities: Code Signing Certificates | T1587.002 | `gen_cert.sh`, `generate_certificates()` | partial |
+| Obtain Capabilities: Exploits | T1588.005 | `searchsploit`, ExploitAlert scrapers | yes |
+| Stage Capabilities: Upload Malware | T1608.001 | C2 staging routes, `sessions/<artefact>` | yes |
+| Stage Capabilities: Drive-by Target | T1608.004 | decoy site + landing pages | yes |
+
+## TA0001 — Initial Access
+
+| Technique | ATT&CK ID | LazyOwn surface | Status |
+|---|---|---|---|
+| Phishing: Spearphishing Link | T1566.002 | phishing blueprint + tracker | yes |
+| Phishing: Spearphishing Attachment | T1566.001 | phishing blueprint with attachment templates | yes |
+| Drive-by Compromise | T1189 | landing pages + decoy capture | partial |
+| Exploit Public-Facing Application | T1190 | `do_sqlmap`, `do_nikto`, `do_wpscan` | yes |
+| Valid Accounts | T1078 | `start_user` / `start_pass` payload keys, `do_hydra` | yes |
+| External Remote Services | T1133 | RDP/SSH probing via nmap and `do_responder` | partial |
+
+## TA0002 — Execution
+
+| Technique | ATT&CK ID | LazyOwn surface | Status |
+|---|---|---|---|
+| Command and Scripting Interpreter: Bash | T1059.004 | beacon + `do_run` | yes |
+| Command and Scripting Interpreter: PowerShell | T1059.001 | `do_empire`, Windows beacon | yes |
+| Command and Scripting Interpreter: Python | T1059.006 | impacket suite | yes |
+| Native API | T1106 | Windows beacon NT API, BlackSandBeacon direct syscalls | yes |
+| Inter-Process Communication | T1559 | BOF runtime + Unix sockets | partial |
+| User Execution: Malicious File | T1204.002 | phishing payload templates | yes |
+
+## TA0003 — Persistence
+
+| Technique | ATT&CK ID | LazyOwn surface | Status |
+|---|---|---|---|
+| Account Manipulation | T1098 | post-exploitation utilities | partial |
+| Boot or Logon Autostart Execution | T1547 | `modules/rootkit/`, addons | partial |
+| Scheduled Task/Job | T1053 | `do_cron` | yes |
+| Server Software Component: Web Shell | T1505.003 | reverse-shell generators | yes |
+| Create or Modify System Process | T1543 | `modules/rootkit/` Linux LKM | yes |
+
+## TA0004 — Privilege Escalation
+
+| Technique | ATT&CK ID | LazyOwn surface | Status |
+|---|---|---|---|
+| Abuse Elevation Control Mechanism: Sudo | T1548.003 | GTFOBins parquet KB | yes |
+| Exploitation for Privilege Escalation | T1068 | `searchsploit` integration, reactive_engine | yes |
+| Process Injection | T1055 | Windows beacon Early Bird APC | yes |
+| Setuid and Setgid | T1548.001 | GTFOBins parquet KB | yes |
+
+## TA0005 — Defense Evasion
+
+| Technique | ATT&CK ID | LazyOwn surface | Status |
+|---|---|---|---|
+| Obfuscated Files or Information | T1027 | Go beacon Garble obfuscation, XOR stub | yes |
+| Indicator Removal: File Deletion | T1070.004 | manual (no first-class surface) | none |
+| Masquerading | T1036 | decoy site, malleable C2 user-agents | yes |
+| Reflective Code Loading | T1620 | Windows BOF + Linux BOF dlopen | yes |
+| Direct Volume Access / Direct Syscalls | T1006 | BlackSandBeacon direct syscalls | yes |
+| Use Alternate Authentication Material | T1550 | Kerberos relay tooling | partial |
+
+## TA0006 — Credential Access
+
+| Technique | ATT&CK ID | LazyOwn surface | Status |
+|---|---|---|---|
+| OS Credential Dumping: LSASS Memory | T1003.001 | `do_mimikatzpy` | yes |
+| OS Credential Dumping: NTDS | T1003.003 | impacket secretsdump | yes |
+| OS Credential Dumping: /etc/shadow | T1003.008 | post-exploitation utilities | yes |
+| Brute Force: Password Cracking | T1110.002 | `do_john2hash`, `do_hashcat` | yes |
+| Brute Force: Credential Stuffing | T1110.004 | `do_hydra` | yes |
+| Credentials from Password Stores | T1555 | `do_john2keepas`, browser addons | partial |
+| Steal or Forge Kerberos Tickets | T1558 | impacket suite | yes |
+| Adversary-in-the-Middle: LLMNR Poisoning | T1557.001 | `do_responder` | yes |
+
+## TA0007 — Discovery
+
+| Technique | ATT&CK ID | LazyOwn surface | Status |
+|---|---|---|---|
+| Account Discovery | T1087 | `do_enum4linux`, AD enumeration | yes |
+| Domain Trust Discovery | T1482 | `do_bloodhound` | yes |
+| Network Share Discovery | T1135 | impacket smbclient | yes |
+| Network Service Discovery | T1046 | `do_lazynmap` | yes |
+| Permission Groups Discovery | T1069 | BloodHound | yes |
+| Process Discovery | T1057 | post-exploitation utilities | yes |
+| Remote System Discovery | T1018 | network_discovery, `do_lazynmap` | yes |
+| System Information Discovery | T1082 | `auto_populate` | yes |
+
+## TA0008 — Lateral Movement
+
+| Technique | ATT&CK ID | LazyOwn surface | Status |
+|---|---|---|---|
+| Remote Services: SMB/Windows Admin Shares | T1021.002 | `do_psexec`, `do_psexec_py` | yes |
+| Remote Services: WinRM | T1021.006 | `do_evilwinrm` | yes |
+| Remote Services: SSH | T1021.004 | beacon SSH module | yes |
+| Use Alternate Authentication Material: Pass the Hash | T1550.002 | impacket suite | yes |
+| Lateral Tool Transfer | T1570 | `do_chisel`, `do_socat`, `do_ligolo` | yes |
+
+## TA0009 — Collection
+
+| Technique | ATT&CK ID | LazyOwn surface | Status |
+|---|---|---|---|
+| Audio Capture | T1123 | decoy site capture | partial |
+| Video Capture | T1125 | decoy site capture | partial |
+| Data from Local System | T1005 | beacon download command | yes |
+| Data from Network Shared Drive | T1039 | impacket suite | yes |
+| Screen Capture | T1113 | `do_eyewitness`, `do_gowitness` (operator-side, web only) | partial |
+
+## TA0011 — Command and Control
+
+| Technique | ATT&CK ID | LazyOwn surface | Status |
+|---|---|---|---|
+| Application Layer Protocol: Web Protocols | T1071.001 | Flask C2 + malleable profile | yes |
+| Application Layer Protocol: DNS | T1071.004 | built-in `dnslib` resolver | yes |
+| Data Encoding: Standard Encoding | T1132.001 | beacon JSON + base64 | yes |
+| Data Obfuscation | T1001 | XOR stub, AES-256 channel | yes |
+| Dynamic Resolution: Domain Generation Algorithms | T1568.002 | manual | none |
+| Encrypted Channel: Symmetric Cryptography | T1573.001 | AES-256 beacon channel | yes |
+| Encrypted Channel: Asymmetric Cryptography | T1573.002 | TLS via `gen_cert.sh` | yes |
+| Fallback Channels | T1008 | short-URL beacon routes | yes |
+| Ingress Tool Transfer | T1105 | C2 staging endpoints | yes |
+| Proxy: Internal Proxy | T1090.001 | `do_chisel`, `do_ligolo`, `do_socat` | yes |
+| Proxy: Multi-hop Proxy | T1090.003 | chained chisel + ligolo | partial |
+| Web Service | T1102 | decoy site fallthrough | partial |
+
+## TA0010 — Exfiltration
+
+| Technique | ATT&CK ID | LazyOwn surface | Status |
+|---|---|---|---|
+| Exfiltration Over C2 Channel | T1041 | beacon upload command | yes |
+| Exfiltration Over Alternative Protocol: DNS | T1048.003 | DNS resolver | partial |
+| Exfiltration Over Web Service: Cloud Storage | T1567.002 | manual | none |
+| Scheduled Transfer | T1029 | scheduling addons | partial |
+
+## TA0040 — Impact
+
+LazyOwn does not implement destructive impact techniques (T1485 data
+destruction, T1486 ransomware, T1490 inhibit system recovery, T1499
+endpoint DoS, T1496 resource hijacking). These belong to malicious actors
+and are out of scope for an authorised red-team framework. Requests to add
+them will be rejected.
+
+---
+
+## Adversary emulation profiles
+
+`playbooks/` ships seven named-actor YAML profiles: `apt_apt28.yaml`,
+`apt_apt29.yaml`, `apt_apt41.yaml`, `apt_conti.yaml`, `apt_fin7.yaml`,
+`apt_lazarus.yaml`, `apt_lockbit.yaml`. Each maps a sequence of LazyOwn
+commands onto MITRE technique IDs so an operator can replay a campaign
+end-to-end for purple-team validation. Separately, `lazyadversaries/`
+holds technique-level building blocks (AMSI, persistence, shellcode
+injection) that the playbooks compose.
+
+Run a profile with:
+
+```
+playbook_generate <profile>
+playbook_run <profile>
+```
+
+The reward shaping in `skills/autonomous_daemon.py` scores each step
+against the technique it was tagged with, so detection telemetry can be
+correlated back to ATT&CK directly.
+
+---
+
+## What this matrix is not
+
+- It is **not** a guarantee that every technique works against every target
+  out of the box. Many require operator judgement (correct OS, correct
+  privilege, correct service version).
+- It is **not** a substitute for reading the relevant `do_*` docstring,
+  addon YAML, or `parquets/` knowledge base.
+- It is **not** updated automatically. When you add a `do_*` covering a new
+  technique, edit the table in the same change. A row added here without
+  a working command will be removed at review.