Mythic

Mythic is an open source, cross-platform post-exploitation/command and control platform. Mythic is designed to "plug-n-play" with various agents and communication channels.[1][2][3] Deployed Mythic C2 servers have been observed as part of potentially malicious infrastructure.[4]

ID: S0699
Type: TOOL
Platforms: Windows, Linux, macOS
Contributors: Cody Thomas, SpecterOps
Version: 1.0
Created: 26 March 2022
Last Modified: 18 April 2022

Techniques Used

Domain | ID | Name | Use
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Mythic supports HTTP-based C2 profiles.[3]
Enterprise | T1071.002 | Application Layer Protocol: File Transfer Protocols | Mythic supports SMB-based peer-to-peer C2 profiles.[3]
Enterprise | T1071.004 | Application Layer Protocol: DNS | Mythic supports DNS-based C2 profiles.[3]
Enterprise | T1119 | Automated Collection | Mythic supports scripting of file downloads from agents.[3]
Enterprise | T1132 | Data Encoding | Mythic provides various transform functions to encode and/or randomize C2 data.[3]
Enterprise | T1030 | Data Transfer Size Limits | Mythic supports custom chunk sizes used to upload/download files.[3]
Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Mythic supports SSL encrypted C2.[3]
Enterprise | T1008 | Fallback Channels | Mythic can use a list of C2 URLs as fallback mechanisms in case one IP or domain gets blocked.[3]
Enterprise | T1095 | Non-Application Layer Protocol | Mythic supports WebSocket and TCP-based C2 profiles.[3]
Enterprise | T1572 | Protocol Tunneling | Mythic can use SOCKS proxies to tunnel traffic through another protocol.[3]
Enterprise | T1090.001 | Proxy: Internal Proxy | Mythic can leverage a peer-to-peer C2 profile between agents.[3]
Enterprise | T1090.002 | Proxy: External Proxy | Mythic can leverage a modified SOCKS5 proxy to tunnel egress C2 traffic.[3]
Enterprise | T1090.004 | Proxy: Domain Fronting | Mythic supports domain fronting via custom request headers.[3]

References