Change Log

What's new for 2.3?

• New React-based User Interface

• New Parameter group based command parsing when tasking

  • Users can tab-complete command parameters

  • Parameter Groups allow for conditional parameter sets

  • Tasking tracks if issued from command line, parsed cli, modals, browser scripts

• Updated MITRE ATT&CK mappings

• Reporting updated to use LaTeX for PDF generation

  • can generate PDF, raw LaTeX, or JSON output

  • Reporting can now filter out callbacks, users, or hosts

  • Reporting has an option for a MITRE ATT&CK overview with counts at the end

• Browser Scripting updated

  • Browser scripts now return dictionaries instead of raw HTML

  • Users can issue follow-on tasks right from browser scripts

  • Browser Scripts can generate tables, download links, links to search pages, and screenshot buttons

• Improved search page

  • Can search across tasking, callbacks, files, screenshots, tokens, and more

  • Searches can be saved and linked to via the updated URL bar

• Translation containers now tracked in the UI and indicated when they are associated or not associated to payload type containers

• Improved information for C2 profile status (container running vs internal server running)

• Payloads page shows which C2 profiles are loaded into the payloads and if those profiles are currently running or not

• You can re-trigger a payload to build from the payloads page without having to go through all the steps again

• C2 profiles can expose redirect rules and check agent configurations to make sure everything aligns well between the two. These functions exist within the C2 Profile container and are taskable through the payloads page in the UI.

• The main callbacks page has new icons for the egress route of agents (wifi or link icon) that, when clicked, will show a graph view of the egress path of that agent's traffic.

• The main callbacks page can track the sleep information for a callback automatically (based on the agent updating it for the callback) and display it (orange or blue alarm clock icon)

• All columns on the main callbacks page are filterable based on data or can be hidden completely by right clicking on the column headers.

  • This also applies to all of the tables generated via browser scripting

• Response output is now paginated to help reduce the stress of streaming a lot of output for agents

• Response tables in from browser scripts are now virtualized to help reduce the stress of displaying hundreds or thousands of rows at a time

• Normal output is now displayed via an Ace editor, so if the output is JSON, you can collapse/expand sections like a normal text editor

• Graph view now uses Dagre for D3 rendering of graphs and automatically groups agents together on the same host for easier reading

  • The display can be changed via the dropdown on the top left for:

    • Left-to-right or bottom-to-top directions

    • Showing all callbacks or just the active ones

    • Showing all edges or only the active edges

    • The resulting graph can be saved as a PNG for easier inclusion in reports

• GraphQL endpoints have been added for the new React user interface

  • the scripting PyPi package will eventually move to use these instead of the REST endpoints

What's new for 2.2?

• "translation container" support for agent's that want their own custom c2 message spec and support for arbitrary other encryption outside of the default Mythic supported ones

• OPSEC scripting checks, logging, bypasses for tasking

• Alpha version of new back-end/UI updates for nginx reverse proxy, hasura graphql, and react

• All Payload Types moved out of main Mythic repo and into Mythic Agents organization

• Track sleep information in UI in easy-to-see form (new UI only)

• Track linked agent info in the table ui form of working with callbacks (new ui only)

• New way of viewing linked agents in the UI using dagre-d3 instead of raw d3 (new ui only)

• Commands track which OS they support. This helps things payload types like poseidon that might have os-specific commands since golang can compile to multiple operating systems

• Deleted payloads can't be used to create new callbacks - instead, mythic will generate a warning in the UI alerting you with information about the payload, but the agent will get a 404 and blank message back.

• De-duplication of alert messages

• Tasks can change their display_params in the create_tasking function to alter what user's see - this helps with ugly large json blocks from using structured input. The original parameters can still be queried through the UI if the user wants to see the original JSON

• Tasks can set stdout/stderr during create_tasking to help with debugging or recreating artifacts

• Payload creation can track its own build_message , build_stderr , and build_stdoutfor stdout and stderr messages to make it easier to see what happened during creation. This split information is also viewable via the Created Payloads page.

• Command parameters can opt to have their choices be all commands for a payload type or all loaded commands

• Command parameters can filter down their choices based on command attributes (supported os and if they support process injection)

• Password policy now added - requires all passwords to be at least 12 characters long

• Mythic scripting (i.e. the mythic PyPi package) has been updated to version 0.0.19 to support these changes

• C2 Profile specific OPSEC checks - provide an opsec function to your C2 Profiles to check if the parameters that the operator selected pass your risk-level before even allowing a payload to be created.

• RPC Calls are updated within the Payload Type containers to allow for dynamic queries and updates. New RPC calls just import one file

• Removed ability for users to create new accounts on the login page

• Re-build payload option from the created payloads page

• Export payload from created payloads page and import it in the payloads creation page to trigger a new payload

• Starting Mythic with MYTHIC_DEBUG environment variable or debug set to true in the mythic-docker/config.json file will cause mythic to be extremely verbose in agent messages to help with debugging development

• Merged in a pull request to update ATT&CK to ATT&CK v9

• All Payload Types and C2 Profiles are split out from the main Mythic repo. If you just install mythic and start it, there will be no payload types or c2 profiles that sync in. You need to leverage the installer script to install additional agents from GitHub

  • To help support this and keep track of these sorts of updates, containers now have "versions" and the main Mythic server has a range of supported container versions. If you have a container that tries to check in that's outside that range, you'll get a warning in the Mythic UI.

• All Payload Types need to do the following:

  • Control for container files have been moved into PyPi packages rather than just raw files on disk so that updating them will be easier going forward. The current version needed for this is version 0.0.42 (yes, lots of development has been going on): pip install mythic_payloadtype_container==0.0.42.

  • If you are using a DockerImage from the itsafeaturemythic repo, update to the latest:

    • csharp_payload==0.0.11

    • python38_payload==0.0.4

    • xgolang_payload==0.0.9

    • leviathan_payload==0.0.4

• All C2 Profiles need to do the following:

  • Control for container files has been moved into PyPi packages rather than just raw files on disk so that updating them will be easier going forward. The current version needed for this is version 22: pip install mythic_c2_container==0.0.22

• Mythic crypto is defined by the Payload Type now rather than the C2 profile. This is part of a change to keep each container in charge of just one thing. Payload Types by default have Mythic handle their crypto, to have a Payload Type do something other than what Mythic does, set mythic_encrypts = False in the builder file for your Payload Type.

• To more easily support various crypto components going forward, the selection and usage of Crypto parameters in C2 profiles has changed slightly. There's no longer a requirement that the parameter name be AESPSK. Instead, there is another field you can specify for any parameter that crypto_type=True. This specifies that the resulting thing that the user selects/inputs defines what kind of crypto to use. This is simply a boolean value so that you can still leverage the C2 Parameter as normal (string input, choose one, etc) with the expectation that the final value is the type of crypto. In the case of Mythic's standard crypto, the value would be aes256_hmac. This means that Mythic no longer auto-generates a base64 of an AES256 key when displayed to the user, this happens behind the scenes if the resulting type is aes256_hmac.

  • This also causes some variation when building your payload. Normally, you get a dictionary of {"key": "value"} for each C2 Profile parameter for you to leverage when building your payload. For crypto though, this could be highly variable and the components that you want to leverage could vary widely. So, if the parameter has crypto_type=True, then you'll get a dictionary of values. This is split out by type, encryption key, and decryption key because you might want to leverage some pub/priv key asymmetric crypto where those pieces are different or you might want to leverage some other kind of symmetric crypto.

{
    "key":
    {
        "crypto_type": "the value that the user selected, like aes256_hmac",
        "enc_key": "base64 of the encryption key",
        "dec_key": "base64 of the decryption key"
    }
}

• Make sure you update your pip install of the mythic==0.0.19 package for scripting to handle the updated aspects of these objects.

What Changed for 2.0?

• Rebranded Apfell to Mythic

• Added File Browser support to the apfell and poseidon agents

• Added SOCKS5 support to poseidon

• Added user roles during operations (operator, developer, spectator)

• Added a documentation docker container with more verbose details including overviews, traffic flows, opsec considerations, and detailed help/info

• Updated the general UI for Mythic

• Updated the event logging system for "warnings" that can be resolved

• Added ability for search to look through file browsing and eventing data as well

• Operator feedback if their parameters don't meet certain validation requirements before the commands even make it to the agents

• Complete restructuring of how a developer uses/creates agents/c2 profiles

• Added RPC call functionality from payload type and c2 profile containers to the main mythic instance to start hooking into the back-end for scripting

What changed for 1.4?

• Toggle timestamp view in the UI to see either UTC timestamps or localized timestamps

• Persistent, unified processes listings based on the host

• Persistent, unified file browser

• Badges to see the number of new tasks on a callback you're not currently viewing

• More malleable HTTP-based C2 profile with a JSON config

  • Cookie Support

  • Arbitrary transforms to text (base64, append, prepend, add random values, etc etc)

  • Proxy Support

  • User Agent strings

• Slack notifications on new callbacks

  • The ability to have this only fire for specific payloads (i.e. you might not want it to happen for all of your lateral movement payloads, but do want it to fire for your phishing payloads)

• Exportable search results (just export the page or the entire results of a search query)

• Exportable artifact search results (just the page or the entire results)

• More granular search controls

  • Filter search by operator

• Duplicate saved parameters for c2 profiles to make quick edits

• Edit credentials that are saved in the database

• Add comments to the saved credentials

• Export final report in JSON format

• Export information about downloaded / uploaded files

• Automatically calculate MD5/SHA1 of files

• Badge notifications and searching for Keylogging

• Task comments shown when viewing files

• Download command output as a text file

• Selective caching of responses so large output doesn't slow down the entire callback

• Confirmation for mass exit/remove via the UI of callbacks

• Issuing a command that causes a parameter popup will first try to auto-populate the values with the last instance of the command you ran on that callback

• Save current browsing view in main callback window across refreshes (open tabs)

• 8hr default token expiration and browser will auto-renew periodically so that there are fewer interruptions in longer ops

• Use tab to select autocomplete option and up/down arrows to toggle through autocomplete options

• Use ctrl+[ and ctrl+] to navigate previous/next tab in the active callbacks tab.

• set callback description from command line via set description my description and reset it back to the default for the payload with set description reset

• Your open tabs for the active callbacks view will be remembered per-browser

• View Apfell's web log from within the main web UI

• Only start select payload type containers when starting Apfell - ./start_apfell.sh viper will only start the viper payload type container, but all of the c2 profiles and main containers will still start.

• Turn arbitrary VMs into Apfell compatible containers

• Import and export single commands at a time instead of the whole payload type

• C2 profiles support jitter percentages

• Kill Dates in C2 profiles

• Bulk download files from downloads page as zip file

• Strict argument checking on tasking to make sure required parameters are given

• Provide a single streaming list of tasking for all callbacks combined that the operation lead can watch

• Filter callback viewable tasks to a single operator or all operators, certain command, and certain task ranges

• Add new buttons for hiding or exiting multiple callbacks at once

• C2 profiles have associated Notes, Sample Server configuration, and Sample Client configurations that are present from the main UI to give context and base configuration information. This will be particularly useful as C2 profiles grow more complex.

• Provide and an interface for supporting P2P communications and visualizations

• Provide a recommended style guide for how to create new payloads to best fit in and leverage all of Apfell's features

• Integration of Poseidon Agent

• Integration of Atlas Agent

• Integration of Chrome-extension Agent

• Introduction of command-line short-hands such as swap_filenames to allow operators to type uploaded filenames, but have agents get file IDs instead.

• All files are now contained within the Apfell folder, no more docker volumes mounted in weird spots automatically

• Edit C2 profile code and configurations right in the browser

• Included an 'event log' to see all events Apfell is doing behind the scenes as well as allow operators to 'chat' and store messages within their operation. If an operator sends a message on this screen, it'll be shown to all operators in that operation that are on the Active Callbacks page.

• Included a 'web log' to see all the web requests to Apfell in the UI

• Broke out transforms for commands and create/load operations to mirror the style of browser scripts

• Exporting/Importing a payload type will bring along with it: payload code, all associated transforms, all command code, all browser scripts, and all c2 profile associated code.