Mythic Documentation
Version 3.3
Workflow Triggers

Last updated 10 months ago

What are they?

Triggers are the "events" that kick off your workflow. They typically involve something "happening" within Mythic's sphere of influence and sometimes allow you to add some additional context via trigger_data.

trigger_data isn't set in stone and can be expanded upon over time. If you have additional ideas for trigger data, let me know!

Trigger Options

  • manual - This workflow is triggered manually in the UI via the green run icon.

    • trigger_data - N/A

  • keyword - This workflow is triggered by a keyword and optional dictionary of contextual data.

    • trigger_data - dictionary of any extra data you want to send along. Typically, keyword is an additional way of triggering a workflow that is normally triggered some other way. In that case, you should probably pass along in the trigger_data whatever your workflow normally expects.

  • mythic_start - This workflow is triggered when Mythic starts.

    • trigger_data - N/A

  • cron - This workflow is triggered on a cron schedule.

    • trigger_data - Dictionary with the following keys:

      • cron - a normal cron string indicating when you want to execute this workflow. https://crontab.guru/ is a handy place to check cron execution strings.

  • payload_build_start - This workflow is triggered when a Payload first starts being built.

    • trigger_data - Dictionary with the following keys:

      • payload_types - a list of all the payload types where you want this to trigger. If you don't specify any, then it will trigger for all payload types.

  • payload_build_finish - This workflow is triggered when a Payload finishes being built (either successfully or with an error).

    • trigger_data - Dictionary with the following keys:

      • payload_types - a list of all the payload types where you want this to trigger. If you don't specify any, then it will trigger for all payload types.

  • task_create - This workflow is triggered when a Task is first created and sent for preprocessing.

    • trigger_data - N/A

  • task_start - This workflow is triggered when a Task is picked up by an agent to start executing.

    • trigger_data - N/A

  • task_finish - This workflow is triggered when a Task finishes (at any point in the task lifecycle) either successfully or with an error.

    • trigger_data - N/A

  • user_output - This workflow is triggered when a Task returns new output in the user_output field for the user to see in the UI.

    • trigger_data - N/A

  • file_download - This workflow is triggered when a file finishes downloading from a callback.

    • trigger_data - N/A

  • file_upload - This workflow is triggered when a file finishes uploading to Mythic.

    • trigger_data - N/A

  • screenshot - This workflow is triggered when a screenshot finishes downloading from a callback.

    • trigger_data - N/A

  • alert - This workflow is triggered when an agent sends an alert back to Mythic.

    • trigger_data - N/A

  • callback_new - This workflow is triggered when a new callback is created.

    • trigger_data - Dictionary with the following keys:

      • payload_types - a list of all the payload types where you want this to trigger. If you don't specify any, then it will trigger for all payload types.

  • task_intercept - This workflow is triggered after a Task finishes its opsec_post check to allow one more chance for a task to be blocked.

    • trigger_data - N/A

  • response_intercept - This workflow is triggered when a Task returns new output in the user_output field for the user to see in the UI, but first passes that output to this workflow for modification before saving it in the database.

    • trigger_data - N/A
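
The trigger list above can be turned into a review check for workflow definitions before they are enabled. This is an added example, not code from the Mythic project. It assumes the workflow has already been parsed into a dictionary with `trigger` and `trigger_data` keys, and that cron strings use the 5-field form shown on crontab.guru; `lint_workflow` and the sample values are hypothetical.

```python
import re

# Trigger names and the trigger_data keys each accepts, as listed on this page.
# None means a free-form dictionary (keyword); an empty set means N/A.
TRIGGER_KEYS = {
    "manual": set(), "keyword": None, "mythic_start": set(),
    "cron": {"cron"},
    "payload_build_start": {"payload_types"},
    "payload_build_finish": {"payload_types"},
    "task_create": set(), "task_start": set(), "task_finish": set(),
    "user_output": set(), "file_download": set(), "file_upload": set(),
    "screenshot": set(), "alert": set(),
    "callback_new": {"payload_types"},
    "task_intercept": set(), "response_intercept": set(),
}
# Triggers that can block a task or rewrite output before it is stored.
INTERCEPTS = {"task_intercept", "response_intercept"}
CRON_FIELD = re.compile(r"^[\w*/,\-?]+$")  # assumption: classic 5-field syntax


def lint_workflow(wf):
    """Return a list of findings for one parsed workflow dictionary."""
    trigger = wf.get("trigger")
    data = wf.get("trigger_data") or {}
    if trigger not in TRIGGER_KEYS:
        return [f"unknown trigger: {trigger!r}"]
    if not isinstance(data, dict):
        return [f"{trigger}: trigger_data must be a dictionary"]
    findings = []
    allowed = TRIGGER_KEYS[trigger]
    if allowed is not None:
        for key in sorted(set(data) - allowed):
            findings.append(f"{trigger}: unexpected trigger_data key {key!r}")
    if trigger == "cron":
        fields = str(data.get("cron", "")).split()
        if len(fields) != 5 or not all(CRON_FIELD.match(f) for f in fields):
            findings.append("cron: trigger_data.cron is not a 5-field cron string")
    if allowed == {"payload_types"}:
        types = data.get("payload_types", [])
        if not isinstance(types, list) or not all(isinstance(t, str) for t in types):
            findings.append(f"{trigger}: payload_types must be a list of strings")
        elif not types:
            findings.append(f"{trigger}: no payload_types given, fires for all payload types")
    if trigger in INTERCEPTS:
        findings.append(f"{trigger}: runs inline on tasks or output, review before enabling")
    return findings
```

An empty result means the trigger and its trigger_data match the options listed here; the intercept finding is informational, because those two triggers sit in the path of every task or response.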

https://crontab.guru/