Mythic Documentation
Version 3.3
Version 3.3
  • Mythic
  • Operators
  • Installation
    • Connecting
    • A note about containers
    • Offline Installation
    • Updating Mythic
  • Internal Documentation
  • Quick Usage
  • Operational Pieces
    • MITRE ATT&CK
    • Operations
    • Browser Scripts
    • Active Callbacks
    • Files
    • Search
    • File Browser
    • Socks Proxy
    • Credentials
    • Comments
    • Tags
    • Expanded Callbacks
    • Screenshots
    • Event Feed
    • Understanding Commands
      • Basic Information
      • Parameters
      • MITRE ATT&CK in Commands
    • Payload Types
      • Containers
    • C2 Profiles
      • C2 Server Utilities
      • Egress vs P2P
      • HTTP
      • dynamicHTTP
      • Save Parameters
    • API Tokens
  • Message Flow
    • Building Payloads
    • Agent Sends Message
    • File Upload Mythic->Agent
    • File Download Agent->Mythic
    • P2P Messages
    • Operator Submits Tasking
  • Database Schema
  • Reporting
    • Artifacts
    • MITRE ATT&CK
    • Reports
  • Scripting
  • Presentations / Webinars
  • Common Errors
  • MythicTips
  • Customizing
    • Customizing Public Agent
    • Hooking Features
      • Actions
      • Linking Agents
        • P2P Connections
      • Process Browser
      • Artifacts
      • Credentials
      • File Downloads (Agent -> Mythic)
      • File Uploads (Mythic -> Agent)
      • Screenshots
      • Add / Remove Commands
      • Keylog
      • File Browser
      • Tokens
      • Alerts
      • SOCKS
      • RPFWD
      • Interactive Tasking
      • Task Status
      • OnContainerStart
    • 1. Payload Type Development
      • 2. Payload Type Definition
        • Container Syncing
        • Turning a VM into a Container
      • 3. Adding Commands
        • Commands
      • 4. Create Tasking & Comms Format
        • Agent Messages
          • 1. Agent Message Format
          • 2. Checkin
          • 3. Get Tasking
          • 4. Submitting Responses
          • 5. SOCKS
          • 6. Reverse Port Forward
          • 7. Peer-to-peer messages
          • 8. Interactive Tasking
      • 5. MythicRPC
      • 6. Browser Scripting
      • 7. Dynamic Parameter Values
      • 8. Sub-tasking / Task Callbacks
      • 9. OPSEC Checking
      • 10. Translation Containers
      • 11. Process Response
      • 12 TypedArray Parse Function
      • 13. SOCKS
      • 14. Reverse PortFwd
      • 15. Interactive Tasking
    • 2. C2 Development
      • Docker & Server Config
        • 1. Docker Containers
        • 2. Configuration Files
        • 3. OPSEC Checks
        • 4. Configuration Checks
        • 5. Sample Message
        • 6. File Hosting
        • 7. Redirect Rules
        • 8. Get IOC
        • 9. Push C2
    • 3. Consuming Containers
      • Webhooks
      • Logging
      • Eventing
        • Operator Context (run_as)
        • Workflow Triggers
        • Steps
      • Auth
    • 4. Extending Agent Commands
    • Mythic UI Development
  • Common Questions and Answers
    • FAQ / Troubleshooting Tips
    • Change Log
    • Tip of the Week
  • Updating
    • Mythic 2.1 -> 2.2 Updates
      • Agents 2.1.* -> 2.2.8
        • MythicRPC
    • Mythic 2.2 -> 2.3 Updates
      • Agents 2.2 -> 2.3
    • Mythic 2.3 -> 3.0 Updates
      • Agents 2.3 -> 3.0
    • Mythic 3.2->3.3 Updates
Powered by GitBook
On this page

Was this helpful?

Export as PDF
  1. Customizing
  2. 3. Consuming Containers

Webhooks

Webhook Structure

Webhooks are notified of certain events in an asynchronous manner and submit that data to pre-configured webhook URLs. Webhooks can take advantage of everything you can do via Scripting by using the MythicRPCAPITokenCreate functionality. This function provides a temporary, trackable API token that can be used to interact with the GraphQL API. The benefit here is that if you want or need more information than what's directly provided by the webhook message, you can fetch it from GraphQL.

type WebhookDefinition struct {
	Name                     string
	Description              string
	WebhookURL               string
	WebhookChannel           string
	NewFeedbackFunction      func(input NewFeedbackWebookMessage)
	NewCallbackFunction      func(input NewCallbackWebookMessage)
	NewStartupFunction       func(input NewStartupWebhookMessage)
	NewAlertFunction         func(input NewAlertWebhookMessage)
	NewCustomFunction        func(input NewCustomWebhookMessage)
	Subscriptions            []string
	OnContainerStartFunction func(sharedStructs.ContainerOnStartMessage) sharedStructs.ContainerOnStartMessageResponse
}

for example:

func Initialize() {
	myWebhooks := webhookstructs.WebhookDefinition{
		Name:                "my_webhooks",
		Description:         "default webhook for slack example",
		NewFeedbackFunction: newfeedbackWebhook,
		NewCallbackFunction: newCallbackWebhook,
		NewStartupFunction:  newStartupMessage,
	}
	webhookstructs.AllWebhookData.Get("my_webhooks").AddWebhookDefinition(myWebhooks)
}

There's also a built-in function you can leverage to get the webhook url and channel:

func newCallbackWebhook(input webhookstructs.NewCallbackWebookMessage) {
    newMessage := webhookstructs.GetNewDefaultWebhookMessage()
    newMessage.Channel = webhookstructs.AllWebhookData.Get("my_webhooks").GetWebhookChannel(input, webhookstructs.WEBHOOK_TYPE_NEW_CALLBACK)
    var webhookURL = webhookstructs.AllWebhookData.Get("my_webhooks").GetWebhookURL(input, webhookstructs.WEBHOOK_TYPE_NEW_CALLBACK)
    if webhookURL == "" {
       logging.LogError(nil, "No webhook url specified for operation or locally")
       go mythicrpc.SendMythicRPCOperationEventLogCreate(mythicrpc.MythicRPCOperationEventLogCreateMessage{
          OperationId:  &input.OperationID,
          Message:      "No webhook url specified, can't send webhook message",
          MessageLevel: mythicrpc.MESSAGE_LEVEL_WARNING,
       })
       return
    }
   ...
}

  • Name - this is the name of your webhook container

  • Description - this is the description for your container (probably provides insight if you're going to submit to Slack, Discord, or some other service)

  • WebhookURL - this is an optional URL you can configure for the actual webhook to use. Configuring it here makes it take the highest precedence when it comes time to actually send the webhook, but has the downside of being hardcoded. You can also optionally configure this on a per-operation basis in your Operation in the UI. The last place you can configure this is in the .env file for Mythic as the 

    WEBHOOK_DEFAULT_URL

    variable.

  • WebhookChannel - similar to the WebhookURL, this is the channel you're going to send your webhook. This can also be configured via the .env as a series of WEBHOOK_DEFAULT_*_CHANNEL to allow you to configure a different channel per type of notification.

  • The *Functions are what get executed when an event of that type happens. If, for example, you don't want to handle processing NewFeedback messages from Mythic, then you can simply not provide a function here (or set it to nil / None explicitly) and Mythic won't even bother sending the notification down to your container.

  • OnContainerStartFunction - this allows you to perform additional processing/setup when your container comes online and syncs up with Mythic. You get a temporary (5min) Spectator token for each active operation. This means that if there are two active operations in Mythic, then this function gets called twice, once for each operation. This is so that if you need to do some sort of configuration that's specific to an operation, you can fetch data for that operation.

Previous3. Consuming ContainersNextLogging

Last updated 10 months ago

Was this helpful?