Mythic Documentation
Mythic Documentation
Mythic
Installation
Internal Documentation
Quick Usage
Operational Pieces
Message Flow
Understanding Commands
Payload Types
C2 Profiles
Reporting
Scripting
Customizing
Hooking Features
Payload Type Development
C2 Related Development
C2 Profile Code
Agent Side Coding
Agent Message Format
Action: Checkin
Action: get_tasking
Action: post_response
Action: upload
Server Side Coding
Common Questions and Answers
FAQ / Troubleshooting Tips
Change Log
Next Release
Powered by GitBook

Action: post_response

Endpoint

All agent messages go to the same endpoint: /api/v1.4/agent_message

Message Request

The contents of the JSON message from the agent to Apfell when posting tasking responses is as follows:

Base64( CallbackUUID + JSON(
{
	"action": "post_response",
	"responses": [
		{
			"task_id": "uuid of task",
			... response message (see below)
		},
		{
			"task_id": "uuid of task",
			... response message (see below)
		}
	], //if we were passing messages on behalf of other agents
	"delegates": [
		{"UUID1": agentMessage},
		{"UUID2": agentMessage}
		]
}
)
)

There are two things to note here:

  • responses - This parameter is a list of all the responses for each tasking.

    • For each element in the responses array, we have a dictionary of information about the response. We also have a task_id field to indicate which task this response is for. After that though, comes the actual response output from the task.

      • If you don't want to hook a certain feature (like sending keystrokes, downloading files, creating artifacts, etc), but just want to return output to the user, the response section can be as simple as: {"task_id": "uuid of task", "user_output": "output of task here"}

    • Each response style is described in Hooking Features. The format described in each of the Hooking features sections replaces the ... response message piece above

      • To continue adding to that JSON response, you can indicate that a command is finished by adding "completed": true or indicate that there was an error with "status": "error".

  • delegates - This parameter is not required, but allows for an agent to forward on messages from other callbacks. This is the peer-to-peer scenario where inner messages are passed externally by the egress point. Each of these messages is a self-contained "Agent Message".

Message Response

Apfell responds with the following message format for post_response requests:

Base64( CallbackUUID + JSON(
{
	"action": "post_response",
	"responses": [
		{
			"task_id": UUID,
			"status": "success" or "error",
			"error": 'error message if it exists'
		}
	],
	//if we were passing messages on behalf of other agents
	"delegates": [
		{"UUID1": agentMessage},
		{"UUID2": agentMessage}
		]
}
)
)

There are two things to note here:

  • responses - This parameter is always a list and contains a success or error + error message for each task that was responded to.

  • delegates - This parameter contains any responses for the messages that came through in the first message

Previous
Action: get_tasking
Next
Action: upload
Last updated 1 year ago
Contents
Endpoint
Message Request
Message Response