Mythic Documentation
Search…
Version 2.3
Mythic
Operators
Installation
Internal Documentation
Quick Usage
Operational Pieces
Message Flow
Understanding Commands
Payload Types
C2 Profiles
Reporting
Scripting
Presentations / Webinars
Common Errors
Customizing
Hooking Features
Payload Type Development
C2 Related Development
C2 Profile Code
Agent Side Coding
Delegates (p2p)
Agent Message Format
Action: Checkin
Action: get_tasking
Action: post_response
SOCKS
Server Side Coding
Common Questions and Answers
FAQ / Troubleshooting Tips
Change Log
Next Release
Tip of the Week
Updating
Mythic 2.1 -> 2.2 Updates
Mythic 2.2 -> 2.3 Updates
Powered By GitBook
Action: post_response

Endpoint

All agent messages go to the same endpoint: /api/v1.4/agent_message

Message Request

The contents of the JSON message from the agent to Mythic when posting tasking responses is as follows:
1
Base64( CallbackUUID + JSON(
2
{
3
"action": "post_response",
4
"responses": [
5
{
6
"task_id": "uuid of task",
7
... response message (see below)
8
},
9
{
10
"task_id": "uuid of task",
11
... response message (see below)
12
}
13
], //if we were passing messages on behalf of other agents
14
"delegates": [
15
{"message": agentMessage, "c2_profile": "ProfileName", "uuid": "uuid here"},
16
{"message": agentMessage, "c2_profile": "ProfileName", "uuid": "uuid here"}
17
]
18
}
19
)
20
)
Copied!
There are two things to note here:
  • responses - This parameter is a list of all the responses for each tasking.
    • For each element in the responses array, we have a dictionary of information about the response. We also have a task_id field to indicate which task this response is for. After that though, comes the actual response output from the task.
      • If you don't want to hook a certain feature (like sending keystrokes, downloading files, creating artifacts, etc), but just want to return output to the user, the response section can be as simple as: {"task_id": "uuid of task", "user_output": "output of task here"}
    • Each response style is described in Hooking Features. The format described in each of the Hooking features sections replaces the ... response message piece above
      • To continue adding to that JSON response, you can indicate that a command is finished by adding "completed": true or indicate that there was an error with "status": "error".
  • delegates - This parameter is not required, but allows for an agent to forward on messages from other callbacks. This is the peer-to-peer scenario where inner messages are passed externally by the egress point. Each of these messages is a self-contained "Agent Message".

Message Response

Mythic responds with the following message format for post_response requests:
1
Base64( CallbackUUID + JSON(
2
{
3
"action": "post_response",
4
"responses": [
5
{
6
"task_id": UUID,
7
"status": "success" or "error",
8
"error": 'error message if it exists'
9
}
10
],
11
//if we were passing messages on behalf of other agents
12
"delegates": [
13
{"message": agentMessage, "c2_profile": "ProfileName", "uuid": "uuid here"},
14
{"message": agentMessage, "c2_profile": "ProfileName", "uuid": "uuid here"}
15
]
16
}
17
)
18
)
Copied!
There are two things to note here:
  • responses - This parameter is always a list and contains a success or error + error message for each task that was responded to.
  • delegates - This parameter contains any responses for the messages that came through in the first message
Previous
Action: get_tasking
Next
SOCKS
Last modified 7mo ago
Copy link
Edit on GitHub
Contents
Endpoint
Message Request
Message Response