Mythic Documentation
Version 3.3
Hooking Features

Each of the features below is a piece of information an agent can include in a response. The sections describe the additional JSON keys and formats that let Mythic track your responses or create additional elements (files, credentials, artifacts, and so on) from them.

Because every feature uses its own reserved key, you can hook multiple features in a single response. For example, anything that should be displayed to the user goes in the user_output field:

{
    "user_output": "Still working"
}

or even

{
    "user_output": "{\"key\": \"nested json for user as string\"}"
}

Reserved Keywords

When we talk about Hooking Features in an agent's message, we really mean a specific set of dictionary key/value pairs that have special meaning. All responses from the agent to the Mythic server already have to be in a structured format. Each of the following sections explains its own reserved keywords, but some simpler ones are:

  • task_id - string - UUID associated with tasks

  • user_output - string - used with any command to display information back to the user

  • completed - boolean - used with any command to indicate that the task is done (switches to the green completed icon)

  • status - string - used to indicate that a command is not only done, but has encountered an error or some other status to return to the user

  • process_response - any JSON value - passed unchanged to your command's Python file for processing in its process_response function.

PayloadType Development Reference

Message Keywords and Structure

Throughout this section, the payload type development section, and the C2 message format sections, you'll see a lot of information about message structure. Here is a quick "cheat sheet" reference; each keyword is covered in more detail in its own section. The following is an example of a get_tasking request to Mythic with almost every possible field added. Note that alerts and edges can appear both inside an individual response and at the top level of the message:

{
    "action": "get_tasking",
    "tasking_size": 1,
    "responses": [
        {
            "task_id": "uuid",
            "user_output": "something to show to the user",
            "completed": false,
            "status": "custom status here",
            "file_browser": {
                "host": "abc.com",
                "is_file": false,
                "permissions": {
                    "customField": "customVal"
                },
                "name": "C:\\",
                "parent_path": "",
                "success": true,
                "access_time": 1700164038000,
                "modify_time": 1700164038000,
                "size": 2300,
                "update_deleted": false,
                "files": [
                    {
                        "is_file": false,
                        "permissions": {
                            "customField": "customVal"
                        },
                        "name": "Users",
                        "access_time": 1700164038000,
                        "modify_time": 1700164038000,
                        "size": 12345
                    }
                ]
            },
            "removed_files": [
                {
                    "host": "abc.com",
                    "path": "C:\\Users\\itsafeature\\Desktop\\evil.exe"
                }
            ],
            "credentials": [
                {
                    "credential_type": "plaintext",
                    "realm": "domain.com",
                    "account": "itsafeature",
                    "credential": "oh no my password!",
                    "comment": "scraped from lsass",
                    "metadata": "anything else you want to add"
                }
            ],
            "artifacts": [
                {
                    "base_artifact": "Process Create",
                    "artifact": "cmd.exe /C evil.exe",
                    "host": "abc.com"
                }
            ],
            "processes": [
                {
                    "host": "abc.com",
                    "process_id": 245,
                    "parent_process_id": 244,
                    "architecture": "x64",
                    "bin_path": "C:\\Users\\itsafeature\\Desktop\\evil.exe",
                    "name": "evil.exe",
                    "user": "itsafeature",
                    "command_line": "C:\\Users\\itsafeature\\Desktop\\evil.exe -f 2",
                    "integrity_level": 2,
                    "start_time": 1700164038000,
                    "description": "totally not malware: TM",
                    "signer": "",
                    "protected_process_level": 0,
                    "update_deleted": false
                }
            ],
            "edges": [
                {
                    "source": "my uuid",
                    "destination": "uuid of remote callback",
                    "action": "remove",
                    "c2_profile": "smb"
                }
            ],
            "commands": [
                {
                    "action": "add",
                    "cmd": "shell"
                }
            ],
            "keylogs": [
                {
                    "window_title": "Notepad",
                    "user": "itsafeature",
                    "keystrokes": "password: abc123"
                }
            ],
            "tokens": [
                {
                    "action": "add",
                    "token_id": 34857,
                    "user": "acme\\bob",
                    "groups": "",
                    "privileges": "",
                    "thread_id": 12345,
                    "process_id": 2344,
                    "session_id": 1,
                    "logon_sid": "",
                    "integrity_level_sid": "",
                    "restricted": false,
                    "default_dacl": "",
                    "handle": 0,
                    "capabilities": "",
                    "app_container_sid": "",
                    "app_container_number": 0
                }
            ],
            "callback_tokens": [
                {
                    "action": "add",
                    "host": "abc.com",
                    "token_id": 34857,
                    "token": {}
                }
            ],
            "download": {
                "total_chunks": 4,
                "chunk_size": 512000,
                "host": "abc.com",
                "is_screenshot": false,
                "filename": "evil.exe",
                "full_path": "C:\\Users\\itsafeature\\Desktop\\evil.exe"
            },
            "upload": {
                "file_id": "uuid here",
                "host": "abc.com",
                "chunk_size": 512000,
                "chunk_num": 1,
                "full_path": "C:\\Users\\itsafeature\\Desktop\\replaced.exe"
            },
            "alerts": [
                {
                    "alert": "lost connection to remote agent",
                    "level": "warning",
                    "source": "disconnection warning",
                    "send_webhook": false
                }
            ],
            "process_response": {
                "custom field": "custom val"
            }
        }
    ],
    "alerts": [
        {
            "alert": "edr detected",
            "level": "warning",
            "source": "edr detection",
            "send_webhook": true,
            "webhook_alert": {
                "edr": "some edr name",
                "pid": 345
            }
        }
    ],
    "edges": [
        {
            "action": "add",
            "source": "my uuid",
            "destination": "remote uuid",
            "c2_profile": "smb",
            "metadata": "anything else you want to add about the connection"
        }
    ],
    "delegates": [
        {
            "c2_profile": "tcp",
            "message": "base64 message",
            "uuid": "some uuid tracker here"
        }
    ],
    "socks": [
        {
            "server_id": 2345,
            "data": "base64",
            "exit": false
        }
    ],
    "rpfwd": [
        {
            "server_id": 12345,
            "data": "base64",
            "exit": false
        }
    ],
    "interactive": [
        {
            "task_id": "uuid of task that started interactive session",
            "message_type": 0,
            "data": "base64"
        }
    ]
}

The token object inside a callback_tokens entry takes the same fields as an entry in tokens; fill it in if you want to add or update that token's data in the same message, otherwise leave it empty.
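As an added example (this is not Mythic's code nor that of any Mythic agent), the following Python assembles a get_tasking message shaped like the cheat sheet above from the keys listed under Reserved Keywords: it rejects unknown keys and wrongly typed values before anything is sent, serialises a nested user_output as a string rather than embedding an object, keeps response-level hooks separate from message-level ones (alerts and edges are legal at both levels), insists that file_browser.files is a list of objects, and computes the download header's total_chunks from the file size. The function names, the two type tables, the sample task UUID and the one-chunk rule for empty files are this example's own assumptions, not Mythic's.

```python
"""Assemble and sanity-check a Mythic get_tasking message that hooks several
features in one response. Added example, not Mythic's own code: the key names
and shapes follow the cheat sheet on this page; the helpers are this example's."""
import json
import math

# Response-level reserved keywords and the JSON type each must carry.
# `object` means "any JSON value" (process_response is passed through untouched).
RESPONSE_KEY_TYPES = {
    "task_id": str, "user_output": str, "completed": bool, "status": str,
    "file_browser": dict, "removed_files": list, "credentials": list,
    "artifacts": list, "processes": list, "edges": list, "commands": list,
    "keylogs": list, "tokens": list, "callback_tokens": list,
    "download": dict, "upload": dict, "alerts": list, "process_response": object,
}
# Message-level keywords: these sit beside "responses", not inside one.
# alerts and edges are legal at both levels.
MESSAGE_KEY_TYPES = {
    "action": str, "tasking_size": int, "responses": list, "alerts": list,
    "edges": list, "delegates": list, "socks": list, "rpfwd": list,
    "interactive": list,
}


def _check_keys(obj, allowed, where):
    """Reject unknown keys and wrongly typed values before the message leaves the agent."""
    for key, value in obj.items():
        expected = allowed.get(key)
        if expected is None:
            raise ValueError(f"{key!r} is not a reserved {where} keyword")
        if expected is object:
            continue
        # bool is a subclass of int in Python; do not let True slip in as tasking_size.
        if not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
            raise TypeError(f"{where} key {key!r} must be {expected.__name__}")


def make_response(task_id, user_output=None, completed=False, status=None, **hooks):
    """Build one entry for the "responses" array; extra hooks are passed as keyword args."""
    resp = {"task_id": task_id, "completed": completed}
    if user_output is not None:
        # user_output must be a string: nested data is serialised, not embedded as an object.
        resp["user_output"] = user_output if isinstance(user_output, str) else json.dumps(user_output)
    if status is not None:
        resp["status"] = status
    resp.update(hooks)
    _check_keys(resp, RESPONSE_KEY_TYPES, "response")
    # file_browser.files is a list of objects, each describing one child entry.
    for entry in resp.get("file_browser", {}).get("files", []):
        if not isinstance(entry, dict):
            raise TypeError("file_browser.files entries must be objects")
    return resp


def download_header(host, full_path, size, chunk_size=512000, is_screenshot=False):
    """First message of a download: Mythic needs total_chunks before chunk data arrives.
    Splitting the name on a backslash and sending one chunk for an empty file are
    this example's assumptions, not Mythic rules."""
    return {
        "total_chunks": max(1, math.ceil(size / chunk_size)),
        "chunk_size": chunk_size,
        "host": host,
        "is_screenshot": is_screenshot,
        "filename": full_path.rsplit("\\", 1)[-1],
        "full_path": full_path,
    }


def make_get_tasking(responses, tasking_size=1, **message_hooks):
    """Wrap responses plus message-level hooks (alerts, edges, socks, ...) into one request."""
    msg = {"action": "get_tasking", "tasking_size": tasking_size, "responses": responses}
    msg.update(message_hooks)
    _check_keys(msg, MESSAGE_KEY_TYPES, "message")
    return msg


def demo_message():
    """Constructed sample: one task reporting nested output, an artifact, a credential,
    a download header and a response-level alert, plus a message-level alert."""
    resp = make_response(
        "11111111-2222-3333-4444-555555555555",  # assumed task UUID
        user_output={"pid": 245, "note": "nested json for user as string"},
        completed=True,
        artifacts=[{"base_artifact": "Process Create", "artifact": "cmd.exe /C evil.exe", "host": "abc.com"}],
        credentials=[{"credential_type": "plaintext", "realm": "domain.com", "account": "itsafeature",
                      "credential": "oh no my password!", "comment": "scraped from lsass"}],
        download=download_header("abc.com", "C:\\Users\\itsafeature\\Desktop\\evil.exe", 2_000_000),
        alerts=[{"alert": "lost connection to remote agent", "level": "warning",
                 "source": "disconnection warning", "send_webhook": False}],
    )
    return make_get_tasking(
        [resp],
        alerts=[{"alert": "edr detected", "level": "warning", "source": "edr detection",
                 "send_webhook": True, "webhook_alert": {"edr": "some edr name", "pid": 345}}],
    )


def encode(msg):
    """Serialise for transport; the C2 profile then applies its own encryption and encoding."""
    return json.dumps(msg, separators=(",", ":")).encode()


def decode(data):
    """Inverse of encode, used to confirm the message survives a round trip."""
    return json.loads(data.decode())


if __name__ == "__main__":
    print(json.dumps(demo_message(), indent=2))
```

Running the module prints the assembled message. The same two checks, key name against a fixed table and value against its expected JSON type, are cheap to port to an agent written in any other language and catch the usual mistakes (a boolean sent as a string, a bare object where a list is expected) before Mythic silently ignores the field.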

As you're developing an agent to hook into these features, it's helpful to know where to look if you have questions. All of the Task, Command, and Parameter definitions and functions available to you are defined in the mythic_container PyPI package, which is hosted under the MythicMeta organization on GitHub. Information about the Payload Type itself (BuildResponse, SupportedOS, BuildParameters, PayloadType, etc.) can be found in PayloadBuilder.py in the same package.

Related sections: Action: post_response; PayloadBuilder.py; Delegates; Socks; Rpfwd; Interactive; Edges; Alerts; Upload; Download; Callback Tokens; Tokens; Keylogs; ProcessResponse; Commands; Processes; Artifacts; Credentials; FileBrowser; RemovedFiles.