Hooking Features
All of the following features describe information that can be included in responses. These sections describe some additional JSON formats and data that can be used to have your responses be tracked within Mythic or cause the creation of additional elements within Mythic (such as files, credentials, artifacts, etc).
You can hook multiple features in a single response because they're all unique. To display something to the user, it should be in the user_outputfield, such as:
{"user_output": "Still working",}​or even{"user_output": "{\"key": \"nested json for user as string\"}"}
The various styles of output are described in the follow-on pages:
​Download​
​Keylog​
​Process_List​
​Artifacts​
​Credentials​
​P2P Connections​
When we talk about Hooking Features in the Action: post_response message of an agent, we're really talking about a specific set of Dictionary key value pairs that have special meaning. All responses from the agent to the Mythic server already have to be in a structured format. Each of the above sections goes into what their reserved keywords mean, but a total list is found below:
total_chunks - integer - used with file uploads/downloads for chunking
chunk_num - integer - use with file uploads/downloads for chunking
chunk_size - integer - used with file uploads/downloads for chunking
task_id - string - UUID associated with tasks
full_path - string - used with file uploads/downloads to report back the full path of the file (ex: test.txt is meaningless, full_path would report back C:\Users\username\Desktop\test.txt)
user_output - string - used with any command to display information back to the user
completed - boolean - used with any command to indicate that the task is done (switches to the green completed icon)
status - string - used to indicate that a command is not only done, but has encountered an error (value would be "error")
file_id - string (uuid to be specific) - used with file uploads/downloads and any command wishing to utilize chunking for files
artifacts - array - an array of artifact objects that report back artifacts created on disk/on the network
credentials - array - an array of credential objects that report back credentials gathered from the host
window_title - string - the title of the window associated with keystrokes for a keylogger
user - string - the user associated with keystrokes for a keylogger
keystrokes - string - the keystrokes for a keylogger
edges - array - an array of P2P linking/unlinking information
commands - array - an array of command updating information (telling mythic that the callback loaded/unloaded commands)
file_browser - dictionary - a dictionary of information about the file/folder with potentially a nested array to give details about all of the files within a folder
process_response - this is passed to your command's python file for processing in the
process_responsefunction.
As you're developing an agent to hook into these features, it's helpful to know where to look if you have questions. All of the Task, Command, and Parameter definitions/functions available to you are defined in the mythic_payloadtype_container PyPi Container, MythicCommandBase.py, which is hosted on the MythicMeta Organization on GitHub. Information about the Payload Type itself (BuildResponse, SupportedOS, BuildParameters, PayloadType, etc) can be found in the PayloadBuilder.py file in the same PyPi repo.
