Installation
Pull the code from the official GitHub repository:
$ git clone https://github.com/its-a-feature/Mythic
This is made to work with docker and docker-compose, so they both need to be installed. If docker is not installed on your ubuntu machine, you can use the ./install_docker_ubuntu.sh script to install it for you.
If you're running on debian, use the ./install_docker_debian.sh instead.
Mythic must be installed on Linux. While macOS supports Docker and Docker-Compose, macOS doesn't handle the shared host networking that Mythic relies on. You can still access the Browser interface from any OS, but the Mythic instance must be installed on Linux
/Mythic/mythic-docker/config.json contains all of the pieces for you to configure for accessing your operator web UI:
{"mythic_admin_user": "mythic_admin","mythic_admin_password": "mythic_password","default_operation_name": "Operation Chimera","listen_port": 7443,"ssl_cert_path": "./app/ssl/mythic-cert.pem","ssl_key_path": "./app/ssl/mythic-ssl.key","allowed_ip_blocks": ["0.0.0.0/0"],"use_ssl": true,"server_header": "nginx 1.2","web_log_size": 1024000,"web_keep_logs": true,"siem_log_name": "","excluded_c2_profiles": [ ],"excluded_payload_types": [ ],"start_documentation_container": true,"documentation_container_port": 8080}
A few important notes here. listen_port will be the port opened on the server where you're running Mythic. The allowed_ip_blocks allow you to restrict access to the login and register pages of Mythic. excluded_c2_profiles and excluded_payload_types allows you to exclude certain docker containers from starting. This is helpful if you know you're not going to use certain payload types or c2 profiles and want to cut down on time/space requirements.
The above configuration does NOT affect the port or SSL information related to your agents or callback information. It's strictly for your operator web UI.
The web_log_size and web_keep_logs refers only to keeping web logs (i.e. web traffic hitting Mythic). If you're wanting to enable SIEM-based logging, set the siem_log_name to anything but an empty string. Mythic will create that file if it doesn't exist, and log to that file. The following things are logged currently:
file_upload (file staged on mythic as part of tasking with the intent to get sent to the agent)file_manual_upload (file staged on mythic as part of a user manually hosting it)file_screenshot (file is a screenshot from the agent)file_download (file is downloaded from agent to mythic)artifact_new (new artifact created - think IOC)eventlog_new (new eventlog message)eventlog_modified (eventlog was modified, like resolving an issue or changing their message)payload_new (new payload created)task_mitre_attack (a task was associated with a new mitre attack technique)task_new (a new task was created)task_completed (a task completed)task_comment (somebody added/removed/edited a comment on a task)credential_new (a new credential was added to the store)credential_modified (a credential was modified)response_new (a new response for the user to see)keylog_new (a new keylog entry)callback_new (new callback registered)
Mythic does SIEM-based logging as JSON data where each entry is as follows:
{"timestamp": "UTC Timestring", "mythic_object": "one of the values from above", "message": JSON of the actual message in question}
To start Mythic, simply run sudo ./start_mythic.sh.
If you came here right from the previous section, your Mythic instance should already be up and running. Check out the next section to confirm that's the case. If at any time you wish to stop Mythic, simply run sudo ./stop_mythic.sh and if you want to start it again run sudo ./start_mythic.sh. If Mythic is currently running and you need to make a change, you can run sudo ./start_mythic.sh again without any issue, that script will automatically stop things and then restart them.
If something seems off, here's a few places to check:
Run
sudo ./status_check.shto give a status update on all of the docker containers. They should all be up and running. If one is exited or has only been up for less than 30 seconds, that container might be your issue.Your output will be similar to the following. Notice how the
mythic_serverdocker container shows a status ofExited? That looks like an issue
Core mythic services: mythic_server, mythic_postgres, mythic_rabbitmqCONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES544a64a93894 mythic_rabbitmq "/init.sh" 3 days ago Up 3 days mythic_rabbitmqed9d07847839 mythic_postgres "docker-entrypoint.s…" 3 days ago Up 3 days mythic_postgresa79cec76ee88 mythic_server "./wait-for-postgres…" 4 weeks ago Exited (1) 30 (seconds) ago mythic_serverC2_Profile endpointsCONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMESd19a3424fc39 http "/Mythic_service/c2_…" 3 days ago Up 3 days httpbb8cca7066d7 dynamichttp "/Mythic_service/c2_…" 3 days ago Up 3 days dynamichttp0ada364906dc chrome-server "/Mythic_service/c2_…" 3 days ago Up 3 days chrome-serverPayload Type EndpointsCONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES5d9c4f84eb7d poseidon "/Mythic_service/pay…" 3 days ago Up 3 days poseidon587bc657206f serviceexe "/Mythic_service/pay…" 3 days ago Up 3 days serviceexe
To check the logs of any container, run
sudo ./display_output.sh [container_name]. For example, to see the output of our stopped container, runsudo ./display_output.sh mythic_server. This will help track down if the last thing that happened was an error of some kind.If you don't supply any container names, the script will iterate through all of the containers and dump their output to a file called
display_output.txtthat you can then grep or browse through.
If all of that looks ok, but something still seems off, it's time to check the browser.
If you're seeing "Session Expired, Please Refresh", "Socked errored, please refresh", or "Socket closed, please refresh", then there's an issue with your websocket connections.
First open up the developer tools for your browser and see if there are any errors that might indicate what's wrong. If there's no error though, check the network tab to see if there are any 404 errors.
If that's not the case, make sure you've selected a current operation (more on this in the Quick Usage section). Apfell uses websockets that pull information about your current operation to provide data. If you're not currently in an active operation (indicated at the top of your screen in big letters), then Apfell cannot provide you any data.
Mythic starts every service (web server, database, each payload type, each C2 profile, rabbitmq, documentation) in its own Docker container. As much as possible, these containers leverage common image bases to reduce size, but due to the nature of so many components, there's going to be a decent footprint. For consideration, here's the Docker footprint for a fresh install of Mythic:
its-a-feature@ubuntu:$ sudo docker system dfTYPE TOTAL ACTIVE SIZE RECLAIMABLEImages 15 10 8.274GB 6.266GB (75%)Containers 12 12 2.992MB 0B (0%)Local Volumes 1 0 166B 166B (100%)Build Cache 0 0 0B 0Bits-a-feature@ubuntu:$ sudo docker system df -vImages space usage:REPOSITORY TAG IMAGE ID CREATED SIZE SHARED SIZE UNIQUE SIZE CONTAINERSmythic_documentation latest 297df1e2f151 12 minutes ago 48.01MB 48MB 166B 1poseidon latest 2ba62d144c91 12 minutes ago 3.508GB 3.482GB 26.85MB 1leviathan latest 9ca4e9803436 14 minutes ago 1.021GB 922.7MB 98.47MB 1dynamichttp latest 7a17ef432456 16 minutes ago 738.7MB 711.2MB 27.43MB 2apfell_mythic latest 1c7d1ce07f67 16 minutes ago 939.2MB 702.7MB 236.5MB 1apfell_rabbitmq latest f47d738256c3 17 minutes ago 148.8MB 148.8MB 2.414kB 1apfell_postgres latest 66c45a1c2200 17 minutes ago 250.7MB 250.7MB 20.88kB 1itsafeaturemythic/xgolang_payload 0.0.5 5ae6a5e9c5e5 8 days ago 3.482GB 3.482GB 0B 0klakegg/hugo latest 1af18a30400a 3 weeks ago 48MB 48MB 0B 0itsafeaturemythic/python36_c2profile 0.0.2 bb950bf20d86 8 weeks ago 711.2MB 711.2MB 0B 1itsafeaturemythic/python36_payload 0.0.5 3507a2c336a7 2 months ago 922.7MB 922.7MB 0B 1itsafeaturemythic/csharp_payload 0.0.5 4345127d1907 2 months ago 1.619GB 0B 1.619GB 2postgres 9.4 ed5a45034282 6 months ago 250.7MB 250.7MB 0B 0python 3.6-jessie 890456b21ed5 13 months ago 702.7MB 702.7MB 0B 0rabbitmq 3.7.6-management 500d74765467 2 years ago 148.8MB 148.8MB 0B 0Containers space usage:CONTAINER ID IMAGE COMMAND LOCAL VOLUMES SIZE CREATED STATUS NAMES50b9b40d826d mythic_documentation "hugo server" 0 0B 12 minutes ago Up 12 minutes documentation27c9c16a2920 servicewrapper "/Mythic_service/pay…" 0 0B 12 minutes ago Up 12 minutes servicewrapper4bffb5f83a08 poseidon "/Mythic_service/pay…" 0 0B 12 minutes ago Up 12 minutes poseidond8841127ed15 leviathan "/Mythic_service/pay…" 0 478kB 14 minutes ago Up 14 minutes leviathanf4f1d6a2c1fb atlas "/Mythic_service/pay…" 0 0B 14 minutes ago Up 14 minutes atlase3363eec0c23 apfell "/Mythic_service/pay…" 0 478kB 15 minutes ago Up 15 minutes apfella66f3c5acf31 websocket "/Mythic_service/c2_…" 0 505kB 16 minutes ago Up 16 minutes websockete340ed52df59 http "/Mythic_service/c2_…" 0 533kB 16 minutes ago Up 16 minutes httpaa73e22acf9b dynamichttp "/Mythic_service/c2_…" 0 505kB 16 minutes ago Up 16 minutes dynamichttp6ce00c1e4811 apfell_mythic "./wait-for-postgres…" 0 493kB 16 minutes ago Up 16 minutes mythic_server1c6416ebfeae apfell_postgres "docker-entrypoint.s…" 0 63B 16 minutes ago Up 16 minutes mythic_postgres2c6f41370dd9 apfell_rabbitmq "/init.sh" 0 144B 16 minutes ago Up 16 minutes mythic_rabbitmqLocal Volumes space usage:VOLUME NAME LINKS SIZEdocumentation-docker 0 166BBuild cache usage: 0BCACHE ID CACHE TYPE SIZE CREATED LAST USED USAGE SHARED
If you want to save space or if you know you're not going to be using a specific container, add that C2 profile or Payload Type name to the appropriate exclude list in the config.json specified above. That indicates to Mythic to not even build or start that container.
