Pull the code from the official GitHub repository:
$ git clone https://github.com/its-a-feature/Mythic
This is made to work with Docker and docker-compose, so they both need to be installed. If Docker is not installed on your Ubuntu machine, you can use the ./install_docker_ubuntu.sh script to install it for you. If you're running on Debian, use the
You need to have Docker server version 20.10.22 or above (latest version is 23.0.1) for Mythic and the docker containers to work properly. If you do sudo apt upgrade and sudo apt install docker-compose-plugin on a new version of Ubuntu or Debian, then you should be good. You can check your version with sudo docker version.
Mythic must be installed on Linux. While macOS supports Docker and Docker-Compose, macOS doesn't handle the shared host networking that Mythic relies on for C2 containers. You can still access the browser interface from any OS, but the Mythic instance must be installed on Linux.
It's recommended to run Mythic on a VM with at least 2 CPUs and 4 GB of RAM.
All configuration is done via the mythic-cli binary. However, to help with GitHub sizes, the mythic-cli binary is no longer distributed with the main Mythic repository. Instead, you will need to make the binary via sudo make from the main Mythic folder. This will create the build container for the mythic-cli, build the binary, and copy it into your main Mythic folder automatically. From there on, you can use the mythic-cli binary like normal.
Mythic configuration is all done via Mythic/.env, which means for your configuration you can either add/edit values there or add them to your environment.
Mythic/.env doesn't exist by default. You can either let Mythic create it for you when you run sudo ./mythic-cli start for the first time or you can create it ahead of time with just the variables you want to configure.
If you need to run mythic-cli as root for Docker and you set your environment variables as a user, be sure to run sudo -E ./mythic-cli so that your environment variables are carried over into your sudo call. The following are the default values that Mythic will generate on first execution of sudo ./mythic-cli start unless overridden:
A few important notes here:
MYTHIC_SERVER_PORT will be the port opened on the server where you're running Mythic. The NGINX_PORT is the one that's opened by Nginx and acts as a reverse proxy to all other services. The NGINX_PORT is the one you'll connect to for your web user interface and should be the only port you need to expose externally (unless you prefer to SSH port forward your web UI port).
allowed_ip_blocks allow you to restrict access to the login page of Mythic. This should be set as a series of netblocks with NO host bits set - i.e.
*_BIND_LOCALHOST_ONLY - these settings determine if the associated container binds the port to 0.0.0.0:port. These are all set to true (except for the nginx container) by default so that you're not exposing these services externally.
If you want to have a service (agent, C2 profile, etc.) on a host other than where the Mythic server is running, then you need to make sure that RABBITMQ_BIND_LOCALHOST_ONLY and MYTHIC_SERVER_BIND_LOCALHOST_ONLY are both set to false so that your remote services can access Mythic.
The above configuration does NOT affect the port or SSL information related to your agents or callback information. It's strictly for your operator web UI.
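A pre-flight check for the two settings described above, added here as an example (it is not part of Mythic or mythic-cli): it flags allowed_ip_blocks entries that have host bits set and lists services whose *_BIND_LOCALHOST_ONLY value is false. The sample file contents, the upper-case key spelling, the comma separator and the POSTGRES/NGINX key names are assumptions.

```python
import ipaddress

# Constructed sample of a Mythic/.env file (not real mythic-cli output).
# Key spelling and the comma-separated netblock list are assumptions.
SAMPLE_ENV = '''\
ALLOWED_IP_BLOCKS="10.0.0.0/8,192.168.53.152/24"
NGINX_BIND_LOCALHOST_ONLY="false"
MYTHIC_SERVER_BIND_LOCALHOST_ONLY="false"
RABBITMQ_BIND_LOCALHOST_ONLY="true"
POSTGRES_BIND_LOCALHOST_ONLY="true"
'''

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and comments, stripping quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip().upper()] = value.strip().strip('"\'')
    return env

def bad_netblocks(env):
    """Return (entry, reason) for each allowed_ip_blocks entry that is not a clean netblock."""
    problems = []
    entries = (e.strip() for e in env.get("ALLOWED_IP_BLOCKS", "").split(","))
    for entry in filter(None, entries):
        try:
            ipaddress.ip_network(entry, strict=True)  # strict=True rejects host bits
        except ValueError:
            try:
                fixed = ipaddress.ip_network(entry, strict=False)
                problems.append((entry, f"host bits set, use {fixed}"))
            except ValueError:
                problems.append((entry, "not a valid netblock"))
    return problems

def exposed_services(env, expected=("NGINX",)):
    """Return services with *_BIND_LOCALHOST_ONLY=false, other than the expected ones."""
    suffix = "_BIND_LOCALHOST_ONLY"
    return sorted(
        key[: -len(suffix)] for key, value in env.items()
        if key.endswith(suffix) and value.lower() == "false"
        and key[: -len(suffix)] not in expected
    )

if __name__ == "__main__":
    env = parse_env(SAMPLE_ENV)
    for entry, reason in bad_netblocks(env):
        print(f"allowed_ip_blocks: {entry}: {reason}")
    for name in exposed_services(env):
        print(f"{name} is not localhost-only; confirm a remote service needs it")
```

Nginx is treated as expected because the page says it is the one container not bound to localhost by default; anything else reported should correspond to a remote agent or C2 profile host you actually run.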
When the mythic_server container starts for the first time, it goes through an initialization step where it uses the password and username from Mythic/.env to create the mythic_admin_user user. Once the database exists, the mythic_server container no longer uses that value.
The mythic-cli binary is used to start/stop/configure/install components of Mythic. You can see the help menu at any time with
Mythic CLI is a command line interface for managing the Mythic
application and associated containers and services. Commands are grouped by their use.
  add          Add local service folder to docker compose
  build        Build/rebuild a specific container
  config       Display or adjust the configuration
  database     interact with the database
  help         Help about any command
  install      install services from GitHub or local folders
  logs         Get docker logs from a running service
  mythic_sync  work to mythic_sync install/uninstall
  rabbitmq     interact with the rabbitmq
  remove       Remove local service folder from docker compose
  restart      Start all of Mythic
  start        Start Mythic containers
  status       Get current Mythic container status
  stop         Stop all of Mythic
  test         test mythic service connections
  uninstall    uninstall services locally and remove them from disk
-h, --help help for mythic-cli
Use "mythic-cli [command] --help" for more information about a command.
By default, Mythic does not come with any Payload Types (agents) or C2 Profiles. This is for a variety of reasons, but one of the big ones being time/space requirements - all Payload Types and C2 Profiles have their own Docker containers, and as such, collectively they could eat up a lot of space on disk. Additionally, having them split out into separate repositories makes it much easier to keep them updated.
To install a Payload Type or C2 Profile, use the
sudo ./mythic-cli install github <url>
If you have an agent already installed, but want to update it, you can do the same command again. If you supply a -f at the end, then Mythic will automatically overwrite the current version that's installed, otherwise you'll be prompted for each piece.
You won't be able to create any payloads within Mythic until you have at least one Agent and a matching C2 Profile installed.
If you're wanting to enable SIEM-based logging, install the basic_logger via the mythic cli: sudo ./mythic-cli install github https://github.com/MythicC2Profiles/basic_logger. This profile listens to the emit_log RabbitMQ queue and allows you to configure how you want to save/modify the logs. By default they just go to stdout, but you can configure it to write out to files or even submit the events to your own SIEM.
file_upload (file staged on mythic as part of tasking with the intent to get sent to the agent)
file_manual_upload (file staged on mythic as part of a user manually hosting it)
file_screenshot (file is a screenshot from the agent)
file_download (file is downloaded from agent to mythic)
artifact_new (new artifact created - think IOC)
eventlog_new (new eventlog message)
eventlog_modified (eventlog was modified, like resolving an issue or changing their message)
payload_new (new payload created)
task_mitre_attack (a task was associated with a new mitre attack technique)
task_new (a new task was created)
task_completed (a task completed)
task_comment (somebody added/removed/edited a comment on a task)
credential_new (a new credential was added to the store)
credential_modified (a credential was modified)
response_new (a new response for the user to see)
keylog_new (a new keylog entry)
callback_new (new callback registered)
If you came here right from the previous section, your Mythic instance should already be up and running. Check out the next section to confirm that's the case. If at any time you wish to stop Mythic, simply run sudo ./mythic-cli stop and if you want to start it again run sudo ./mythic-cli start. If Mythic is currently running and you need to make a change, you can run sudo ./mythic-cli restart again without any issue; that command will automatically stop things and then restart them.
The default username is mythic_admin, but that user's password is randomly generated when Mythic is started for the first time. You can find this random value in the Mythic/.env file. Once Mythic has started at least once, this value is no longer needed, so you can edit or remove this entry from the
Mythic starts with NO C2 Profiles or Agents pre-installed. Due to size issues and the growing number of agents, this isn't feasible. Instead, use the ./mythic-cli install github <url> [branch] [-f] command to install an agent from a GitHub (or GitLab) repository.
If something seems off, here are a few places to check:
- Run sudo ./mythic-cli status to give a status update on all of the docker containers. They should all be up and running. If one is exited or has only been up for less than 30 seconds, that container might be your issue. All of the Mythic services will also report back a health check which can be useful to determine if a certain container is having issues. The status command gives a lot of information about what services are running, on which ports, and if they're externally accessible or not.
MYTHIC SERVICE            WEB ADDRESS               BOUND LOCALLY
Nginx (Mythic Web UI)     https://127.0.0.1:7443    false
Mythic Backend Server     http://127.0.0.1:17443    false
Hasura GraphQL Console    http://127.0.0.1:8080     true
Jupyter Console           http://127.0.0.1:8888     true
Internal Documentation    http://127.0.0.1:8090     true

ADDITIONAL SERVICES       IP                PORT    BOUND LOCALLY
Postgres Database         127.0.0.1         5432    false
React Server              192.168.53.152    3000    true
RabbitMQ                  127.0.0.1         5672    false
Mythic Main Services
CONTAINER NAME STATE STATUS PORTS
mythic_documentation running Up 38 seconds (healthy) 8090/tcp -> 127.0.0.1:8090
mythic_graphql running Up 36 seconds (healthy) 8080/tcp -> 127.0.0.1:8080
mythic_jupyter running Up 41 seconds (healthy) 8888/tcp -> 127.0.0.1:8888
mythic_nginx running Up 35 seconds (healthy) 7443/tcp -> :::7443, 7443
mythic_postgres running Up 39 seconds (healthy) 5432/tcp -> :::5432, 5432
mythic_rabbitmq running Up 40 seconds (health: starting) 5672/tcp -> :::5672, 5672
mythic_server running Up 37 seconds (health: starting) 7000/tcp -> :::7000, 7001/tcp -> :::7001, 7002/tcp -> :::7002, 7003/tcp -> :::7003, 7004/tcp -> :::7004, 7005/tcp -> :::7005, 7006/tcp -> :::7006, 7007/tcp -> :::7007, 7008/tcp -> :::7008, 7009/tcp -> :::7009, 7010/tcp -> :::7010, 17443/tcp -> :::17443, 17444/tcp -> :::17444, 7000, 7001, 7002, 7003, 7004, 7005, 7006, 7007, 7008, 7009, 7010, 17443, 17444
CONTAINER NAME STATE STATUS PORTS
no_translator running Up 43 seconds
service_wrapper running Up 42 seconds
- To check the logs of any container, run sudo ./mythic-cli logs [container_name]. For example, to see the output of mythic_server, run sudo ./mythic-cli logs mythic_server. This will help track down if the last thing that happened was an error of some kind.
- If all of that looks ok, but something still seems off, it's time to check the browser.
- First open up the developer tools for your browser and see if there are any errors that might indicate what's wrong. If there's no error though, check the network tab to see if there are any 404 errors.
- If that's not the case, make sure you've selected a current operation (more on this in the Quick Usage section). Mythic uses websockets that pull information about your current operation to provide data. If you're not currently in an active operation (indicated at the top of your screen in big letters), then Mythic cannot provide you any data.
Mythic starts every service (web server, database, each payload type, each C2 profile, rabbitmq, documentation) in its own Docker container. As much as possible, these containers leverage common image bases to reduce size, but due to the nature of so many components, there's going to be a decent footprint. For consideration, here's the Docker footprint for a fresh install of Mythic:
its-a-feature@ubuntu:$ sudo docker system df
TYPE             TOTAL    ACTIVE    SIZE       RECLAIMABLE
Images           9        9         9.62GB     6.263GB (65%)
Containers       9        9         399.6kB    0B (0%)
Local Volumes    17       0         2.964MB    2.964MB (100%)
Build Cache      0        0         0B         0B
its-a-feature@ubuntu:$ sudo docker system df -v
Images space usage:
REPOSITORY TAG IMAGE ID CREATED SIZE SHARED SIZE UNIQUE SIZE CONTAINERS
mythic_server latest b11659fb912a 4 minutes ago 6.889GB 6.256GB 632.5MB 1
no_translator latest b9e63f1a0097 14 hours ago 6.58GB 6.256GB 323.5MB 1
service_wrapper latest 7c508916bc3e 14 hours ago 6.581GB 6.256GB 324.5MB 1
mythic_jupyter latest 96255e6737c4 18 hours ago 996.6MB 0B 996.6MB 1
mythic_postgres latest 9a351f9bc9ef 18 hours ago 243.1MB 7.05MB 236.1MB 1
mythic_documentation latest ed947afb8c27 18 hours ago 54.36MB 0B 54.36MB 1
mythic_graphql latest 820890c9b0ad 2 weeks ago 621.8MB 0B 621.8MB 1
mythic_nginx latest da7a4011c460 3 weeks ago 40.72MB 7.05MB 33.67MB 1
mythic_rabbitmq latest 07d9eda5cc97 19 months ago 133.3MB 0B 133.3MB 1
Containers space usage:
CONTAINER ID IMAGE COMMAND LOCAL VOLUMES SIZE CREATED STATUS NAMES
08e5869c4b8a mythic_postgres "docker-entrypoint.s…" 0 63B 4 minutes ago Up 3 minutes (healthy) mythic_postgres
1bc0306aa920 mythic_graphql "docker-entrypoint.s…" 0 378kB 4 minutes ago Up 3 minutes (healthy) mythic_graphql
41e982d38a14 mythic_nginx "/docker-entrypoint.…" 0 2B 4 minutes ago Up 3 minutes (healthy) mythic_nginx
a0f1df25e66b mythic_documentation "hugo server -p 8090" 0 0B 4 minutes ago Up 3 minutes (healthy) mythic_documentation
a98ba7b3aa64 mythic_jupyter "tini -g -- start.sh…" 0 21.2kB 4 minutes ago Up 4 minutes (healthy) mythic_jupyter
9d92d8397a87 mythic_rabbitmq "docker-entrypoint.s…" 0 756B 4 minutes ago Up 3 minutes (healthy) mythic_rabbitmq
871405214da0 service_wrapper "/bin/sh -c 'make ru…" 0 0B 4 minutes ago Up 4 minutes service_wrapper
3f7a4f72a82d no_translator "/bin/sh -c 'make ru…" 0 0B 4 minutes ago Up 4 minutes no_translator
79295b4bc031 mythic_server "/bin/bash -c 'cp /m…" 0 0B 4 minutes ago Up 3 minutes (healthy) mythic_server
Local Volumes space usage:
VOLUME NAME LINKS SIZE
1bdf5e715217e03b9e10e33b7c7e55e1ddb8898c9da53da5fc42b72c77e05ea3 0 0B
473660a24b907ce4194806b0584c236964d2b0fe0e8690057d470eaee8fcbe97 0 0B
jupyter 0 2.911MB
12f257df33085912785808aa5b1e4c29910ae4ddcad498b933763668263f770d 0 93B
780ee9b1d726ac35d5ef0d2ff19f155d0e2bff437f522d6fbe984499a27c6202 0 0B
9de90d6f8308c2cc9c19043373b4f9f45d000b7ecea8b3682df224e8f9a79ada 0 0B
d0776a4a8e535a9d35f444413be020d51f0cdfd473c773c5127b5d31d95bdb61 0 0B
dbcfcf81791e768acb83c811de9d3e57172c727f83f92f8b4d7f6de4a39e84d1 0 52.77kB
documentation-docker 0 166B
0cd941f7e6b4b25ab1e13f1d575f2f1caaacb4664eaa9d6c404ad2347554a7fb 0 0B
cefb153314333ecb272945798c1225a5545159ae41aa92aeaa912fe017882ba8 0 93B
9c870d0f01bcbc303eb6fbf4a5a1e1bdd2c70854c02c737bb0542c5f56c0c040 0 0B
cfaacc90b7b34bdce1ed35481cab48540e6f58fd948b4bc59c5a18ecd87e00c9 0 0B
fd69883c79fe52f5108558f84b8989943b47406ac96de68c555ac7cbebb1a66b 0 0B
fe82f2f0c818cbe678db9015aebaae811fcb88e55c5039d3b8d8e82034c1b18a 0 93B
mythic 0 88B
1c181b8dbadf04787e4e3faeab9b7a863d3c78a462068e9165ce4da258c31564 0 0B
Build cache usage: 0B
If you want to save space or if you know you're not going to be using a specific container, you can remove that container from docker-compose with
sudo ./mythic-cli remove [container name]