Installation

Get the code

Pull the code from the official GitHub repository:

$ git clone https://github.com/its-a-feature/Mythic

This is made to work with docker and docker-compose, so they both need to be installed. If docker is not installed on your ubuntu machine, you can use the ./install_docker_ubuntu.sh script to install it for you. If you're running on debian, use the ./install_docker_debian.sh instead.

Mythic must be installed on Linux. While macOS supports Docker and Docker-Compose, macOS doesn't handle the shared host networking that Mythic relies on. You can still access the Browser interface from any OS, but the Mythic instance must be installed on Linux

Configure your installation

/Mythic/mythic-docker/config.json contains all of the pieces for you to configure for accessing your operator web UI:

{
"mythic_admin_user": "mythic_admin",
"mythic_admin_password": "mythic_password",
"default_operation_name": "Operation Chimera",
"listen_port": 7443,
"ssl_cert_path": "./app/ssl/mythic-cert.pem",
"ssl_key_path": "./app/ssl/mythic-ssl.key",
"allowed_ip_blocks": ["0.0.0.0/0"],
"use_ssl": true,
"server_header": "nginx 1.2",
"web_log_size": 1024000,
"web_keep_logs": true,
"siem_log_name": "",
"excluded_c2_profiles": [ ],
"excluded_payload_types": [ ],
"start_documentation_container": true,
"documentation_container_port": 8080
}

A few important notes here. listen_port will be the port opened on the server where you're running Mythic. The allowed_ip_blocks allow you to restrict access to the login and register pages of Mythic. excluded_c2_profiles and excluded_payload_types allows you to exclude certain docker containers from starting. This is helpful if you know you're not going to use certain payload types or c2 profiles and want to cut down on time/space requirements.

The above configuration does NOT affect the port or SSL information related to your agents or callback information. It's strictly for your operator web UI.

Logging

The web_log_size and web_keep_logs refers only to keeping web logs (i.e. web traffic hitting Mythic). If you're wanting to enable SIEM-based logging, set the siem_log_name to anything but an empty string. Mythic will create that file if it doesn't exist, and log to that file. The following things are logged currently:

file_upload (file staged on mythic as part of tasking with the intent to get sent to the agent)
file_manual_upload (file staged on mythic as part of a user manually hosting it)
file_screenshot (file is a screenshot from the agent)
file_download (file is downloaded from agent to mythic)
artifact_new (new artifact created - think IOC)
eventlog_new (new eventlog message)
eventlog_modified (eventlog was modified, like resolving an issue or changing their message)
payload_new (new payload created)
task_mitre_attack (a task was associated with a new mitre attack technique)
task_new (a new task was created)
task_completed (a task completed)
task_comment (somebody added/removed/edited a comment on a task)
credential_new (a new credential was added to the store)
credential_modified (a credential was modified)
response_new (a new response for the user to see)
keylog_new (a new keylog entry)
callback_new (new callback registered)

Mythic does SIEM-based logging as JSON data where each entry is as follows:

{"timestamp": "UTC Timestring", "mythic_object": "one of the values from above", "message": JSON of the actual message in question}

To start Mythic, simply run sudo ./start_mythic.sh.

Start Mythic

If you came here right from the previous section, your Mythic instance should already be up and running. Check out the next section to confirm that's the case. If at any time you wish to stop Mythic, simply run sudo ./stop_mythic.sh and if you want to start it again run sudo ./start_mythic.sh. If Mythic is currently running and you need to make a change, you can run sudo ./start_mythic.sh again without any issue, that script will automatically stop things and then restart them.

Troubleshooting installation and connection

If something seems off, here's a few places to check:

  • Run sudo ./status_check.sh to give a status update on all of the docker containers. They should all be up and running. If one is exited or has only been up for less than 30 seconds, that container might be your issue.

    • Your output will be similar to the following. Notice how the mythic_server docker container shows a status of Exited? That looks like an issue

Core mythic services: mythic_server, mythic_postgres, mythic_rabbitmq
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
544a64a93894 mythic_rabbitmq "/init.sh" 3 days ago Up 3 days mythic_rabbitmq
ed9d07847839 mythic_postgres "docker-entrypoint.s…" 3 days ago Up 3 days mythic_postgres
a79cec76ee88 mythic_server "./wait-for-postgres…" 4 weeks ago Exited (1) 30 (seconds) ago mythic_server
C2_Profile endpoints
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d19a3424fc39 http "/Mythic_service/c2_…" 3 days ago Up 3 days http
bb8cca7066d7 dynamichttp "/Mythic_service/c2_…" 3 days ago Up 3 days dynamichttp
0ada364906dc chrome-server "/Mythic_service/c2_…" 3 days ago Up 3 days chrome-server
Payload Type Endpoints
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5d9c4f84eb7d poseidon "/Mythic_service/pay…" 3 days ago Up 3 days poseidon
587bc657206f serviceexe "/Mythic_service/pay…" 3 days ago Up 3 days serviceexe
  • To check the logs of any container, run sudo ./display_output.sh [container_name]. For example, to see the output of our stopped container, run sudo ./display_output.sh mythic_server. This will help track down if the last thing that happened was an error of some kind.

    • If you don't supply any container names, the script will iterate through all of the containers and dump their output to a file called display_output.txt that you can then grep or browse through.

  • If all of that looks ok, but something still seems off, it's time to check the browser.

    • If you're seeing "Session Expired, Please Refresh", "Socked errored, please refresh", or "Socket closed, please refresh", then there's an issue with your websocket connections.

    • First open up the developer tools for your browser and see if there are any errors that might indicate what's wrong. If there's no error though, check the network tab to see if there are any 404 errors.

    • If that's not the case, make sure you've selected a current operation (more on this in the Quick Usage section). Apfell uses websockets that pull information about your current operation to provide data. If you're not currently in an active operation (indicated at the top of your screen in big letters), then Apfell cannot provide you any data.

Container Sizes

Mythic starts every service (web server, database, each payload type, each C2 profile, rabbitmq, documentation) in its own Docker container. As much as possible, these containers leverage common image bases to reduce size, but due to the nature of so many components, there's going to be a decent footprint. For consideration, here's the Docker footprint for a fresh install of Mythic:

its-a-feature@ubuntu:$ sudo docker system df
TYPE TOTAL ACTIVE SIZE RECLAIMABLE
Images 15 10 8.274GB 6.266GB (75%)
Containers 12 12 2.992MB 0B (0%)
Local Volumes 1 0 166B 166B (100%)
Build Cache 0 0 0B 0B
its-a-feature@ubuntu:$ sudo docker system df -v
Images space usage:
REPOSITORY TAG IMAGE ID CREATED SIZE SHARED SIZE UNIQUE SIZE CONTAINERS
mythic_documentation latest 297df1e2f151 12 minutes ago 48.01MB 48MB 166B 1
poseidon latest 2ba62d144c91 12 minutes ago 3.508GB 3.482GB 26.85MB 1
leviathan latest 9ca4e9803436 14 minutes ago 1.021GB 922.7MB 98.47MB 1
dynamichttp latest 7a17ef432456 16 minutes ago 738.7MB 711.2MB 27.43MB 2
apfell_mythic latest 1c7d1ce07f67 16 minutes ago 939.2MB 702.7MB 236.5MB 1
apfell_rabbitmq latest f47d738256c3 17 minutes ago 148.8MB 148.8MB 2.414kB 1
apfell_postgres latest 66c45a1c2200 17 minutes ago 250.7MB 250.7MB 20.88kB 1
itsafeaturemythic/xgolang_payload 0.0.5 5ae6a5e9c5e5 8 days ago 3.482GB 3.482GB 0B 0
klakegg/hugo latest 1af18a30400a 3 weeks ago 48MB 48MB 0B 0
itsafeaturemythic/python36_c2profile 0.0.2 bb950bf20d86 8 weeks ago 711.2MB 711.2MB 0B 1
itsafeaturemythic/python36_payload 0.0.5 3507a2c336a7 2 months ago 922.7MB 922.7MB 0B 1
itsafeaturemythic/csharp_payload 0.0.5 4345127d1907 2 months ago 1.619GB 0B 1.619GB 2
postgres 9.4 ed5a45034282 6 months ago 250.7MB 250.7MB 0B 0
python 3.6-jessie 890456b21ed5 13 months ago 702.7MB 702.7MB 0B 0
rabbitmq 3.7.6-management 500d74765467 2 years ago 148.8MB 148.8MB 0B 0
Containers space usage:
CONTAINER ID IMAGE COMMAND LOCAL VOLUMES SIZE CREATED STATUS NAMES
50b9b40d826d mythic_documentation "hugo server" 0 0B 12 minutes ago Up 12 minutes documentation
27c9c16a2920 servicewrapper "/Mythic_service/pay…" 0 0B 12 minutes ago Up 12 minutes servicewrapper
4bffb5f83a08 poseidon "/Mythic_service/pay…" 0 0B 12 minutes ago Up 12 minutes poseidon
d8841127ed15 leviathan "/Mythic_service/pay…" 0 478kB 14 minutes ago Up 14 minutes leviathan
f4f1d6a2c1fb atlas "/Mythic_service/pay…" 0 0B 14 minutes ago Up 14 minutes atlas
e3363eec0c23 apfell "/Mythic_service/pay…" 0 478kB 15 minutes ago Up 15 minutes apfell
a66f3c5acf31 websocket "/Mythic_service/c2_…" 0 505kB 16 minutes ago Up 16 minutes websocket
e340ed52df59 http "/Mythic_service/c2_…" 0 533kB 16 minutes ago Up 16 minutes http
aa73e22acf9b dynamichttp "/Mythic_service/c2_…" 0 505kB 16 minutes ago Up 16 minutes dynamichttp
6ce00c1e4811 apfell_mythic "./wait-for-postgres…" 0 493kB 16 minutes ago Up 16 minutes mythic_server
1c6416ebfeae apfell_postgres "docker-entrypoint.s…" 0 63B 16 minutes ago Up 16 minutes mythic_postgres
2c6f41370dd9 apfell_rabbitmq "/init.sh" 0 144B 16 minutes ago Up 16 minutes mythic_rabbitmq
Local Volumes space usage:
VOLUME NAME LINKS SIZE
documentation-docker 0 166B
Build cache usage: 0B
CACHE ID CACHE TYPE SIZE CREATED LAST USED USAGE SHARED

If you want to save space or if you know you're not going to be using a specific container, add that C2 profile or Payload Type name to the appropriate exclude list in the config.json specified above. That indicates to Mythic to not even build or start that container.