Mythic Documentation
Search…
Version 2.3
Mythic
Operators
Installation
Internal Documentation
Quick Usage
Operational Pieces
MITRE ATT&CK
Operations
Analytics
Browser Scripts
Active Callbacks
Files
Search
File Browser
Socks Proxy
Credentials
Comments
Tags
All Callbacks
Split Callbacks
Screenshots
Event Feed
Task Feed
API Tokens
Message Flow
Understanding Commands
Payload Types
C2 Profiles
Reporting
Scripting
Presentations / Webinars
Common Errors
Customizing
Hooking Features
Payload Type Development
C2 Related Development
Common Questions and Answers
FAQ / Troubleshooting Tips
Change Log
Next Release
Tip of the Week
Updating
Mythic 2.1 -> 2.2 Updates
Mythic 2.2 -> 2.3 Updates
Powered By GitBook
MITRE ATT&CK

What is it?

MITRE ATT&CK (https://attack.mitre.org/) is an amazing knowledge base of adversary techniques.
MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world — by bringing communities together to develop more effective cybersecurity. ATT&CK is open and available to any person or organization for use at no charge.

Where is it?

This is in development to bring into the new user interface. This is still tracked by the back-end and available via reporting, but the ATT&CK matrix itself still needs to be ported over to the new React interface.

How does this Task mapping happen?

Commands can be automatically tagged with MITRE ATT&CK Techniques (this is what populates the "Commands by ATT&CK" output). To locate this, you just need to look at the associated python files for each command:
/Mythic/Payload_Types/[agent name]/mythic/agent_functions[cmd_name].py
In addition to this file defining the general properties of the command (such as parameters, description, help information, etc). There's a field called attackmapping that takes an array of MITRE's T# values. For example, looking at the apfell agent's download command:
1
class DownloadCommand(CommandBase):
2
cmd = "download"
3
needs_admin = False
4
help_cmd = "download {path to remote file}"
5
description = "Download a file from the victim machine to the Mythic server in chunks (no need for quotes in the path)."
6
version = 1
7
author = "@its_a_feature_"
8
parameters = []
9
attackmapping = ["T1020", "T1030", "T1041"]
10
argument_class = DownloadArguments
11
browser_script = BrowserScript(script_name="download", author="@its_a_feature_")
Copied!
When this command syncs to the Mythic server, those T numbers are stored and used to populate the ATT&CK Matrix. When you issue this download command, Mythic does a lookup to see if there's any MITRE ATT&CK associations with the command, and if there are, Mythic creates entries for the "Tasks by ATT&CK" mappings. This is why you're able to see the exact command associated.

How do I update this to add/remove mappings?

As long as you're keeping with the old MITRE ATT&CK mappings, simply add your T# to the list like shown above, then run sudo ./mythic-cli payload start [agent name]. That'll restart the agent's container and trigger a re-sync of information.

MITRE Added Sub-Techniques, where are they?

Good point. The current Mythic instance doesn't support the new sub technique view or mapping scheme. It's on the roadmap to incorporate now that MITRE finalized the structure.
Previous
Operational Pieces
Next
Operations
Last modified 6mo ago
Copy link
Edit on GitHub
Contents
What is it?
Where is it?
How does this Task mapping happen?
How do I update this to add/remove mappings?
MITRE Added Sub-Techniques, where are they?