All C2 profiles are backed by a Docker container or intermediary layer of some sort.

What's the goal of the container?

What do the C2 docker containers do? Why are things broken out this way? In order to make things more modular within Mythic, most services are broken out into their own containers. When it comes to C2 profiles, they simply serve as an intermediary layer that translates between your special sauce C2 mechanism and the normal RESTful interface that Mythic uses. This allows you to create any number of completely disjoint C2 types without having to modify anything in the main Mythic codebase.

Container Components

There are a few things needed to make a C2 container. For this example, let's assume the name of the C2 profile is ABC:

1. Make the following folder structure by copying Example_C2_Profile as ABC under /Mythic/C2_Profiles/. The result should look like:

2. Within c2_code should be a file called server (this is what will be executed when you select to start the c2 profile. If you want this to pick up something from the environment, be sure to put it as a #! at the top. For example, the default containers leverage python3, so they have #! /usr/bin/env python3 at the top. This file is always executed via bash, so as a sub-process like ./server

3. Within c2_code should be a file called config.json, this is what the operator is able to edit through the UI and should contain all of the configuration components. The one piece that doesn't need to be here are if the operator needs to add additional files (like SSL certs). There are too many security concerns and processes that go into arbitrary file upload currently that make this process require you to ssh into the host where Mythic is running and put the files there manually. This might change in the future, but that's the current expectation.

4. Within ABC there should be a Dockerfile that sets up your environment. In most cases, you'll simply start it off with:

From itsafeaturemythic/python36_c2profile:0.0.2

But you can customize this as well

5. Within the mythic folder are all the basic files for processing tasking. The rabbitmq_config.json file is fine being left alone if you're doing a local Docker container. If you're turning another computer into your C2 container, similar to what you can do with Payload Types, then this will need to be modified in the same way as Payload Type Development.

6. Within the mythic folder is the c2_functions folder. This is analogous to the agent_functionsfolder within Payload Types. This is where you'll put your Python files that define the C2 Profile metadata and establish any RPC functions you want to expose to other containers. This technically allows you to chain C2 containers together for RPC calls.

7. You can now start the C2 profile container from the command line via sudo ./start_c2_profiles.sh ABC. This will start the container and have it sending heartbeats to the main Mythic instance. If you already have the C2 profile registered in the UI, you'll now see the docker container light turn green.

At this point though, the container is checking in and can be tasked, but there's no inner logic that's going on to actually translate anything for a C2 profile.

C2Profile Class

Within the /Mythic/C2_Profiles/ABC/mythic/c2_functions folder is a python file (name doesn't matter, typically matches the c2 profile name though) with a new class that extends the base C2 Profile class. An example would be:

class HTTP(C2Profile):
    name = "HTTP"
    description = "Default RESTful C2 channel"
    author = "@its_a_feature_"
    is_p2p = False
    is_server_routed = False
    sample_server = ""
    sample_client = "When setting parameters:\ncallback_host should be 'http:\/\/domain.com', 'https:\/\/domain.com'.\n'Base64 32byte AES Key' is auto-generated per operation and automatically filled in if the key name is 'AESPSK'. This value must be set for static pre-shared key comms or encrypted key  exchange comms. You can change it to be any base64 of 32 bytes.\nBy default, the payloads will do an encrypted key exchange of some sort"
    notes = """The 'apfell' agent cannot connect to self-signed certs, so keep that in mind when standing up infrastructure. 
This container can be configured and started if you don't want to connect directly to the Mythic server. Otherwise, this container simply acts as a slightly smarter socat redirector"""
    parameters = [
        C2ProfileParameter(name="callback_port", description="Callback Port", default_value="80", verifier_regex="^[0-9]+$"),
        C2ProfileParameter(name="killdate", description="Kill Date", default_value="yyyy-mm-dd", required=False),
        C2ProfileParameter(name="encrypted_exchange_check", description="Perform Key Exchange", choices=["T", "F"], parameter_type=ParameterType.ChooseOne),
        C2ProfileParameter(name="callback_jitter", description="Callback Jitter in percent", default_value="23", verifier_regex="^[0-9]+$"),
        C2ProfileParameter(name="domain_front", description="Host header value for domain fronting", default_value=""),
        C2ProfileParameter(name="USER_AGENT", description="User Agent", default_value="Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"),
        C2ProfileParameter(name="AESPSK", description="Base64 of a 32B AES Key", default_value=""),
        C2ProfileParameter(name="callback_host", description="Callback Host", default_value="https://domain.com", verifier_regex="^(http|https):\/\/[a-zA-Z0-9]+"),
        C2ProfileParameter(name="callback_interval", description="Callback Interval in seconds", default_value="10", verifier_regex="^[0-9]+$")
    ]

This is a small class that just defines the metadata aspects of the C2 profile. The main piece here is the definition of the parameters array. Each element here is a C2ProfileParameter class instance with a few possible arguments:

class C2ProfileParameter:
    def __init__(self,
                 name: str,
                 description: str,
                 default_value: str = "",
                 randomize: bool = False,
                 format_string: str = "",
                 parameter_type: ParameterType = ParameterType.String,
                 required: bool = True,
                 verifier_regex: str = "",
                 choices: [str] = None):
        self.name = name
        self.description = description
        self.randomize = randomize
        self.format_string = format_string
        self.parameter_type = parameter_type
        self.required = required
        self.verifier_regex = verifier_regex
        self.choices = choices
        if self.parameter_type == ParameterType.String:
            self.default_value = default_value
        elif choices is not None:
            self.default_value = "\n".join(choices)