Hooking Features

All of the following features describe information that can be included in responses. These sections describe additional JSON formats and data that let Mythic track your responses or create additional elements within Mythic (such as files, credentials, artifacts, etc).

You can hook multiple features in a single response because their keys are all unique. To display something to the user, put it in the user_output field, such as:

{
    "user_output": "Still working"
}

or even

{
    "user_output": "{\"key\": \"nested json for user as string\"}"
}

The various styles of output are described in the follow-on pages:

Reserved Keywords

When we talk about Hooking Features in the Action: post_response message of an agent, we're really talking about a specific set of dictionary key-value pairs that have special meaning. All responses from the agent to the Mythic server already have to be in a structured format. Each of the above sections goes into what its reserved keywords mean, but the full list is found below:

  • total_chunks - integer - used with file uploads/downloads for chunking

  • chunk_num - integer - used with file uploads/downloads for chunking

  • chunk_size - integer - used with file uploads/downloads for chunking

  • task_id - string - UUID associated with tasks

  • full_path - string - used with file uploads/downloads to report back the full path of the file (ex: test.txt is meaningless, full_path would report back C:\Users\username\Desktop\test.txt)

  • user_output - string - used with any command to display information back to the user

  • completed - boolean - used with any command to indicate that the task is done (switches to the green completed icon)

  • status - string - used to indicate that a command is not only done, but has encountered an error (value would be "error")

  • file_id - string (uuid to be specific) - used with file uploads/downloads and any command wishing to utilize chunking for files

  • artifacts - array - an array of artifact objects that report back artifacts created on disk/on the network

  • credentials - array - an array of credential objects that report back credentials gathered from the host

  • window_title - string - the title of the window associated with keystrokes for a keylogger

  • user - string - the user associated with keystrokes for a keylogger

  • keystrokes - string - the keystrokes for a keylogger

  • edges - array - an array of P2P linking/unlinking information

  • commands - array - an array of command updating information (telling Mythic that the callback loaded/unloaded commands)

  • file_browser - dictionary - a dictionary of information about the file/folder with potentially a nested array to give details about all of the files within a folder

  • process_response - this is passed to your command's python file for processing in the process_response function.

PayloadType Development Reference

As you're developing an agent to hook into these features, it's helpful to know where to look if you have questions. All of the Task, Command, and Parameter definitions/functions available to you are defined in the mythic_payloadtype_container PyPI Container, MythicCommandBase.py, which is hosted on the MythicMeta Organization on GitHub. Information about the Payload Type itself (BuildResponse, SupportedOS, BuildParameters, PayloadType, etc) can be found in the PayloadBuilder.py file in the same PyPI repo.
