All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Updated the login / refresh process to return the current UTC timestamp
- this is used in the UI to try to prevent clock skew on callback times
- Updated MythicRPCCallbackSearch to specify a list of payload types
- Updated MythicRPCCallbackAddCommand and MythicRPCCallbackRemoveCommand to take in a list of callback ids
- Added an optional flag for payloads syncing to not retrigger the container's on_start functionality
- Fixed an issue where dynamic query functions for command augmentation commands would go to the base agent instead of the right augmentation container
- Updated the processing for agent messages to minimize memory bloat
- Updated file download process to cache filemeta information and open file descriptors to minimize disk/database access
- Updated agent response processing to cache task data for one update instead of per-response
- Updated MythicRPCResponseCreate to also touch the timestamp of the corresponding task to update the UI streaming
- Updated the command_augment injection process to use suggested_commands as well as builtin commands
- one of these two attributes needs to be set to true on the command augment's command for it to be automatically injected into new callbacks
- this is in conjunction with matching OS requirements and matching the command augment's supported payload types (if specified)
- Added more functionality to invite links
- you can now specify a specific operation and role to assign the new operator to
- you can now specify (and change) the maximum number of usages that the invite link has
- Updated mythic-cli to properly pass in the environment's mythic_server_allow_invite_links setting
- Updated the automated payload creation process to associate a task_id with the payload
- Execute a container's OnStart method after a file has been removed/edited/created via the UI
- Added new parameter to the create_go_tasking response, ReprocessAtNewCommandPayloadType
- this allows you to set the response.CommandName to some other command and response.ReprocessAtNewCommandPayloadType to the same or a different payload type
- execution will then pass to that payload type's create_go_tasking for the new `CommandName`
- This allows execution chains to happen for processing
- Added two more parameters to the MythicRPCCallbackAddCommand and MythicRPCCallbackRemoveCommand functions
- AgentCallbackID - allows you to add to a callback based on AgentCallbackID (UUID) instead of by TaskID
- PayloadType - allows you to specify the payload type associated with the commands if it differs from the payload type of the callback itself
- This is helpful for command augment containers that want to register additional augment commands
- Using the UI to add/remove/update files in a container will re-trigger the container's onStart function
- This allows containers to reprocess data as needed if it changes on disk
- Updated how file hosting works for C2 profiles
- When syncing to Mythic, C2 profiles get updated file hosting based on existing FileHosted tags in Mythic
- When stopping file hosting, Mythic ensures that the C2 profile successfully processed the request before updating the corresponding Tag
- Fixed a bug with onStart messages getting the wrong value for temporary APITokens
- Increased the timeouts for gRPC messages from 1s to 10s
- Added a new field to file browser responses, `set_as_user_output` (bool), to indicate that this structured data should be turned into JSON and set as user_output data by Mythic
- This allows agents to send file browser data once, but get it counted for both the file browser and user_output
- Added endpoints to leverage/set user preferences
- Payload Search wasn't properly filtering on filename or description
- Added an update to make sure that the payload is not deleted and the build phase was a success too
- Fixed an issue where bot accounts were considered as operators for opsec checks
- Fixed an issue where some Numbers were getting saved as scientific notation floats
- Temporary update where Wrappers can identify payloads to wrap, not just payloads identifying the wrappers
- This currently is only additive
- Updated the file download process to only add to the file browser if data is not a screenshot
- Updated the `update_deleted` code for process listings to not filter on callback, but on callback groups
- this should fix a bug where processes weren't getting marked as deleted even though they should be
- Updated the file delete call to invalidate existing cached info to prevent new callbacks
- Updated file uploads to better track the same file uploads across multiple callbacks
- Updated file download message for files hosted through C2 Profiles to be more descriptive
- Added support for operation banner_text and banner_color
- Reworked C2 Profile status updates so they can be more async and C2 profiles can opt for their own restarts
- Removed unnecessary C2 Profile restarts when checking configurations and building payloads
- C2 Profile Functions can now set a field for RestartInternalServer to ask Mythic to restart it for them
- Updated payload build to go on in background instead of blocking build API call
- Updated CommandAugment commands to only autoload builtin and suggested commands to new callbacks
- Added Username/Password auth options for SOCKS ports
- Added support for UDP Associate
- Agents need to inspect the first packet for a new server_id to see if it's `\x00\x00` (UDP) or `\x05` (TCP)
- Updated the proxy stop through the UI to be more precise instead of stopping all proxies based on callback id, port, and port type
- It didn't account for variations in remote ip/port combinations
- Added some checks for port byte tracking max sizes and file max sizes to not hit postgres limits
- Added a missing struct tag for GraphEdges that was breaking the MythicRPCCallbackGraphEdgeSearch call
- Updated callback last checkin time update process to not background jobs, hopefully preventing deadlock in some situations
- Changed the order of initializing the database so that migrations happen before initializing operators/operations
- Added more verbose error messages on connections to include user agent and full URL + Query paths
- Requires latest `http` and `websocket` profiles to forward the necessary headers
- Added more context for GraphQL queries used by APITokens/Scripting to the event log
- Fixed a bug with exporting saved c2 profile instances that would then break imports
- Updated some of the logging for bad messages to be clearer
- Added new tag for FileHosted to indicate and track that a file was hosted through a C2 Profile
- Updated the file download process to check if there's an alert notification requested as part of FileHosting and sends the alert
- Updated MythicRPCCallbackEncrypt and MythicRPCCallbackDecrypt to support Payload/Staging UUIDs and C2Profile information
- Updated file downloads so that you can send the first chunk along with the file registration to cut down on a round trip
- along with `total_chunks` you can send `chunk_data` and `chunk_num` like normal for the first chunk
- Fixed a bug in file search that wouldn't return results if you didn't specify a limit
- Fixed the file search to better account for search limits and workflow files
- Updated the processing step output fields to allow more flexibility
- Fixed a bug where all callbacks would have their last checkin reset when restarting Mythic
- Fixed an issue where sometimes the 'success' flag for file browser objects would get reset
- Added additional checks for eventing
- Updated the delegates responses to get added without the get_delegate_tasking check
- Updated the delegate checks for socks/rpfwd/interactive messages to only send delegates if there's data
- Updated interactive tasking to set processed and processing timestamps more consistently
- Updated file download processing to allow -1 total chunks so agents with unknown chunks can start downloads
- Added a new limit_credentials_by_type option to Command Parameters to reduce noise in the UI when using CredentialJson parameter types
- fixed a bug where updating timestamp of linked agents wouldn't unhide it
- Added context to filePreview graphql queries
- Updated the last checkin time for linked agents to match that of the egress agent
- this includes matching "Streaming Now" displays
- Updated the login function to return the user's utc time preference
- Added button to show/hide deleted consuming containers
- Shortened the dial time for rpfwd connections to 5s instead of 30s
- Added option for `id` return value from create_task eventing
- Updated the logic when downloading files to also update the timestamp on the mythictree entries so that the data is streamed to the UI properly
- Updated the opsec pre and create task response handles to mirror stderr messages to task output so it's easier for operators to see what's wrong
- Many UI updates; check out UI Fixes for 2.0.8
- Many UI updates; check out UI Fixes for 2.0.6
- Fixed a Docker copy with postgres based on #393 when use_volume is true
- Many UI updates; check out UI Fixes for 2.0.4
- Updated eventing tasks to properly address when tasks fail and continue on with the eventing steps
- Updated the LimitByCallback field when searching for files to also account for whether a fileID was used in a task in a callback
- this helps with files that might be uploaded as part of workflows, but still loaded into callbacks
- Fixed how external_ip is fetched from containers to provide a more accurate representation
- help and clear appear in generic `help` output
- ability to hide callbacks that use the PushOneToMany
- updated Mythic's cookie to use strict same site and http only flags
- tasking input - fixed issue where double options could be presented when using tab
- tasking input - adjusted so complex types (link info, files, payloads, etc) aren't tab-completable
- This reduces some confusion when tab completing command parameters
- expand/hide subtasks in UI that have subtasks
- moved plaintext output expand icon to the left of 1 in text editor instead of in the middle
- fixed an issue where sometimes if a tab was open, clicking the keyboard for a callback wouldn't bring that tab back to focus
- fetch server version dynamically in the UI so it updates more often
- update mythic-cli allowed_ips to apply to all web/scripting routes, not just auth
- this now applies to all routes and sub-routes behind Mythic's local reverse proxy
- cache hasura information and invalidate / re-fetch after any modification to operator operation status
- each request went from 3-10ms to 700-1000 microseconds in processing time
- updated list/edit/delete/upload file features for containers to all containers instead of just C2 containers
- fixed bug where non-utf8 characters in keylog data would error on the page
- function to get graphql schema (or option from Mythic): `schema = await mythic.mythic_utilities.fetch_graphql_schema(mythic=mythic_instance)`
- This is helpful when trying to do GraphQL via Golang
- only admins can create new operators
- only admins can create new operations
- fix the UI when the width is too small causing the top appbar to take up 2 lines and cover buttons
- now width <1100px will hide some buttons along the top
- after getting logged out, should redirect to where you were via redirect= URL parameter
- updated payloadtype definition to allow specification of UUID length pre-pended to agent messages
- This can be either 16 or 36 and defaults to 36 (the length of the normal UUIDv4 string)
- This makes it possible to have 16 Byte UUIDs used for P2P comms
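The entry above says the UUID prepended to agent messages can now be either the 36-character UUIDv4 string or the compact 16-byte form (default 36), and a later entry notes that processing had to be adjusted for messages shorter than 36 bytes. The following is an added example, not Mythic's own code, showing how a listener can split the prefix from the body according to the configured length and reject short or malformed prefixes before doing anything else with the message. That the remainder of the message is treated as an opaque body, and the function names, are assumptions of this example.

```python
import uuid

# Added example (not Mythic's own code): split the UUID prefix from an agent
# message according to the payload type's configured UUID length. The page
# states the prefix is either 16 raw bytes or the 36-character UUIDv4 string
# (default 36); treating everything after it as the opaque message body is an
# assumption of this example.

SUPPORTED_UUID_LENGTHS = (16, 36)


def split_agent_message(message: bytes, uuid_length: int = 36) -> tuple:
    """Return (canonical_uuid_string, body).

    Raises ValueError for an unsupported length, a message shorter than the
    prefix, or a prefix that is not a well-formed UUID, so a listener can
    reject junk before attempting a database lookup or decryption.
    """
    if uuid_length not in SUPPORTED_UUID_LENGTHS:
        raise ValueError(f"unsupported uuid length {uuid_length}")
    if len(message) < uuid_length:
        raise ValueError("message shorter than the UUID prefix")
    prefix, body = message[:uuid_length], message[uuid_length:]
    if uuid_length == 16:
        parsed = uuid.UUID(bytes=prefix)  # raw 16-byte form used for P2P comms
    else:
        try:
            text = prefix.decode("ascii")
        except UnicodeDecodeError as exc:
            raise ValueError("UUID prefix is not ASCII") from exc
        try:
            parsed = uuid.UUID(text)
        except ValueError as exc:
            raise ValueError("malformed UUID prefix") from exc
        # uuid.UUID() tolerates braces/urn forms and stray hyphens; require the
        # exact 36-character canonical form so the prefix length is unambiguous.
        if text.lower() != str(parsed):
            raise ValueError("UUID prefix is not the canonical 36-character form")
    return str(parsed), body


def uuid_to_16_bytes(uuid_text: str) -> bytes:
    """Helper for producing the compact 16-byte prefix from a UUID string."""
    return uuid.UUID(uuid_text).bytes
```

The length check is what keeps a sub-36-byte message from raising an unexpected slicing or decoding error in the handler; everything the function rejects is reported as a ValueError the caller can log and drop.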
- updated wrapper builds to not send the wrapped payload bytes via rabbitmq
- HTTP request to mythic made to fetch bytes from container before passing execution off to build function
- no change needed by agent developers
- jupyter access token changed from default 'mythic' to randomized 30 char password
- only affects new installs, but you'll need to fetch this value similar to fetching the hasura secret for GraphQL access
- fixed bug where zipped and downloaded files wouldn't record the final zip size or md5/sha1 hashes
- added button on keylogs page to view all keylogs within a user/host/window combination in your current search window at once
- When sending data back for the file browser, `success` is now an optional boolean field
- C2 Profile debug output is now also sent to the container's debug output so you don't have to view it through the UI
- Two new fields in agent message for artifacts for `needs_cleanup` and `resolved`
- added `process_short_name` field to Callbacks
- this is automatically parsed based on the `process_name` returned from agents when they checkin or update their callback information
- the `process_short_name` is displayed in the Mythic UI callbacks table, but the full `process_name` is shown in the callback detailed metadata view
- this allows agents to return the full path to the binary when checking in without worrying about it bloating up the UI
- light and dark mode agent icon support
- If no dark mode icon is provided, the light mode version is used for both by default on new sync
- There's a new field on payloadtype definitions for a dark mode icon
- MythicRPC call to expose Mythic's way of parsing paths so that agents don't have to do it themselves and it can be standardized
- MythicRPCFileBrowserParsePath
- added task display_id to tasks shown when doing browser script edits so that it's easier to tell the difference
- added an "email" field on operators
- add new ChooseOneCustom parameter type (build, command, and c2) to allow users to choose from list or add new value
- add new FileMultiple parameter type (build, command, and c2) to allow users to select and upload multiple files at once
- new "Last Updated" time in proxy table so you know when data is flowing
- the amount of data transfer updates every 20s
- auto-tag files as you download/preview them so that it's easier to see what has been triaged or not by the team
- all consuming containers now are tracked in the UI specifically and have their own name and description fields that must be set
- This applies to webhooks, loggers, eventing, auth
- A new type of user, a bot account, is now available for creation
- only admins can create new operator accounts and new bot accounts
- bot accounts are not available to login
- a bot account is automatically created for every operation
- bot accounts can be used to take actions in eventing (as long as the operation lead approves it)
- admins are able to generate/view/delete apitokens for bot accounts as well
- Added new `logging.UpdateLogToFile` and `logging.UpdateLogToStdout` functions to containers
- These allow you to dynamically update logging to write to file+stdout or just stdout as needed
- `mythic_container.logging.update_log_to_file` and `mythic_container.logging.update_log_to_stdout` in Python
- Admins can generate one-time-use invite codes to invite somebody to their Mythic server without pre-creating an account
- This is disabled by default but can be enabled in .env or in global settings by admins (MYTHIC_SERVER_ALLOW_INVITE_LINKS)
- Each invite link can be used only once and un-used invite links can be deleted
- Invite links become invalid when the server restarts
- SSO Support via "auth" containers
- can redirect to SSO providers (ExampleContainers has example for ADFS) that provide IDP services
- can process non SSO custom auth as well
- each case must return an email associated with a user that's logged in
- Operators now have email addresses optionally associated with them
- these can be seen via ConsumingServices page
- All containers have an `on_start` function that gets called when the container starts up
- This function is executed once for every operation that's currently running (not deleted and not complete)
- This function gets access to a special JWT APIToken that's scoped to the bot account assigned to the operation
- This JWT is for spectator access (no changes can be made) and only lasts for 5 minutes
- The goal here is to allow some basic configuration to be performed by the container
- New PayloadType attribute `agent_type` value of `command_augment`
- CommandAugment containers expose custom tasks to other PayloadTypes and are automatically injected into callbacks
- Payload type definitions have a new
CheckIfCallbacksAliveFunction
- This gets a list of active callbacks based on this payload type along with their id, last checkin, first checkin, and sleep_info information
- This returns back a list of all the callbacks and an indication if they should be marked as "dead" or not
- "dead" status is reflected by a red skull in the last_checkin column in the callbacks table
- the `sleep_info` data can be updated at any time as a free-form string via MythicRPC or the UI
- the `sleep_info` data is also a column you can toggle to view or not in the UI in the callbacks table
- Added `SendMythicRPCCallbackNextCheckinRange` RPC call to get basic range for next checkin options based on last_checkin, jitter percentage, and sleep interval
- This is provided as a helpful way to reduce duplicated efforts in all payload types checking if `time.Now().UTC()` is within the possible range
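The CheckIfCallbacksAliveFunction and SendMythicRPCCallbackNextCheckinRange entries above describe the same computation from two sides: derive the window in which the next checkin is expected from last_checkin, sleep interval and jitter percentage, then decide whether the current UTC time is past it. The block below is an added example, not Mythic's code, that carries that computation through. The symmetric jitter formula (sleep times one plus or minus jitter/100), the "three missed windows" rule before a callback is called dead, the field names of the input records and the ISO 8601 timestamps are all assumptions of this example; the page describes `sleep_info` as a free-form string, so parsing it into numbers is left to the caller.

```python
from datetime import datetime, timedelta

# Added example (not Mythic's own code). The page says the RPC call derives the
# next checkin range from last_checkin, jitter percentage and sleep interval;
# the symmetric jitter formula below and the "three missed windows" rule for
# marking a callback dead are assumptions of this example.


def next_checkin_range(last_checkin: datetime, sleep_seconds: float, jitter_percent: float):
    """Return (earliest, latest) datetimes for the next expected checkin."""
    if sleep_seconds < 0 or not 0 <= jitter_percent <= 100:
        raise ValueError("sleep must be >= 0 and jitter must be 0..100")
    spread = sleep_seconds * jitter_percent / 100.0
    earliest = last_checkin + timedelta(seconds=sleep_seconds - spread)
    latest = last_checkin + timedelta(seconds=sleep_seconds + spread)
    return earliest, latest


def is_dead(last_checkin: datetime, sleep_seconds: float, jitter_percent: float,
            now: datetime, missed_windows: int = 3) -> bool:
    """Dead once `now` is past the latest expected checkin by more than
    `missed_windows` full (sleep + jitter) periods. A sleep of 0 means the
    agent is expected to stay connected, so a one-second grace is used."""
    _, latest = next_checkin_range(last_checkin, sleep_seconds, jitter_percent)
    window = sleep_seconds * (1 + jitter_percent / 100.0)
    grace = timedelta(seconds=window * missed_windows if window else 1.0)
    return now > latest + grace


def classify_callbacks(callbacks: list, now_iso: str) -> list:
    """Shape mirrors what a CheckIfCallbacksAliveFunction returns: one entry per
    callback with its id and whether to mark it dead. Input records are
    constructed for this example; timestamps are ISO 8601 with a UTC offset."""
    now = datetime.fromisoformat(now_iso)
    results = []
    for cb in callbacks:
        last = datetime.fromisoformat(cb["last_checkin"])
        results.append({
            "id": cb["id"],
            "dead": is_dead(last, cb["sleep_seconds"], cb["jitter_percent"], now),
        })
    return results
```

Keeping `now` as an explicit parameter rather than calling `datetime.now()` inside makes the classification deterministic and testable, and matches the intent of the login/refresh change elsewhere in this log that returns the server's UTC time so the client and server agree on what "now" is.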
- New Container Type and feature: Eventing
- Eventing button at the top now added to manage eventing workflows
- New docs around eventing added
- Fixed a bug where DynamicQueryParameters weren't getting set on first sync
- Fixed a few of the SendMythicRPC* calls to fetch all the same data as normal agent processing
- Added CallbackDisplayID, PayloadType, IsInteractiveTask, and InteractiveTaskType to RPC Search results and new_task logging data
- Fixed an issue with SendMythicRPCTaskSearch
- Fixed an RPC call for generating a new payload that wasn't calling the right function
- When payloads are built, files hosted, files written, or agent configurations checked, Mythic now restarts a C2 profile's server in case there were updates
- Added a fix for C2Profile Parameter Type of File
- Added support for PushC2OneToMany via gRPC
- Added in a check to support an agent's message_format field for `xml` or `json`
- Updated SOCKS to also send any read data even during a read error
- Updated the logging library to just be zerolog and not zerolog/logr which was messing with logging levels
- Removed a section of socks/rpfwd code that resulted in double closure messages getting sent to the agent
- Updated a section of socks to do multiple reads with smaller buffers
- Fixed an issue where rpfwd connections with the same local port wouldn't get tracked on the proxies page as new connections
- Added `xml` tags to agent messages for planned native support of `xml` in addition to `json` message formats
- Fixed an issue where port usage wasn't getting tracked for new ports
- Added `OperatorUsername` and `OperationName` to Callback data sent to tasks
- Updated SOCKS/rpfwd traffic to not double send close connection messages to the agent
- Added "AgentType" field to "PayloadType" database table
- Updated SOCKS initial connection to accept more bytes in case client supports many auth mechanisms
- Updated the processing of agent `responses` fields to return a 200 response with empty data if there's an error processing data
- Fixed a bug where files registered would get a comment with a taskID instead of a task's display id, leading to confusing task numbers
- Added support for exporting and importing c2 profile instances (green save icon next to a c2 profile then export/import)
- Added another check for parsing paths for when a parent_path for the file browser is reported as "path\path"
- Updated the response to a `download` message from an agent to include the `chunk_num` the agent sent in the response
- Added `secrets` and `preferences` as fields for the `operator` table
- Added migration to add these two fields
- User secrets are now available in:
- payload builds
- new callback functions
- opsec pre
- create tasking
- opsec post
- completion handlers
- dynamic query functions
- The secrets field allows your agent functions to interact with services on behalf of the tasking operator without storing auth tokens on disk
- Updated the callback import feature to also support commands and allow duplicate payloads UUIDs (not duplicate callback UUIDs though)
- Updated SOCKS handling to hopefully prevent a few more cases of deadlocking
- Updated SOCKS/RPFWD/Interactive Tasking to track bytes sent/received through the agent
- Data is streamed to the SOCKS search page
- Data is aggregated on the main dashboard
- UI Fixes
- mythic-cli updates
- Updated file-based routes to also log file_id
- Adjusted the SOCKS handling functions to use non-blocking sends when dealing with channels to help prevent deadlock
- Adjusted the SOCKS channels to have increased capacity
- Added ability to export a callback (via callback dropdown) and import callback (via speeddial on top right of callbacks page)
- Added a new environment variable, `global_server_name`, that gets passed down to webhook and logging containers
- Added new `mythic-cli config help` subcommand to get helpful descriptions of all environment variables in the .env file
- Updated logging to track user_id, username, and source of requests
- Updated internal MITRE ATT&CK to the latest as of 2024-02-06
- Added new file view endpoint to not return files as attachments but just as content to render in the browser easier
- Added more checks for processing completion functions
- Added ability to query and set global settings such as the agent debug message setting from the UI
- Fixed typo
- Updated go modules
- Removed the FileRegister MythicRPC Command
- Updated the FileCreate MythicRPC Command to take in TaskID, PayloadUUID, or AgentCallbackID depending on what the context has available
- Added a `size` field for FileMeta to track the final size of files uploaded, downloaded, or screenshots
- Added a `bytes_received` and a `bytes_sent` field for CallbackPorts to eventually track how much data goes through Mythic
- Updated the data passed in for DynamicFunctionQueries to have PayloadOS, PayloadUUID, CallbackDisplayID, and AgentCallbackID too
- should help making more informed decisions for which files or dynamic data to present to the user
- Updated the C2 File host webhook to automatically stop and restart a C2 Profile after hosting a file
- Added a new MythicRPC* for getting graph edges associated with a callback
- Added a new MythicRPC* for creating a new task based on AgentCallbackUUID
- associated Operator for this will be the operator associated with the Callback (i.e. the one that made the payload)
- Added new function for a Payload Type for `on_new_callback` / `onNewCallbackFunction` so that you can take actions based on new callbacks
- Fixed bug with attempts to send `alerts` in `checkin` message not properly tracking them for the new callback
- Support for container version 1.2.0
- Added a check for file transfers when getting null data
- Added a fix for spawning a new callback off a payload through the UI
- Fixed an issue with interactive tasking not working if there wasn't also a port open
- Updated the Dockerfile for Mythic_CLI and mythic-docker for go v1.21 GOPROXY usage changes that broke builds
- Adding missing hasura files that didn't get exported and added for updating operator status on the settings page
- Updated to allow SOCKS/rpfwd message format to specify a `port` (uint32) as part of their messages with Mythic
- This allows multiple instances of rpfwd per callback with proper tracking for which port to go to
- The `port` sent in the messages is the local port the agent binds to for rpfwd
- Updated the rpfwd remote connectivity test to happen in a goroutine and not block registration
- Fixed a bug in the staging_rsa refactor for provided RSA public keys
- Updated some golang packages in mythic_server
- Pulled some PRs for refactoring and beginning of adding unit tests
- Added a new controlled endpoint for managing operator admin, active, and deleted status
- Added new database migration for postgres function to convert callback groups into strings for easier searching
- Fixed bugs in mythic rpc functions for CallbackCreate, CallbackDecryptBytes, CallbackUpdate, and FileCreate
- Adjusted channel size to help with TOCTTOU issue
- Fixed a TOCTTOU bug with the total number of file chunks received when there are parallelized requests to Mythic
- Updated file/process browsers to store/merge information based on host + callback id
- Updated callbacks to have `mythictree_groups` attribute to specify which groups data should be displayed with in the UI
- Added new migrations for the above updates
- Adjusted the file writes during `download` commands to flush to disk after each chunk
- Fixed a non-idempotent sql migration
- Updated file transfers to Mythic to allow parallel messages from the agent
- Uses golang channels to ensure ordered file writes and f.Seek to get to the right spot in the file
- Updated agent messages to allow %encoding and safe base64 encoding for query parameters
- Updated rpfwd and SOCKS messages to aggregate through a single channel to ensure message order
- Fixed an issue with locks when checking for containers online or not
- Fixed a bug in interactive tasking ports that wouldn't pick up messages for multiple interactive tasks port in a single callback
- Fixed a bad channel close and double close scenario with interactive ports
- Updated the C2 Profile redirector RPC call to add `#` in front of all non-redirector messages to help with apache mod_rewrite configs
- Added new build step option for skipped steps (useful if you have conditional builds)
- Added new "Split Tasking view" as a callback dropdown option for viewing tasking
- Updated Graphing library (react-flow)
- Updated UI to React18
- Can now sort by last checkin time on active callbacks page
- New "PushC2" style available for egress C2 Profiles
- Updated with Websocket C2 profile
- Uses gRPC connections between C2 Docker container and Mythic
- New `TypedArray` parameter type available for commands, build parameters, and c2 profile parameters
- Useful for generic BoF/COFF style tasking where you need data and a type associated with it
- Data passed down as an array of tuples: `[ [type, value], [type, value] ]`
- PayloadType Commands need to supply a TypedArray Parsing Function to handle freeform input for typed array values
- ex: `my_bof -bof_args int:5 char*:testing wstring:"this is my string"` into proper array of arrays
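The TypedArray entry above leaves the parsing function to each PayloadType. The block below is an added example, not Mythic's code, of such a parser: it turns the freeform `-bof_args int:5 char*:testing wstring:"this is my string"` form into the `[[type, value], ...]` array the entry describes, honours shell-style quoting for values with spaces, and rejects unknown types and non-numeric integers at tasking time so malformed input never reaches the agent. The set of accepted type names and the per-type validation are constructed for this example; the real parse function signature and the types a given BOF loader understands are up to the PayloadType.

```python
import shlex

# Added example (not Mythic's own code): a TypedArray parsing function that
# turns the freeform CLI form `int:5 char*:testing wstring:"this is my string"`
# into the array-of-arrays form [[type, value], ...] the changelog describes.
# The accepted type names and per-type validation are constructed for this
# example; the real PayloadType decides which types its BOF loader understands.

ALLOWED_TYPES = {"int", "short", "char*", "wstring", "bin"}  # constructed list


def parse_typed_array(freeform: str, allowed_types=ALLOWED_TYPES) -> list:
    """Parse `type:value` tokens, honouring shell-style quoting for values that
    contain spaces. Unknown types and non-numeric int/short values are rejected
    so bad input fails at tasking time rather than inside the agent."""
    pairs = []
    for token in shlex.split(freeform):
        # Split on the first ':' only, so a value such as 'a:b' keeps its colon.
        type_name, sep, value = token.partition(":")
        if not sep:
            raise ValueError(f"missing type prefix in {token!r}, expected type:value")
        if type_name not in allowed_types:
            raise ValueError(f"unknown type {type_name!r}")
        if type_name in ("int", "short"):
            int(value, 0)  # raises ValueError on non-numeric input (0x.. allowed)
        pairs.append([type_name, value])
    return pairs
```

Values are kept as strings in the output, matching the `[type, value]` shape the UI passes down; converting them to native sizes for the BOF argument buffer is the agent side's job.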
- New "Host File Through C2" option available for all payloads and files via globe icon
- Up to the C2 profile to support the RPC call from Mythic and make the file available though
- Updated with `http` and `websocket` C2 profiles
- Shift+Tab will cycle backwards through options on the tasking CLI
- Event feed format changed and is now also searchable
- "alerts" keyword in responses from agents now allows setting a source, level (info, warning, debug)
- New `send_webhook` boolean field to indicate sending a custom webhook notification (even if the level isn't warning)
- New `webhook_alert` dictionary field for custom data to your webhook that's not displayed to the user in the event log alert
- The alert's string field is what's displayed to the user in the event log
- Mythic-cli updated to allow options for setting the main UI to listen on IPv4, IPv6, or both
- Agents can now more easily support multiple C2 profiles and have it reflected in the UI
- Still only one instance of each c2 profile, but that will change in future releases
- Updated callback's "update_info" and "checkin" actions so that callbacks can update their own metadata
- New "Interactive" tasking type available to allow follow-on input in a PTY format
- Browser view has limitations compared to a full PTY/TTY since it's still in your browser (supports ANSI colors)
- Control sequences other than ANSI color sequences are ignored in the browser
- Use the new supported_ui_feature `SupportedUIFeatures: []string{"task_response:interactive"},` to enable this for your task in the UI
- With MythicRPC you can open an "interactive" port with your task which you can connect to with a terminal for full PTY support
- NOTE ALL output is still captured and stored in Mythic and viewable in the UI for the task, so be careful about long-running jobs that dump out a lot of data
- Inputs from the Web UI will appear as "tasks" that you can search. Inputs via the opened port will not appear as tasks.
- Your issued tasks will auto-expand, so it should reduce a click for tasks that finish immediately (help, clear, script_only)
- File Search page updated to have `Bin` and `Strings` views available without needing to expand the dropdown
- Updated `github.com/MythicMeta/MythicContainer` golang package and `mythic_container` PyPi packages
- New database migrations so that you don't have to blow away the database between updates
- Updated user login notification to be debug level (no UI popup)
- Allow dynamic port binding with MythicRPCProxyStart
- specify a LocalPort of 0 for Socks/Interactive ports and the next lowest available port will be used and returned
- Allow dynamic port closing with MythicRPCProxyStop
- specify a LocalPort of 0 for Socks/Interactive ports and Mythic will look up the port based on taskID and port type
- Updated ProxyPorts to track "deleted" status so that they're never actually deleted and can be restarted if needed
- Allows for a better tracking of which callbacks had/have which ports open
- Fixed an issue with the task searching MythicRPC call
- Fixed an issue with redirects for the UI with custom ports
- Fixed sql query error for linked messages
- Updated mythic_server and mythic-cli build processes to incorporate GOPROXY and GO111MODULE build/env settings
- Updated the bulk download zip option to save filenames as HOST_filename_uuid.ext to help with uniqueness in names
- Fixed an issue with MythicRPCCallbackUpdate failing to find a callback based on task id
- Fixed an issue where linked callbacks were consistently creating new edges
- Fixed an issue where linked nodes 3+ deep weren't getting their tasking
- Fixed an issue where linked nodes weren't getting their token values
- Adjusted the agent message processing to account for agent messages less than 36 bytes long
- Adjusted the rabbitmq piece to force close channels on error
- Added some missing return statements for file uploads on error cases
- Fixed the following RPC functions: agent storage search, artifact search, process search
- Fixed how Mythic leveraged rabbitMQ channels to reduce the channel churn rate and increase throughput dramatically
- Updated Mythic's tasking to support mass-tasking natively without requiring all tasks to happen in sequence
- Fixed an issue with a high volume of new callbacks causing issues with Postgres connections
- Fixed an issue with a high volume of new callbacks resulting in duplicated callback identifiers
- Updated the sqlx connection information to limit the number of concurrent postgres connections
- Updated file browser data to track if a folder `has_children` or not so that it's easier to track in the UI
- Updated file download to not un-set `is_screenshot` tag based on default values from agents
- Updated the translation container code to only ask the translation container to generate encryption keys if the translation container is doing the encryption (instead of always asking)
- Added `file_name` field to Downloads so that you can report back a filename without necessarily returning a full_remote_path. This is particularly useful for screenshots or downloading things in memory.
- Updated the RPC File Create function to set the host field
- Updated check for marking a callback token as deleted to first fetch the proper token_id
- Updated check for container status to use rabbitmq REST api to port 15672 instead of passively declaring queues
- Updated rabbitmq image to rabbitmq:3-management-alpine to support the above bullet
- Updated the payload builder message to also include a wrapped_payload_uuid field
- Updated the rpfwd logic to not bail out if it can't reach the specified remote ip:port when starting
- Updated the logic for tracking up/down containers to only notify after successful database update
- Updated grpc translation container code to have a larger (maxInt) send/recv limit
- Added a line to reflect back keys from the agent at the "action" level
- MythicRPC calls for creating task and subtask now report back a tasking location of `mythic_rpc` instead of `command_line`
- Update file delete webhook to not error out if the file to be deleted has already been deleted
- Fixed a bug where *nix filepaths might be leading // causing file browser issues
- Fixed bug where deleted files that come back weren't getting marked as not deleted
- Fixed an issue in the UI with timestamps not converting properly between UTC and local time
- Fixed a bug where agents reporting back file browser paths with UNC formats wouldn't get properly ingested
- Fixed a bug where the `get_delegate_tasks` key wasn't getting passed to the delegate message check
- Fixed a bug where rpfwd messages weren't getting checked for delegate messages
- Removed ability to check number of consumers for logging/webhooks since it caused the messages to roundrobin instead
- Updated the UI to handle boolean parameters with `-paramName` as `true` on the CLI
- Updated the UI to show number of listeners for consuming services as well as green/orange counts
- Updated Mythic to emit a new `new_response` log type for user_output
- Updated the checks for existing containers to re-use rabbitmq channels if possible
- Updated the health check for rabbitmq to just check for ports listening since no alarms are configured
- Fixed an issue when reporting back deleted files that Windows paths with `\\` need to be escaped again, `\\\\`
- Updated task logging to emit when first created and also when task completes
- Added new `alerts` key for `post_response` messages to send alerts to the operation event log
- Added new `alerts` key for top level messages to send alerts to the operation event log
- Additional error checking for trying to close SOCKS ports
- Updated some rabbitmq RPC functionality to not return error on timeouts
- Added a check when getting a new callback to see if the payload is deleted, if so then no new callback is created and an alert is thrown to the operator
- Reduced the popup display for some toast notifications when generating tasks
- Attempt to locate and mitigate potential RPC timeout errors
- Updated MythicRPCFileUpdateMessage to allow setting DeleteAfterFetch
- Updated UI to support GenerateIOCs and GenerateSampleMessage for C2 containers
- Updated UI to have icons next to options on the Payloads page so it's easier to find what you're looking for
- Updated UI to not base64 encode browser scripts
- Updated mythic_graphql with new GraphQL endpoint and permissions for c2GetIOC and c2SampleMessage functions
- Fixed an issue with additional information incorrectly mapped to map[string]string instead of map[string]interface{}
- Updated message about outdated `upload` key for file transfers to be an informational debug message rather than a warning
- Updated Jupyter with mythic==0.1.2
- Updated the task status values to be more representative of what's going on
- Updated go.mod values
- Fixed an issue with the default value for a dictionary not getting populated correctly due to missing struct tags
- Fixed a few things in the UI with linking
- Fixed process browser in the UI not reporting process_id when tasking kill/inject
- Fixed an issue where linked p2p agents would get egress connections in the UI
- fixed an issue with creating saved c2 instances that wouldn't supply default values for non-supplied parameters
- updated the scripting version for the Jupyter Container
- added two new examples in the Jupyter container for c2 profiles
- fixed an issue with missing operation_id for c2 profile instances for payloads
- Reduced the number of toast notifications when syncing or hitting errors with translation containers
- Changed from ParseBytes to FromBytes when attempting to parse a 16 byte UUID instead of a 36 byte string UUID
- Fixed how timeouts work for translation services so that they don't hang internally on channels
- Updated the webhook for creating custom operation event messages to generate sources if none supplied
- Updated to allow users without an operation set to create an operation and create new users
- Fixed an issue when updating operations outside your operation causing an exception
- Two .svg icons for UI dev were ignored via .gitignore, so added them manually back to the repo
- Updated to actual release instead of release candidates for v3.0.0
- Modified MythicRPCProxyStart to support rportfwd
- Updated Dockerfile build to use smaller base images and use multi-stage builds to reduce final size
- Docker images updated:
- itsafeaturemythic/mythic_base_go <-- go1.20 with garble and gRPC
- itsafeaturemythic/mythic_base_python <-- python 3.11 with the latest mythic_container PyPi package installed
- itsafeaturemythic/mythic_go_dotnet <-- mythic_go_base + .NET Core 7.0 SDK, nuget, and the Mono compiler
- itsafeaturemythic/mythic_python_dotnet <-- mythic_python_base + .NET Core 7.0 SDK, nuget, and the Mono compiler
- itsafeaturemythic/mythic_go_macos <-- mythic_go_base + macOS 12.1 SDK
- itsafeaturemythic/mythic_python_macos <-- mythic_python_base + macOS 12.1 SDK
- All docker images now have a rolling `:latest` tag that can be used
- All docker images (and mythic-cli builds) now work for ARM as well as x86_64
- Fixed an issue with additional attributes not getting captured for commands
- Added `File` as a valid build parameter type
- like files for tasking, this is passed to the `build` function as a file UUID
- ContainerVersion v1.0.2 has the builder side of this addition
- Docker images updated:
- itsafeaturemythic/mythic_base <-- go1.20 and python 3.11 with the latest mythic_container PyPi package installed
- itsafeaturemythic/mythic_dotnet <-- mythic_base + .NET Core 7.0 SDK, nuget, and the Mono compiler
- itsafeaturemythic/mythic_macos <-- mythic_base + macOS 12.1 SDK
- All docker images now have a rolling `:latest` tag that can be used
- All docker images (and mythic-cli builds) now work for ARM as well as x86_64
- Updated `mythic-cli` with `update`, `save`, and `load` commands
- `update` command simply checks Mythic version, mythic-cli version, and mythic UI version locally against either the main branch or the branch specified with `-b`
- `save` command exports specified docker images to disk for use with the `load` command
- `load` command loads exported docker images into local docker engine (helpful for offline environments)
- Updated UI to allow `ctrl+F` within more output boxes
- Updated Docker images
- Updated `mythic` PyPi package in `jupyter` container to `mythic==0.1.0rc9`
- Updated agent post_response process dictionary to support `update_deleted` key to mark processes as deleted
- Updated agent post_response process dictionary to support `os` key to mark processes as `windows`, `macOS`, or `linux`
- Updated UI to add new "View Just This Process Tree" option in Info dropdown for process tree view
- Fixed bug with callback graph view's link commands
- Fixed bug with re-added edges in graph view
- Fixed an issue with marking payloads as deleted when linking agents
- Updated the UI for tasking dropdown boxes are full width
- Updated reporting function to generate JSON output in addition to XML
- fixed the UI to version 0.1.0 with an update to include the additional webhook types of alert/custom
- adjusted the test webhook function to handle testing the new alert/custom webhook types
- Fixed an issue where SendMythicRPCFileCreate wasn't setting the is_screenshot or is_download_from_agent fields
- Moved docker templates back out of this repository and to the MythicMeta/Mythic_Docker_Templates repository
- Fixed a bug in file uploads that was causing the sha1 and md5 of payloads to not be recorded
- Updated the payload build and build response to allow for updating the filename as part of the build process
- Added another check in RSA EKE for PKIX format
- Added two new kinds of webhooks - one for alerts in the operation event log and one for custom webhook data
- Added examples of new webhooks in Jupyter notebook
- Updated MythicCLI to allow setting default operation webhook url and webhook channel in addition to operation name from .env file
- Updated MythicCLI to support `-b` and `--branch` flags when installing from GitHub
- Updated some json tags on structs to omit unnecessary nested structure parsing with empty values
- Fixed the error message for bad messages to Mythic and added more error logging to the UI
- Added event log notification if a connection is refused due to the IP allow list in the Mythic/.env file
- For file browsing, if an OS type cannot be inferred based on host, path, and parent path, OS is assumed as Windows
- Fixed an issue with the UI sending the wrong host name for file listings
- Fixed an issue with uploaded files treated like folders in the file browser
- Fixed an issue with files marked as "delete after fetch" weren't getting deleted
- Fixed some issues with the UI referring to old element IDs instead of display IDs
- Fixed some issues with MythicRPC Credential and File Searches
- Fixed an issue with RabbitMQ Channels not getting closed after use, resulting in an ID exhaustion
- Added new configuration variable for `mythic_react_debug`
- Added MythicReactUI code to this repository for easier control and development for the community.
- New image and container are only used when `mythic_react_debug` is set to `true`, otherwise normal nginx container serving static files is used.
- Updated scripting package for Jupyter to mythic==0.1.0rc3
- Updated MythicUI tags to treat http* json fields as clickable links
- Updated mythic-cli to include a version command
- Updated the agent message Get handler to look at first query parameter, first cookie value, and then message body
- Updated mythic-cli to include a check for the docker version >= 20.10.22
- Added more to the report generation for the XML side
- Fixed an issue with bad hasura role for non-admins
- Added caching for container information for checking if containers are online
- Updated file tracking for newly created downloads to populate the file browser as well
- Dynamically update file's chunk_size if none is set by the agent to the size of the first chunk
- Updated the xml reporting a bit further (not done yet)
- Updated processing of agent messages to have a separate case for base64 url encoded messages
- Updated a few issues in the UI
- Fixed many bugs in mythic_rpc_* functionality that was slightly broken with SQL queries
- Prevented agents from auto-triggering their completion functions multiple times
- Added a flag to not show webhook/logger rabbitmq errors on send
- Updated the payload search rpc functionality to also return the build_phase
- Fixed some UI bugs for various command parameter types
- Fixed a bug where an operation's channel wasn't sent down as part of webhook messages, only the url
- updated how socks messaging works internally to mythic (more go channels instead of mutex locks)
- fixed an issue in the UI where bulk callback hides wasn't working
- fixed an issue with socks stop getting caught in deadlocks
- fixed a few pieces of the UI for credentials and callbacks searching
- updated the graphql action for creating credentials so they get emitted to logging as well
- updated nginx reverse proxy to handle ip allow lists as well (so jupyter/docs/graphql all get protection too)
- added cpu limits for a few other services
- Updated the way that callback updates happen so that it's easier with
- fixed an issue with token not getting added for get_tasking requests like in Mythic 2.3.*
- fixed an issue with tokens selected from the UI not making their way through to the payload containers
- fixed an issue with token adding/removing with bad SQL syntax
- updated components for adding/removing/updating operations and operator memberships with new hasura action
- updated some tagging on database structure to make mapstructure decoding better
- updated the mythic rpc callback search functionality to require a callback uuid instead of the callback id since the int id isn't available to translation containers
- Added new graphql endpoints for adding mitre attack to tasks and updating operations
- fixed an issue where the `staging_translation` capability for a translation container was missing
- fixed an issue with tasking creation leveraging files not tied to tasks when searched
- updated the database schema to support cascading drops (requires dropping database and creating a new one)
- updated how display_ids are calculated for tasks and callbacks (there was an issue with duplicates once you start deleting tasks/callbacks)
- updated the ui and server to create new tasks/callbacks based on display_id rather than id
- a new endpoint for deleting callbacks and tasks via scripting
- fixed an issue where hasura updated permissions weren't captured to disk
- Updated mythic-cli with mythic_postgres to offer a different postgres.conf file based on if postgres_debug is true
- fixed an issue when loading multiple commands via RPC that it would stop after the first successful one
- fixed some issues with P2P connections and auto-adding routes
- fixed an issue with 16 byte uuid not getting reflected back for agent response (defaulted to always 36 char string)
- fixed an issue with RSA-based EKE where golang libraries require a slightly different format than before. Added code to auto-detect and fix
- fixed an issue where status wouldn't get updated to submitted
- fixed an issue with SOCKS reusing the same ports causing errors
- fixed an issue with mythic-cli stopping all containers instead of just the specified ones
- added a function to mythic-cli to remove intermediate images
- fixed an issue with errors getting overwritten from create_tasking and going to the agent
- fixed an issue with script_only commands always reporting success and going to the agent
- fixed an issue with the outer UUIDs for checkins appearing wrong thanks to BloodHound user Josh Feehs
- fixed a few issues with process_response and completion function messages
- refactored where the automatically updated build steps happened on errors
- fixed an issue where selecting "none" for crypto would result in "" as the type instead of "none"
- fixed issue in command addition that wasn't using $1, $2 for parameterization on database Get request
- fixed issue where mapstructure tag was missing from struct
- updated the token/callback section to remove an instance of TokenID (should be token_id)
- updated the token/callback section to process tokens then callback tokens if both are provided simultaneously
- fixed a few bugs in the UI
- fixed a bug where "none" encryption was reporting back as a string instead of a dictionary
- Allowed wrapper payload types to wrap additional wrapper payload types so that you can nest more payload types
- Updated P2P communications spec to return `mythic_uuid` and `new_uuid` (same value). Eventually `mythic_uuid` will be removed entirely to help reduce the number of mandatory `mythic` strings in agents.