Malware Devil

Monday, November 9, 2020

Sharing the Myth

A few months ago, I announced the rebranding of the Apfell framework to Mythic, but the announcements don’t stop there. Over the next few months there will be a series of blogs talking about some of the cool features or agents of Mythic. One of Mythic’s coolest features is the ability to dynamically plug and play new Payload Types or C2 Profiles due to the Docker-ization of every component. The general Mythic services are shown in the traffic flow diagram below:

Mythic tries to be merely a framework in which the operator and developer have complete control over virtually every aspect of their agents. To that end, there should be an easy way for developers to host and manage new Payload Types and C2 Profiles on their own repositories, but still have them hook into Mythic. This has the added benefit of giving payload/C2 developers complete control over the update frequency of their projects without relying on pull requests from the main Mythic repository.

Mythic External Agents

In order to facilitate this process, I released a template repository called Mythic_External_Agent (https://github.com/its-a-feature/Mythic_External_Agent). This repository provides container folders for a Payload Type, C2 Profiles, Agent icons, and corresponding documentation folders.

To leverage this project, simply fork the Mythic_External_Agent repository (or recreate the folder and file structure in your own repository).

The config.json file allows you to customize which components you want to import into your Mythic instance. You might be wondering why you wouldn’t want to just import everything or how things would even work if you didn’t. That’s due to another one of Mythic’s features — your Payload Type and C2 Profile “container” can be Docker, a VM, or any other host.

The Mythic documentation website has instructions on how to turn a VM or a physical host into a Mythic-compatible “container”. This is useful for situations where your agent has very strict requirements for tasking or payload creation that are too much of a hassle (or impossible) to do within Docker. A few examples where this comes to mind:

  • The language or desired output format doesn’t work within Docker
  • Setting up the proper toolchains/environments/SDKs to compile for a specific OS (such as macOS or a particular Linux distribution) is impossible or extremely difficult within a Linux Docker container
  • The compilation requires extra steps with sensitive components that need to be contained to one system (such as developer certs for code signing)
  • You want to free up system resources for compilation or intensive tasks

Installing an External Agent

Mythic includes a special installer script you can run to remotely fetch and install agents. Simply point it at your repository via ./install_agent_from_github.sh https://github.com/path/to/repo and Mythic will clone it into a temporary directory called temp, parse the config.json to see which folders to copy out to the right locations, then remove the temp folder. At this point, you can do one of two things to get everything up and running:

  • Restart Mythic with sudo ./start_mythic.sh and all of the new Payload Types and C2 Profiles will automatically be pulled in
  • Manually start each Payload Type via sudo ./start_payload_types.sh Agentname and each C2 Profile via sudo ./start_c2_profiles.sh C2Name.
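To make the config.json selection described earlier and the clone/parse/copy/clean-up flow of the installer concrete, here is an added POSIX shell example. It is not Mythic's own install_agent_from_github.sh and does not reproduce its internals; the repository folder names (Payload_Type, C2_Profiles, documentation-payload, documentation-c2, agent_icons), the destination paths under the Mythic root, and the exclude_* keys in config.json are all assumptions made for this example. The only behaviour added beyond what the post describes is a refusal to overwrite an existing Payload Type or C2 Profile directory, so a re-install cannot silently clobber local modifications.

```shell
#!/bin/sh
# Added example: a minimal stand-in for the installer flow described above.
# NOT Mythic's install_agent_from_github.sh. Folder names, destination paths
# and config.json keys are assumptions for this example.
set -eu

# Fetch the agent repository into a scratch directory. A local path is copied
# (used by the constructed demo below); a URL is cloned (git assumed present).
fetch_agent_repo() {            # $1 = repo URL or local path, $2 = scratch dir
  if [ -d "$1" ]; then
    cp -R "$1/." "$2"
  else
    git clone --depth 1 "$1" "$2"
  fi
}

# Read a true/false flag from a flat config.json without jq. A missing key
# counts as "false" (nothing excluded), i.e. import everything by default.
cfg_flag() {                    # $1 = config.json path, $2 = key name
  line=$(grep -E "\"$2\"[[:space:]]*:" "$1" | head -n 1 || true)
  case "$line" in
    *true*) echo true ;;
    *)      echo false ;;
  esac
}

# Copy one component folder unless its exclude flag is set or it is absent.
# Refuses to overwrite an existing destination (added safety, not in the post).
install_component() {           # $1 = src dir, $2 = dest parent, $3 = exclude flag
  if [ "$3" = "true" ]; then echo "skip  $1 (excluded by config.json)"; return 0; fi
  if [ ! -d "$1" ];     then echo "skip  $1 (not present in repo)";     return 0; fi
  mkdir -p "$2"
  for entry in "$1"/*; do
    [ -e "$entry" ] || continue          # empty folder: the glob did not expand
    name=$(basename "$entry")
    if [ -e "$2/$name" ]; then
      echo "error: $2/$name already exists; remove it first" >&2
      return 1
    fi
    cp -R "$entry" "$2/$name"
    echo "copy  $name -> $2/"
  done
}

# The whole flow: fetch into temp, consult config.json, copy, remove temp.
# "src:dest:config key" triples are assumed layouts, not Mythic's real paths.
install_external_agent() {      # $1 = repo URL or path, $2 = Mythic root
  tmp=$(mktemp -d)
  fetch_agent_repo "$1" "$tmp"
  cfg="$tmp/config.json"
  if [ ! -f "$cfg" ]; then
    echo "error: no config.json in repository" >&2; rm -rf "$tmp"; return 1
  fi
  status=0
  for spec in \
      "Payload_Type:Payload_Types:exclude_payload_type" \
      "C2_Profiles:C2_Profiles:exclude_c2_profiles" \
      "documentation-payload:documentation/agents:exclude_documentation_payload" \
      "documentation-c2:documentation/c2:exclude_documentation_c2" \
      "agent_icons:agent_icons:exclude_agent_icons"; do
    src=${spec%%:*}; rest=${spec#*:}; dest=${rest%%:*}; key=${rest#*:}
    install_component "$tmp/$src" "$2/$dest" "$(cfg_flag "$cfg" "$key")" \
      || { status=1; break; }
  done
  rm -rf "$tmp"                 # the temp clone never outlives the install
  return $status
}

# Build a constructed example repository (placeholder content, not a real agent).
make_example_repo() {           # $1 = directory to populate
  mkdir -p "$1/Payload_Type/exampleagent" "$1/C2_Profiles/examplec2" \
           "$1/documentation-payload/exampleagent" "$1/agent_icons"
  echo "placeholder agent code" > "$1/Payload_Type/exampleagent/README.md"
  echo "placeholder c2 code"    > "$1/C2_Profiles/examplec2/README.md"
  echo "placeholder docs"       > "$1/documentation-payload/exampleagent/_index.md"
  cat > "$1/config.json" <<'EOF'
{
  "exclude_payload_type": false,
  "exclude_c2_profiles": true,
  "exclude_documentation_payload": false,
  "exclude_documentation_c2": false,
  "exclude_agent_icons": false
}
EOF
}

# Run the flow end to end against a throwaway Mythic root and print that root.
demo_install() {
  repo=$(mktemp -d); root=$(mktemp -d)
  make_example_repo "$repo"
  install_external_agent "$repo" "$root" >/dev/null
  rm -rf "$repo"
  echo "$root"
}
```

Running demo_install prints a scratch directory containing Payload_Types/exampleagent and documentation/agents/exampleagent, while C2_Profiles stays empty because the constructed config.json sets exclude_c2_profiles to true; documentation-c2 is reported as skipped because the example repository does not ship it. The same install_external_agent call with a real repository URL and the real Mythic root would follow the identical path, which is the point of the post: the repository, not Mythic, decides what gets imported.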

That’s it. All of the agent’s components should now be set up in your Mythic instance.

Mythic Agent Collections

With the external agent capability, developers are able to host their custom agents on any git-based repository service (GitHub, BitBucket, GitLab, etc.) under their own account. However, this can make it easy to miss agents that exist and lose track of everybody’s amazing work. To make things easier to find, there is now a MythicAgents organization on GitHub. If you have an agent you would like included in the organization, reach out on Twitter to its_a_feature_ or in the Bloodhound Slack (#mythic channel) and we can get you added. You remain in full control of your agent, but having agents in a central group benefits everybody.

The first addition to this collection is Dwight Hohnstein’s Apollo agent.

Apollo is a Windows agent written in C# using the 4.0 .NET Framework designed for SpecterOps training offerings. Be sure to check out Dwight’s upcoming, free SO-CON talk all about Apollo:

If you’re interested in making your own agent, I recommend attending the free SO-CON workshop on how to do it within 2 hours:

Everything for the Hercules agent will be hosted in the MythicAgents organization as well.


Sharing the Myth was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.

