ApFell rebranded to Mythic

ismail kaleem
3 min read · Sep 17, 2020


Mythic C2 Framework — A review by a purple team engineer

It took me almost a day to understand and set up the cloud auto-configuration for the framework. I personally think this is going to be a pretty decent project in the long run, as the scope is huge. It didn’t turn out as good as I expected during my testing, but it looks very promising for the future.

Allow me to explain how it’s really structured.

Each agent runs as its own container, and there are 4 C2 listener containers as well.

Basically, there are 4 agent types we can choose from:

  1. Poseidon — This one works for Linux and macOS. This agent supports some nasty features, such as websockets and an in-agent SOCKS5 proxy. If you are not running listeners for it, then you can stop this Docker container.
  2. Leviathan — This one is a little nasty, as it hides in the Chrome browser as an extension. It can capture screenshots, steal cookies, view open tabs, inject JavaScript into tabs and dynamically load new commands.
  3. Atlas — A lightweight .NET agent written in C# for Windows. I found this a bit sluggish in my experience and not very stable. I tested it both over HTTPS using domain fronting and without HTTPS, and it was unusually slow, or maybe I picked a wrong location with high latency. But either way, it was slow.
  4. ApFell — A JavaScript for Automation (JXA) agent for macOS.

If you are looking for a C2 platform for multiple environments, then try it out. I think the documentation for Atlas and its functionality need to be improved, as I couldn’t figure out the download command with the current documentation either.

Architecture of Mythic

This is what the architecture looks like. So basically you can stop any C2 container if it’s not required.

The C2 profile consists of 4 C2 listener containers:

  • HTTP/s C2 — supports ApFell, Atlas and Poseidon
  • dynamicHTTP/s C2 — supports only the ApFell payload
  • Leviathan-websocket — supports only the Leviathan payload
  • websocket — supports only the Poseidon payload

Review #1 — ATT&CK MAPPING

I found this quite interesting: the features available are mapped to ATT&CK.

Review #2 — Collaboration (Team Work)

The framework is built nicely, allowing a group of people to work together with a shared history of commands and tasks so they don’t end up doing the same tasks.

Review #3 — SOCKS5 In-Agent Proxy Support

Most C2s don’t have this feature yet, and it’s a must-have when red teaming.

Review #4 — MacOS Support

Most C2s only support a specific OS, but this framework works for all platforms and especially has more options and support for macOS.

Review #5 — Sneaky Browser Extension

This is a clever way to hide in the browser and bypass two-factor authentication by grabbing the cookies and using the SOCKS5 proxy support.
