All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Updated the comment added to files automatically tracked due to a secondary task fetching them
- Updating the onStart code to not delay and automatically fire for containers
- Updated the MythicRPCTaskSearch and MythicRPCFileSearch commands due to broken logic
- Added fields for the MythicRPCCallbackUpdate to indicate if the last_checkin time should be updated
- This requires also specifying which c2 profile the callback is using
- UpdateLastCheckinTime and UpdateLastCheckinTimeViaC2Profile
- Updated the CommandAugment container sync code to automatically add commands to existing callbacks, not just new ones
- Updated container sync messages to the "debug" level instead of "info" level
- Updated the task's creation completion handler to append new stdout output instead of overwriting
- Added a new Eventing Trigger - callback_checkin that is based on a callback's new trigger_on_checkin_after_time attribute
- Added supporting functions for new GUI Eventing creation wizard
- Added new Eventing action - alert_create
- Added new Eventing action - webhook_send
- Added new EventLog level, 'api', that's used for information about scripting/eventing API usage
- Added new API function, eventingImportContainerWorkflow, to the GraphQL API that can be used by containers to import workflows in their onStart functionality
- Added ability to update certain pieces of an Eventing workflow after it's been registered
- Added a check in file download to return error if chunk num > 0 and no chunk data present
- Added the option to tag callbacks with specific colors via the UI
- Added another database field for future use to allow triggering on delayed callback checkins
- Added another database field for future use to track specific versions of payloadtypes installed
- Updated the login / refresh process to return the current UTC timestamp
- this is used in the UI to try to prevent clock skew on callback times
- Updated MythicRPCCallbackSearch to specify a list of payload types
- Updated MythicRPCCallbackAddCommand and MythicRPCCallbackRemoveCommand to take in a list of callback ids
- Added an optional flag for payloads syncing to not retrigger the container's on_start functionality
- Fixed an issue where dynamic query functions for command augmentation commands would go to the base agent instead of the right augmentation container
- Updated the processing for agent messages to minimize memory bloat
- Updated file download process to cache filemeta information and open file descriptors to minimize disk/database access
- Updated agent response processing to cache task data for one update instead of per-response
- Updated MythicRPCResponseCreate to also touch the timestamp of the corresponding task to update the UI streaming
- Updated the command_augment injection process to use suggested_commands as well as builtin commands
- one of these two attributes needs to be set to true on the command augment's command for it to be automatically injected into new callbacks
- this is in conjunction with matching OS requirements and matching the command augment's supported payload types (if specified)
- Added more functionality to invite links
- you can now specify a specific operation and role to assign the new operator to
- you can now specify (and change) the maximum number of usages that the invite link has
- Updated mythic-cli to properly pass in the environment's mythic_server_allow_invite_links setting
- Updated the automated payload creation process to associate a task_id with the payload
- Execute a container's OnStart method after a file has been removed/edited/created via the UI
- Added new parameter to the create_go_tasking response, ReprocessAtNewCommandPayloadType
- this allows you to set the response.CommandName to some other command and response.ReprocessAtNewCommandPayloadType to the same or different payload type
- execution will then pass to that payload type's create_go_tasking for the new CommandName
- This allows execution chains to happen for processing
- Added two more parameters to the MythicRPCCallbackAddCommand and MythicRPCCallbackRemoveCommand functions
- AgentCallbackID - allows you to add to callback based on AgentCallbackID (UUID) instead of by TaskID
- PayloadType - allows you to specify the payload type associated with the commands if it differs from the payload type of the callback itself
- This is helpful for command augment containers that want to register additional augment commands
- Using the UI to add/remove/update files in a container will re-trigger the container's onStart function
- This allows containers to reprocess data as needed if it changes on disk
- Updated how file hosting works for C2 profiles
- When syncing to Mythic, C2 profiles get updated file hosting based on existing FileHosted tags in Mythic
- When stopping file hosting, Mythic ensures that the C2 profile successfully processed the request before updating the corresponding Tag
- Fixed a bug with onStart messages getting the wrong value for temporary APITokens
- Increased the timeouts for gRPC messages from 1s to 10s
- Added a new field to file browser responses, `set_as_user_output` (bool), to indicate that this structured data should be turned into JSON and set as user_output data by Mythic
- This allows agents to send file browser data once, but get it counted for both the file browser and user_output
- Added endpoints to leverage/set user preferences
- Payload Search wasn't properly filtering on filename or description
- Added an update to make sure that the payload is not deleted and the build phase was a success too
- Fixed an issue where bot accounts were considered as operators for opsec checks
- Fixed an issue where some Numbers were getting saved as scientific notation floats
- Temporary update where Wrappers can identify payloads to wrap, not just payloads identifying the wrappers
- This currently is only additive
- Updated the file download process to only add to the file browser if data is not a screenshot
- Updated the `update_deleted` code for process listings to not filter on callback, but on callback groups
- this should fix a bug where processes weren't getting marked as deleted even though they should be
- Updated the file delete call to invalidate existing cached info to prevent new callbacks
- Updated file uploads to better track the same file uploads across multiple callbacks
- Updated file download message for files hosted through C2 Profiles to be more descriptive
- Added support for operation banner_text and banner_color
- Reworked C2 Profile status updates so they can be more async and C2 profiles can opt for their own restarts
- Removed unnecessary C2 Profile restarts when checking configurations and building payloads
- C2 Profile Functions can now set a field for RestartInternalServer to ask Mythic to restart it for them
- Updated payload build to go on in background instead of blocking build API call
- Updated CommandAugment commands to only autoload builtin and suggested commands to new callbacks
- Added Username/Password auth options for SOCKS ports
- Added support for UDP Associate
- Agents need to inspect the first packet for a new server_id to see if it's `\x00\x00` (UDP) or `\x05` (TCP)
- Updated the proxy stop through the UI to be more precise instead of stopping all proxies based on callback id, port, and port type
- It didn't account for variations in remote ip/port combinations
- Added some checks for port byte tracking max sizes and file max sizes to not hit postgres limits
- Added a missing struct tag for GraphEdges that was breaking the MythicRPCCallbackGraphEdgeSearch call
- Updated the callback last checkin time update process to not use background jobs, hopefully preventing deadlock in some situations
- Changed the order of initializing the database so that migrations happen before initializing operators/operations
- Added more verbose error messages on connections to include user agent and full URL + Query paths
- Requires latest `http` and `websocket` profiles to forward the necessary headers
- Added more context for GraphQL queries used by APITokens/Scripting to the event log
- Fixed a bug with exporting saved c2 profile instances that would then break imports
- Updated some of the logging for bad messages to be clearer
- Added new tag for FileHosted to indicate and track that a file was hosted through a C2 Profile
- Updated the file download process to check if there's an alert notification requested as part of FileHosting and sends the alert
- Updated MythicRPCCallbackEncrypt and MythicRPCCallbackDecrypt to support Payload/Staging UUIDs and C2Profile information
- Updated file downloads so that you can send the first chunk along with the file registration to cut down on a round trip
- along with `total_chunks` you can send `chunk_data` and `chunk_num` like normal for the first chunk
- Fixed a bug in file search that wouldn't return results if you didn't specify a limit
- Fixed the file search to better account for search limits and workflow files
- Updated the processing step output fields to allow more flexibility
- Fixed a bug where all callbacks would have their last checkin reset when restarting Mythic
- Fixed an issue where sometimes the 'success' flag for file browser objects would get reset
- Added additional checks for eventing
- Updated the delegates responses to get added without the get_delegate_tasking check
- Updated the delegate checks for socks/rpfwd/interactive messages to only send delegates if there's data
- Updated interactive tasking to set processed and processing timestamps more consistently
- Updated file download processing to allow -1 total chunks so agents with unknown chunks can start downloads
- Added a new limit_credentials_by_type option to Command Parameters to reduce noise in the UI when using CredentialJson parameter types
- fixed a bug where updating timestamp of linked agents wouldn't unhide it
- Added context to filePreview graphql queries
- Updated the last checkin time for linked agents to match that of the egress agent
- this includes matching "Streaming Now" displays
- Updated the login function to return the user's utc time preference
- Added button to show/hide deleted consuming containers
- Shortened the dial time for rpfwd connections to 5s instead of 30s
- Added option for `id` return value from create_task eventing
- Updated the logic when downloading files to also update the timestamp on the mythictree entries so that the data is streamed to the UI properly
- Updated the opsec pre and create task response handles to mirror stderr messages to task output so it's easier for operators to see what's wrong
- Many UI updates; check out UI Fixes for 2.0.8
- Many UI updates; check out UI Fixes for 2.0.6
- Fixed a Docker copy with postgres based on its-a-feature#393 when use_volume is true
- Many UI updates; check out UI Fixes for 2.0.4
- Updated eventing tasks to properly address when tasks fail and continue on with the eventing steps
- Updated the LimitByCallback field when searching for files to also account for whether a fileID was used in a task in a callback
- this helps with files that might be uploaded as part of workflows, but still loaded into callbacks
- Fixed how external_ip is fetched from containers to provide a more accurate representation
- help and clear appear in generic `help` output
- ability to hide callbacks that use the PushOneToMany
- updated Mythic's cookie to use strict same site and http only flags
- tasking input - fixed issue where double options could be presented when using tab
- tasking input - adjusted so complex types (link info, files, payloads, etc) aren't tab-completable
- This reduces some confusion when tab completing command parameters
- expand/hide subtasks in UI that have subtasks
- moved plaintext output expand icon to the left of 1 in text editor instead of in the middle
- fixed an issue where sometimes if a tab was open, clicking the keyboard for a callback wouldn't bring that tab back to focus
- fetch server version dynamically in the UI so it updates more often
- update mythic-cli allowed_ips to apply to all web/scripting routes, not just auth
- this now applies to all routes and sub-routes behind Mythic's local reverse proxy
- cache hasura information and invalidate / re-fetch after any modification to operator operation status
- each request went from 3-10ms to 700-1000 microseconds in processing time
- updated list/edit/delete/upload file features for containers to all containers instead of just C2 containers
- fixed bug where non-utf8 characters in keylog data would error on the page
- function to get graphql schema (or option from Mythic): `schema = await mythic.mythic_utilities.fetch_graphql_schema(mythic=mythic_instance)`
- This is helpful when trying to do GraphQL via Golang
- only admins can create new operators
- only admins can create new operations
- fix the UI when the width is too small causing the top appbar to take up 2 lines and cover buttons
- now width <1100px will hide some buttons along the top
- after getting logged out, should redirect to where you were via redirect= URL parameter
- updated payloadtype definition to allow specification of UUID length pre-pended to agent messages
- This can be either 16 or 36 and defaults to 36 (the length of the normal UUIDv4 string)
- This makes it possible to have 16 Byte UUIDs used for P2P comms
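As an added illustration (not Mythic's own code) of what the configurable UUID length means for whoever parses agent messages: the prefix is either 16 raw bytes or a 36-character UUIDv4 string, and the message must be at least that long before any body can exist. The assumptions here are that `raw` is the message after any transport decoding and that the configured length is passed in by the caller; the sample messages are constructed.

```python
import uuid

# Constructed sample: one UUID rendered both as 16 raw bytes and as its 36-char string.
SAMPLE_UUID_STR = "12345678-1234-5678-1234-567812345678"
SAMPLE_RAW_16 = uuid.UUID(SAMPLE_UUID_STR).bytes + b"payload"
SAMPLE_RAW_36 = SAMPLE_UUID_STR.encode("ascii") + b"payload"


def split_agent_message(raw: bytes, uuid_length: int = 36):
    """Split a decoded agent message into (uuid_string, body).

    uuid_length is the payload type's configured prefix length (16 or 36).
    Raises ValueError for an unsupported length, a message too short to
    carry the prefix, or a prefix that is not a valid UUID.
    """
    if uuid_length not in (16, 36):
        raise ValueError(f"uuid_length must be 16 or 36, got {uuid_length}")
    if len(raw) < uuid_length:
        # Messages shorter than the prefix cannot be valid; reject instead of slicing blindly.
        raise ValueError(f"message is {len(raw)} bytes, shorter than the {uuid_length}-byte uuid prefix")
    prefix, body = raw[:uuid_length], raw[uuid_length:]
    try:
        if uuid_length == 16:
            agent_uuid = uuid.UUID(bytes=prefix)          # raw 16-byte form used for P2P comms
        else:
            agent_uuid = uuid.UUID(prefix.decode("ascii"))  # normal hyphenated UUIDv4 string
    except ValueError as exc:  # UnicodeDecodeError is a ValueError subclass
        raise ValueError(f"uuid prefix is not a valid UUID: {exc}") from exc
    return str(agent_uuid), body


if __name__ == "__main__":
    print(split_agent_message(SAMPLE_RAW_16, 16))
    print(split_agent_message(SAMPLE_RAW_36, 36))
```

Both forms normalize to the same canonical string, so downstream lookups of the payload or callback do not need to know which prefix length the agent used.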
- updated wrapper builds to not send the wrapped payload bytes via rabbitmq
- HTTP request to mythic made to fetch bytes from container before passing execution off to build function
- no change needed by agent developers
- jupyter access token changed from default 'mythic' to randomized 30 char password
- only affects new installs, but you'll need to fetch this value similar to fetching the hasura secret for GraphQL access
- fixed bug where zipped and downloaded files wouldn't record the final zip size or md5/sha1 hashes
- added button on keylogs page to view all keylogs within a user/host/window combination in your current search window at once
- When sending data back for the file browser, `success` is now an optional boolean field
- C2 Profile debug output is now also sent to the container's debug output so you don't have to view it through the UI
- Two new fields in agent message for artifacts for `needs_cleanup` and `resolved`
- added `process_short_name` field to Callbacks
- this is automatically parsed based on the `process_name` returned from agents when they checkin or update their callback information
- the `process_short_name` is displayed in the Mythic UI callbacks table, but the full `process_name` is shown in the callback detailed metadata view
- this allows agents to return the full path to the binary when checking in without worrying about it bloating up the UI
- light and dark mode agent icon support
- If no dark mode icon is provided, the light mode version is used for both by default on new sync
- There's a new field on payloadtype definitions for a dark mode icon
- MythicRPC call to expose Mythic's way of parsing paths so that agents don't have to do it themselves and it can be standardized
- MythicRPCFileBrowserParsePath
- added task display_id to tasks shown when doing browser script edits so that it's easier to tell the difference
- added an "email" field on operators
- add new ChooseOneCustom parameter type (build, command, and c2) to allow users to choose from list or add new value
- add new FileMultiple parameter type (build, command, and c2) to allow users to select and upload multiple files at once
- new "Last Updated" time in proxy table so you know when data is flowing
- the amount of data transfer updates every 20s
- auto-tag files as you download/preview them so that it's easier to see what has been triaged or not by the team
- all consuming containers now are tracked in the UI specifically and have their own name and description fields that must be set
- This applies to webhooks, loggers, eventing, auth
- A new type of user, a bot account, is now available for creation
- only admins can create new operator accounts and new bot accounts
- bot accounts are not available to login
- a bot account is automatically created for every operation
- bot accounts can be used to take actions in eventing (as long as the operation lead approves it)
- admins are able to generate/view/delete apitokens for bot accounts as well
- Added new `logging.UpdateLogToFile` and `logging.UpdateLogToStdout` functions to containers
- These allow you to dynamically update logging to write to file+stdout or just stdout as needed
- `mythic_container.logging.update_log_to_file` and `mythic_container.logging.update_log_to_stdout` in Python
- Admins can generate one-time-use invite codes to invite somebody to their Mythic server without pre-creating an account
- This is disabled by default but can be enabled in .env or in global settings by admins (MYTHIC_SERVER_ALLOW_INVITE_LINKS)
- Each invite link can be used only once and un-used invite links can be deleted
- Invite links become invalid when the server restarts
- SSO Support via "auth" containers
- can redirect to SSO providers (ExampleContainers has example for ADFS) that provide IDP services
- can process non SSO custom auth as well
- each case must return an email associated with a user that's logged in
- Operators now have email addresses optionally associated with them
- these can be seen via ConsumingServices page
- All containers have an `on_start` function that gets called when the container starts up
- This function is executed once for every operation that's currently running (not deleted and not complete)
- This function gets access to a special JWT APIToken that's scoped to the bot account assigned to the operation
- This JWT is for spectator access (no changes can be made) and only lasts for 5 minutes
- The goal here is to allow some basic configuration to be performed by the container
- New PayloadType attribute `agent_type` value of `command_augment`
- CommandAugment containers expose custom tasks to other PayloadTypes and are automatically injected into callbacks
- Payload type definitions have a new `CheckIfCallbacksAliveFunction`
- This gets a list of active callbacks based on this payload type along with their id, last checkin, first checkin, and sleep_info information
- This returns back a list of all the callbacks and an indication if they should be marked as "dead" or not
- "dead" status is reflected by a red skull in the last_checkin column in the callbacks table
- the `sleep_info` data can be updated at any time as a free-form string via MythicRPC or the UI
- the `sleep_info` data is also a column you can toggle to view or not in the UI in the callbacks table
- Added `SendMythicRPCCallbackNextCheckinRange` RPC call to get basic range for next checkin options based on:
- last_checkin, jitter percentage, and sleep interval
- This is provided as a helpful way to reduce duplicated efforts in all payload types checking if `time.Now().UTC()` is within the possible range
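The range computation and the "dead" decision described above, as an added Python example that is not Mythic's code and does not call the real RPC. It assumes a `sleep:<seconds>,jitter:<percent>` layout for the free-form `sleep_info` string and a grace factor of three worst-case sleep windows before a callback is reported dead; both are assumptions chosen for the example, and the sample callbacks are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: a fixed "now" and three callbacks relative to it.
NOW = datetime(2024, 1, 1, 12, 2, 0, tzinfo=timezone.utc)
LAST_CHECKIN = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_CALLBACKS = [
    {"id": 1, "last_checkin": LAST_CHECKIN, "sleep_info": "sleep:60,jitter:20"},                      # checked in 2 min ago
    {"id": 2, "last_checkin": LAST_CHECKIN - timedelta(minutes=10), "sleep_info": "sleep:60,jitter:20"},  # 12 min ago
    {"id": 3, "last_checkin": LAST_CHECKIN - timedelta(days=1), "sleep_info": "sleep:0,jitter:0"},    # no sleep configured
]


def next_checkin_range(last_checkin: datetime, sleep_seconds: int, jitter_percent: int):
    """Return (earliest, latest) UTC datetimes in which the next checkin is expected.

    Jitter widens the interval symmetrically: sleep * (1 - j) .. sleep * (1 + j).
    """
    if sleep_seconds < 0 or not 0 <= jitter_percent <= 100:
        raise ValueError("sleep must be >= 0 and jitter must be between 0 and 100 percent")
    spread = sleep_seconds * jitter_percent / 100.0
    earliest = last_checkin + timedelta(seconds=sleep_seconds - spread)
    latest = last_checkin + timedelta(seconds=sleep_seconds + spread)
    return earliest, latest


def parse_sleep_info(sleep_info: str):
    """Parse the free-form sleep_info string; the 'sleep:<secs>,jitter:<pct>' layout is an assumption."""
    fields = dict(part.split(":", 1) for part in sleep_info.split(",") if ":" in part)
    return int(fields.get("sleep", "0")), int(fields.get("jitter", "0"))


def is_dead(last_checkin: datetime, sleep_info: str, now: datetime, grace_intervals: int = 3) -> bool:
    """A callback is 'dead' once now is later than grace_intervals worst-case windows past its last checkin.

    The grace factor is an assumption of this example; a single missed window
    is usually network noise rather than a lost agent.
    """
    sleep, jitter = parse_sleep_info(sleep_info)
    if sleep == 0:
        return False  # interactive / no sleep configured: no expected cadence to judge against
    _, latest = next_checkin_range(last_checkin, sleep, jitter)
    worst_case_gap = latest - last_checkin
    return now > last_checkin + worst_case_gap * grace_intervals


def check_if_callbacks_alive(callbacks, now: datetime):
    """Shape mirrors the description above: callbacks in, per-callback dead/alive verdicts out."""
    return [{"id": cb["id"], "dead": is_dead(cb["last_checkin"], cb["sleep_info"], now)} for cb in callbacks]


def demo():
    return check_if_callbacks_alive(SAMPLE_CALLBACKS, NOW)


if __name__ == "__main__":
    print(next_checkin_range(LAST_CHECKIN, 60, 20))
    print(demo())
```

For the 60-second sleep with 20% jitter the window is 48 to 72 seconds after the last checkin; callback 1 is inside three such windows and stays alive, callback 2 is well past them and is reported dead, and callback 3 is skipped because no sleep cadence is known.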
- New Container Type and feature: Eventing
- Eventing button at the top now added to manage eventing workflows
- New docs around eventing added
- Fixed a bug where DynamicQueryParameters weren't getting set on first sync
- Fixed a few of the SendMythicRPC* calls to fetch all the same data as normal agent processing
- Added CallbackDisplayID, PayloadType, IsInteractiveTask, and InteractiveTaskType to RPC Search results and new_task logging data
- Fixed an issue with SendMythicRPCTaskSearch
- Fixed an RPC call for generating a new payload that wasn't calling the right function
- When payloads are built, files hosted, files written, or agent configurations checked, Mythic now restarts a C2 profile's server in case there were updates
- Added a fix for C2Profile Parameter Type of File
- Added support for PushC2OneToMany via gRPC
- Added in a check to support an agent's message_format field for `xml` or `json`
- Updated SOCKS to also send any read data even during a read error
- Updated the logging library to just be zerolog and not zerolog/logr which was messing with logging levels
- Removed a section of socks/rpfwd code that resulted in double closure messages getting sent to the agent
- Updated a section of socks to do multiple reads with smaller buffers
- Fixed an issue where rpfwd connections with the same local port wouldn't get tracked on the proxies page as new connections
- Added `xml` tags to agent messages for planned native support of `xml` in addition to `json` message formats
- Fixed an issue where port usage wasn't getting tracked for new ports
- Added `OperatorUsername` and `OperationName` to Callback data sent to tasks
- Updated SOCKS/rpfwd traffic to not double send close connection messages to the agent
- Added "AgentType" field to "PayloadType" database table
- Updated SOCKS initial connection to accept more bytes in case client supports many auth mechanisms
- Updated the processing of agent `responses` fields to return a 200 response with empty data if there's an error processing data
- Fixed a bug where files registered would get a comment with a taskID instead of a task's display id, leading to confusing task numbers
- Added support for exporting and importing c2 profile instances (green save icon next to a c2 profile then export/import)
- Added another check for parsing paths for when a parent_path for the file browser is reported as "path\path"
- Updated the response to a `download` message from an agent to include the `chunk_num` the agent sent in the response
- Added `secrets` and `preferences` as fields for the `operator` table
- Added migration to add these two fields
- User secrets are now available in:
- payload builds
- new callback functions
- opsec pre
- create tasking
- opsec post
- completion handlers
- dynamic query functions
- The secrets field allows your agent functions to interact with services on behalf of the tasking operator without storing auth tokens on disk
- Updated the callback import feature to also support commands and allow duplicate payloads UUIDs (not duplicate callback UUIDs though)
- Updated SOCKS handling to hopefully prevent a few more cases of deadlocking
- Updated SOCKS/RPFWD/Interactive Tasking to track bytes sent/received through the agent
- Data is streamed to the SOCKS search page
- Data is aggregated on the main dashboard
- UI Fixes
- mythic-cli updates
- Updated file-based routes to also log file_id
- Adjusted the SOCKS handling functions to use non-blocking sends when dealing with channels to help prevent deadlock
- Adjusted the SOCKS channels to have increased capacity
- Added ability to export a callback (via callback dropdown) and import callback (via speeddial on top right of callbacks page)
- Added a new environment variable, `global_server_name`, that gets passed down to webhook and logging containers
- Added new `mythic-cli config help` subcommand to get helpful descriptions of all environment variables in .env file
- Updated logging to track user_id, username, and source of requests
- Updated internal MITRE ATT&CK to the latest as of 2024-02-06
- Added new file view endpoint to not return files as attachments but just as content to render in the browser easier
- Added more checks for processing completion functions
- Added ability to query and set global settings such as the agent debug message setting from the UI
- Fixed typo
- Updated go modules
- Removed the FileRegister MythicRPC Command
- Updated the FileCreate MythicRPC Command to take in TaskID, PayloadUUID, or AgentCallbackID depending on what the context has available
- Added a `size` field for FileMeta to track the final size of files uploaded, downloaded, or screenshots
- Added a `bytes_received` and a `bytes_sent` field for CallbackPorts to eventually track how much data goes through Mythic
- Updated the data passed in for DynamicFunctionQueries to have PayloadOS, PayloadUUID, CallbackDisplayID, and AgentCallbackID too
- should help making more informed decisions for which files or dynamic data to present to the user
- Updated the C2 File host webhook to automatically stop and restart a C2 Profile after hosting a file
- Added a new MythicRPC* for getting graph edges associated with a callback
- Added a new MythicRPC* for creating a new task based on AgentCallbackUUID
- associated Operator for this will be the operator associated with the Callback (i.e. the one that made the payload)
- Added new function for a Payload Type for `on_new_callback`/`onNewCallbackFunction` so that you can take actions based on new callbacks
- Fixed bug with attempts to send `alerts` in `checkin` message not properly tracking them for the new callback
- Support for container version 1.2.0
- Added a check for file transfers when getting null data
- Added a fix for spawning a new callback off a payload through the UI
- Fixed an issue with interactive tasking not working if there wasn't also a port open
- Updated the Dockerfile for Mythic_CLI and mythic-docker for go v1.21 GOPROXY usage changes that broke builds
- Adding missing hasura files that didn't get exported and added for updating operator status on the settings page
- Updated to allow SOCKS/rpfwd message format to specify a `port` (uint32) as part of their messages with Mythic
- This allows multiple instances of rpfwd per callback with proper tracking for which port to go to
- The `port` sent in the messages is the local port the agent binds to for rpfwd
- Updated the rpfwd remote connectivity test to happen in a goroutine and not block registration
- Fixed a bug in the staging_rsa refactor for provided RSA public keys
- Updated some golang packages in mythic_server
- Pulled some PRs for refactoring and beginning of adding unit tests
- Added a new controlled endpoint for managing operator admin, active, and deleted status
- Added new database migration for postgres function to convert callback groups into strings for easier searching
- Fixed bugs in mythic rpc functions for CallbackCreate, CallbackDecryptBytes, CallbackUpdate, and FileCreate
- Adjusted channel size to help with TOCTTOU issue
- Fixed a TOCTTOU bug with the total number of file chunks received when there are parallelized requests to Mythic
- Updated file/process browsers to store/merge information based on host + callback id
- Updated callbacks to have `mythictree_groups` attribute to specify which groups data should be displayed with in the UI
- Added new migrations for the above updates
- Adjusted the file writes during `download` commands to flush to disk after each chunk
- Fixed a non-idempotent sql migration
- Updated file transfers to Mythic to allow parallel messages from the agent
- Uses golang channels to ensure ordered file writes and f.Seek to get to the right spot in the file
- Updated agent messages to allow %encoding and safe base64 encoding for query parameters
- Updated rpfwd and SOCKS messages to aggregate through a single channel to ensure message order
- Fixed an issue with locks when checking for containers online or not
- Fixed a bug in interactive tasking ports that wouldn't pick up messages for multiple interactive tasks port in a single callback
- Fixed a bad channel close and double close scenario with interactive ports
- Updated the C2 Profile redirector RPC call to add `#` in front of all non-redirector messages to help with apache mod_rewrite configs
- Added new build step option for skipped steps (useful if you have conditional builds)
- Added new "Split Tasking view" as a callback dropdown option for viewing tasking
- Updated Graphing library (react-flow)
- Updated UI to React18
- Can now sort by last checkin time on active callbacks page
- New "PushC2" style available for egress C2 Profiles
- Updated with Websocket C2 profile
- Uses gRPC connections between C2 Docker container and Mythic
- New `TypedArray` parameter type available for commands, build parameters, and c2 profile parameters
- Useful for generic BoF/COFF style tasking where you need data and a type associated with it
- Data passed down as an array of tuples: `[ [type, value], [type, value] ]`
- PayloadType Commands need to supply a TypedArray Parsing Function to handle freeform input for typed array values
- ex: `my_bof -bof_args int:5 char*:testing wstring:"this is my string"` into proper array of arrays
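One way such a parsing function can turn the freeform `type:value` tokens into the array of arrays described above, as an added Python example that is not Mythic's own code and not the `mythic_container` API. It assumes it receives only the argument text after `-bof_args` (or an already split list of tokens), treats a token without a `type:` prefix as untyped, and validates numeric types so malformed operator input fails at parse time rather than inside the BoF; the type list is an assumption for the example.

```python
import shlex

# Constructed sample: the argument text from the changelog's example command.
SAMPLE_INPUT = 'int:5 char*:testing wstring:"this is my string"'

# Types this example accepts; any real payload type defines its own set (assumption).
KNOWN_TYPES = ("int", "short", "char*", "wstring", "base64")
NUMERIC_TYPES = ("int", "short")


def parse_typed_array(raw, known_types=KNOWN_TYPES, default_type=""):
    """Parse freeform 'type:value' tokens into [[type, value], ...].

    raw may be a single string (split shell-style, so quoted values keep their
    spaces) or a list of already separated tokens. Only the first ':' separates
    the type, so values such as URLs keep their own colons. A token with no
    type prefix gets default_type so the UI can let the operator pick one.
    """
    tokens = shlex.split(raw) if isinstance(raw, str) else list(raw)
    result = []
    for token in tokens:
        if ":" in token:
            type_name, value = token.split(":", 1)
        else:
            type_name, value = default_type, token
        if type_name != default_type and type_name not in known_types:
            raise ValueError(f"unknown type {type_name!r} for value {value!r}")
        if type_name in NUMERIC_TYPES:
            try:
                int(value)  # value stays a string; this only proves it is a number
            except ValueError:
                raise ValueError(f"{type_name} value {value!r} is not an integer") from None
        result.append([type_name, value])
    return result


if __name__ == "__main__":
    print(parse_typed_array(SAMPLE_INPUT))
```

Values are kept as strings on purpose: the agent side decides how to pack each `[type, value]` pair, and the parser's only job is to make sure every pair is well-formed before it is handed down.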
- New "Host File Through C2" option available for all payloads and files via globe icon
- Up to the C2 profile to support the RPC call from Mythic and make the file available though
- Updated with `http` and `websocket` C2 profiles
- Shift+Tab will cycle backwards through options on the tasking CLI
- Event feed format changed and is now also searchable
- "alerts" keyword in responses from agents now allow setting a source, level (info, warning, debug)
- New `send_webhook` boolean field to indicate sending a custom webhook notification (even if the level isn't warning)
- New `webhook_alert` dictionary field for custom data to your webhook that's not displayed to the user in the event log
- `alert` string field is what's displayed to the user in the event log
- Mythic-cli updated to allow options for setting the main UI to listen on IPv4, IPv6, or both
- Agents can now more easily support multiple C2 profiles and have it reflected in the UI
- Still only one instance of each c2 profile, but that will change in future releases
- Updated callback's "update_info" and "checkin" actions so that callbacks can update their own metadata
- New "Interactive" tasking type available to allow follow-on input in a PTY format
- Browser view has limitations compared to a full PTY/TTY since it's still in your browser (supports ANSI colors)
- Non-ANSI color sequence control sequences are ignored in the browser
- Use the new supported_ui_feature `SupportedUIFeatures: []string{"task_response:interactive"},` to enable this for your task in the UI
- With MythicRPC you can open an "interactive" port with your task which you can connect to with a terminal for full PTY support
- NOTE ALL output is still captured and stored in Mythic and viewable in the UI for the task, so be careful about long-running jobs that dump out a lot of data
- Inputs from the Web UI will appear as "tasks" that you can search. Inputs via the opened port will not appear as tasks.
- Your issued tasks will auto-expand, so it should reduce a click for tasks that finish immediately (help, clear, script_only)
- File Search page updated to have `Bin` and `Strings` views available without needing to expand the dropdown
- Updated `github.com/MythicMeta/MythicContainer` golang package and `mythic_container` PyPi packages
- New database migrations so that you don't have to blow away the database between updates
- Updated user login notification to be debug level (no UI popup)
- Allow dynamic port binding with MythicRPCProxyStart
- specify a LocalPort of 0 for Socks/Interactive ports and the next lowest available port will be used and returned
- Allow dynamic port closing with MythicRPCProxyStop
- specify a LocalPort of 0 for Socks/Interactive ports and Mythic will look up the port based on taskID and port type
- Updated ProxyPorts to track "deleted" status so that they're never actually deleted and can be restarted if needed
- Allows for a better tracking of which callbacks had/have which ports open
- Fixed an issue with the task searching MythicRPC call
- Fixed an issue with redirects for the UI with custom ports
- Fixed sql query error for linked messages
- Updated mythic_server and mythic-cli build processes to incorporate GOPROXY and GO111MODULE build/env settings
- Updated the bulk download zip option to save filenames as HOST_filename_uuid.ext to help with uniqueness in names
- Fixed an issue where MythicRPCCallbackUpdate failed to find a callback based on task id
- Fixed an issue where linked callbacks were consistently creating new edges
- Fixed an issue where linked nodes 3+ deep weren't getting their tasking
- Fixed an issue where linked nodes weren't getting their token values
- Adjusted the agent message processing to account for agent messages less than 36 bytes long
- Adjusted the rabbitmq piece to force close channels on error
- Added some missing return statements for file uploads on error cases
- Fixed the following RPC functions: agent storage search, artifact search, process search
- Fixed how Mythic leveraged rabbitMQ channels to reduce the channel churn rate and increase throughput dramatically
- Updated Mythic's tasking to support mass-tasking natively without requiring all tasks to happen in sequence
- Fixed an issue with a high volume of new callbacks causing issues with Postgres connections
- Fixed an issue with a high volume of new callbacks resulting in duplicated callback identifiers
- Updated the sqlx connection information to limit the number of concurrent postgres connections
- Updated file browser data to track if a folder `has_children` or not so that it's easier to track in the UI
- Updated file download to not un-set the `is_screenshot` tag based on default values from agents
- Updated the translation container code to only ask the translation container to generate encryption keys if the translation container is doing the encryption (instead of always asking)
- Added `file_name` field to Downloads so that you can report back a filename without necessarily returning a full_remote_path. This is particularly useful for screenshots or downloading things in memory.
- Updated the RPC File Create function to set the host field
- Updated check for marking a callback token as deleted to first fetch the proper token_id
- Updated check for container status to use rabbitmq REST api to port 15672 instead of passively declaring queues
- Updated rabbitmq image to rabbitmq:3-management-alpine to support the above bullet
- Updated the payload builder message to also include a wrapped_payload_uuid field
- Updated the rpfwd logic to not bail out if it can't reach the specified remote ip:port when starting
- Updated the logic for tracking up/down containers to only notify after successful database update
- Updated grpc translation container code to have a larger (maxInt) send/recv limit
- Added a line to reflect back keys from the agent at the "action" level
- MythicRPC calls for creating task and subtask now report back a tasking location of `mythic_rpc` instead of `command_line`
- Update file delete webhook to not error out if the file to be deleted has already been deleted
- Fixed a bug where *nix filepaths might be leading // causing file browser issues
- Fixed bug where deleted files that come back weren't getting marked as not deleted
- Fixed an issue in the UI with timestamps not converting properly between UTC and local time
- Fixed a bug where agents reporting back file browser paths with UNC formats wouldn't get properly ingested
- Fixed a bug where the `get_delegate_tasks` key wasn't getting passed to the delegate message check
- Fixed a bug where rpfwd messages weren't getting checked for delegate messages
- Removed ability to check number of consumers for logging/webhooks since it caused the messages to roundrobin instead
- Updated the UI to handle boolean parameters with `-paramName` as `true` on the CLI
- Updated the UI to show number of listeners for consuming services as well as green/orange counts
- Updated Mythic to emit a new `new_response` log type for user_output
- Updated the checks for existing containers to re-use rabbitmq channels if possible
- Updated the health check for rabbitmq to just check for ports listening since no alarms are configured
- Fixed an issue when reporting back deleted files that Windows paths with `\\` need to be escaped again, `\\\\`
- Updated task logging to emit when first created and also when task completes
- Added new `alerts` key for `post_response` messages to send alerts to the operation event log
- Added new `alerts` key for top level messages to send alerts to the operation event log
- Additional error checking for trying to close SOCKS ports
- Updated some rabbitmq RPC functionality to not return error on timeouts
- Added a check when getting a new callback to see if the payload is deleted, if so then no new callback is created and an alert is thrown to the operator
- Reduced the popup display for some toast notifications when generating tasks
- Attempt to locate and mitigate potential RPC timeout errors
- Updated MythicRPCFileUpdateMessage to allow setting DeleteAfterFetch
- Updated UI to support GenerateIOCs and GenerateSampleMessage for C2 containers
- Updated UI to have icons next to options on the Payloads page so it's easier to find what you're looking for
- Updated UI to not base64 encode browser scripts
- Updated mythic_graphql with new GraphQL endpoint and permissions for c2GetIOC and c2SampleMessage functions
- Fixed an issue with additional information incorrectly mapped to map[string]string instead of map[string]interface{}
- Updated message about out-dated `upload` key for file transfers to be an informational debug message rather than a warning
- Updated Jupyter with mythic==0.1.2
- Updated the task status values to be more representative of what's going on
- Updated go.mod values
- Fixed an issue with the default value for a dictionary not getting populated correctly due to missing struct tags
- Fixed a few things in the UI with linking
- Fixed process browser in the UI not reporting process_id when tasking kill/inject
- Fixed an issue where linked p2p agents would get egress connections in the UI
- fixed an issue with creating saved c2 instances that wouldn't supply default values for non-supplied parameters
- updated the scripting version for the Jupyter Container
- added two new examples in the Jupyter container for c2 profiles
- fixed an issue with missing operation_id for c2 profile instances for payloads
- Reduced the number of toast notifications when syncing or hitting errors with translation containers
- Changed from ParseBytes to FromBytes when attempting to parse a 16 byte UUID instead of a 36 byte string UUID
- Fixed how timeouts work for translation services so that they don't hang internally on channels
- Updated the webhook for creating custom operation event messages to generate sources if none supplied
- Updated to allow users without an operation set to create an operation and create new users
- Fixed an issue when updating operations outside your operation causing an exception
- Two .svg icons for UI dev were ignored via .gitignore, so added them manually back to the repo
- Updated to actual release instead of release candidates for v3.0.0
- Modified MythicRPCProxyStart to support rportfwd
- Updated Dockerfile build to use smaller base images and use multi-stage builds to reduce final size
- Docker images updated:
- itsafeaturemythic/mythic_base_go <-- go1.20 with garble and gRPC
- itsafeaturemythic/mythic_base_python <-- python 3.11 with the latest mythic_container PyPi package installed
- itsafeaturemythic/mythic_go_dotnet <-- mythic_go_base + .NET Core 7.0 SDK, nuget, and the Mono compiler
- itsafeaturemythic/mythic_python_dotnet <-- mythic_python_base + .NET Core 7.0 SDK, nuget, and the Mono compiler
- itsafeaturemythic/mythic_go_macos <-- mythic_go_base + macOS 12.1 SDK
- itsafeaturemythic/mythic_python_macos <-- mythic_python_base + macOS 12.1 SDK
- All docker images now have a rolling `:latest` tag that can be used
- All docker images (and mythic-cli builds) now work for ARM as well as x86_64
- Fixed an issue with additional attributes not getting captured for commands
- Added `File` as a valid build parameter type
- like files for tasking, this is passed to the `build` function as a file UUID
- ContainerVersion v1.0.2 has the builder side of this addition
- Docker images updated:
- itsafeaturemythic/mythic_base <-- go1.20 and python 3.11 with the latest mythic_container PyPi package installed
- itsafeaturemythic/mythic_dotnet <-- mythic_base + .NET Core 7.0 SDK, nuget, and the Mono compiler
- itsafeaturemythic/mythic_macos <-- mythic_base + macOS 12.1 SDK
- All docker images now have a rolling `:latest` tag that can be used
- All docker images (and mythic-cli builds) now work for ARM as well as x86_64
- Updated `mythic-cli` with `update`, `save`, and `load` commands
- `update` command simply checks Mythic version, mythic-cli version, and mythic UI version locally against either the main branch or the branch specified with `-b`
- `save` command exports specified docker images to disk for use with the load command
- `load` command loads exported docker images into the local docker engine (helpful for offline environments)
- Updated UI to allow `ctrl+F` within more output boxes
- Updated Docker images
- Updated `mythic` PyPi package in `jupyter` container to `mythic==0.1.0rc9`
- Updated agent post_response process dictionary to support `update_deleted` key to mark processes as deleted
- Updated agent post_response process dictionary to support `os` key to mark processes as `windows`, `macOS`, or `linux`
- Updated UI to add new "View Just This Process Tree" option in Info dropdown for process tree view
- Fixed bug with callback graph view's link commands
- Fixed bug with re-added edges in graph view
- Fixed an issue with marking payloads as deleted when linking agents
- Updated the UI so tasking dropdown boxes are full width
- Updated reporting function to generate JSON output in addition to XML
- fixed the UI to version 0.1.0 with an update to include the additional webhook types of alert/custom
- adjusted the test webhook function to handle testing the new alert/custom webhook types
- Fixed an issue where SendMythicRPCFileCreate wasn't setting the is_screenshot or is_download_from_agent fields
- Moved docker templates back out of this repository and to the MythicMeta/Mythic_Docker_Templates repository
- Fixed a bug in file uploads that was causing the sha1 and md5 of payloads to not be recorded
- Updated the payload build and build response to allow for updating the filename as part of the build process
- Added another check in RSA EKE for PKIX format
- Added two new kinds of webhooks - one for alerts in the operation event log and one for custom webhook data
- Added examples of new webhooks in Jupyter notebook
- Updated MythicCLI to allow setting default operation webhook url and webhook channel in addition to operation name from .env file
- Updated MythicCLI to support `-b` and `--branch` flags when installing from GitHub
- Updated some json tags on structs to omit unnecessary nested structure parsing with empty values
- Fixed the error message for bad messages to Mythic and added more error logging to the UI
- Added event log notification if a connection is refused due to the IP allow list in the Mythic/.env file
- For file browsing, if an OS type cannot be inferred based on host, path, and parent path, OS is assumed as Windows
- Fixed an issue with the UI sending the wrong host name for file listings
- Fixed an issue with uploaded files treated like folders in the file browser
- Fixed an issue where files marked as "delete after fetch" weren't getting deleted
- Fixed some issues with the UI referring to old element IDs instead of display IDs
- Fixed some issues with MythicRPC Credential and File Searches
- Fixed an issue with RabbitMQ Channels not getting closed after use, resulting in an ID exhaustion
- Added new configuration variable for `mythic_react_debug`
- Added MythicReactUI code to this repository for easier control and development for the community.
- New image and container are only used when `mythic_react_debug` is set to `true`, otherwise normal nginx container serving static files is used.
- Updated scripting package for Jupyter to mythic==0.1.0rc3
- Updated MythicUI tags to treat http* json fields as clickable links
- Updated mythic-cli to include a version command
- Updated the agent message Get handler to look at first query parameter, first cookie value, and then message body
- Updated mythic-cli to include a check for the docker version >= 20.10.22
- Added more to the report generation for the XML side
- Fixed an issue with bad hasura role for non-admins
- Added caching for container information for checking if containers are online
- Updated file tracking for newly created downloads to populate the file browser as well
- Dynamically update file's chunk_size if none is set by the agent to the size of the first chunk
- Updated the xml reporting a bit further (not done yet)
- Updated processing of agent messages to have a separate case for base64 url encoded messages
- Updated a few issues in the UI
- Fixed many bugs in mythic_rpc_* functionality that was slightly broken with SQL queries
- Prevented agents from auto-triggering their completion functions multiple times
- Added a flag to not show webhook/logger rabbitmq errors on send
- Updated the payload search rpc functionality to also return the build_phase
- Fixed some UI bugs for various command parameter types
- Fixed a bug where an operation's channel wasn't sent down as part of webhook messages, only the url
- updated how socks messaging works internally to mythic (more go channels instead of mutex locks)
- fixed an issue in the UI where bulk callback hides wasn't working
- fixed an issue with socks stop getting caught in deadlocks
- fixed a few pieces of the UI for credentials and callbacks searching
- updated the graphql action for creating credentials so they get emitted to logging as well
- updated nginx reverse proxy to handle ip allow lists as well (so jupyter/docs/graphql all get protection too)
- added cpu limits for a few other services
- Updated the way that callback updates happen so that it's easier with
- fixed an issue with token not getting added for get_tasking requests like in Mythic 2.3.*
- fixed an issue with tokens selected from the UI not making their way through to the payload containers
- fixed an issue with token adding/removing with bad SQL syntax
- updated components for adding/removing/updating operations and operator memberships with new hasura action
- updated some tagging on database structure to make mapstructure decoding better
- updated the mythic rpc callback search functionality to require a callback uuid instead of the callback id since the int id isn't available to translation containers
- Added new graphql endpoints for adding mitre attack to tasks and updating operations
- fixed an issue where the `staging_translation` capability for a translation container was missing
- fixed an issue with tasking creation leveraging files not tied to tasks when searched
- updated the database schema to support cascading drops (requires dropping database and creating a new one)
- updated how display_ids are calculated for tasks and callbacks (there was an issue with duplicates once you start deleting tasks/callbacks)
- updated the ui and server to create new tasks/callbacks based on display_id rather than id
- a new endpoint for deleting callbacks and tasks via scripting
- fixed an issue where hasura updated permissions weren't captured to disk
- Updated mythic-cli with mythic_postgres to offer a different postgres.conf file based on if postgres_debug is true
- fixed an issue when loading multiple commands via RPC that it would stop after the first successful one
- fixed some issues with P2P connections and auto-adding routes
- fixed an issue with 16 byte uuid not getting reflected back for agent response (defaulted to always 36 char string)
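The entries about agent messages shorter than 36 bytes, 16-byte versus 36-byte UUIDs, and reflecting a 16-byte UUID back to the agent all come down to one bounds-checked parse of the message prefix. The following is an added example, not Mythic's own code: it assumes an agent message is a UUID prefix (a 36-character string or 16 raw bytes) followed immediately by the body, uses only the Go standard library rather than a uuid package's ParseBytes/FromBytes, and rejects anything too short to hold a prefix before slicing.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Assumed layout (illustrative, not Mythic's source): a message starts with the
// sender's UUID as a 36-char ASCII string or 16 raw bytes, then the body.
const (
	uuidStringLen = 36
	uuidBinaryLen = 16
)

var uuidStringRe = regexp.MustCompile(
	`^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$`)
// ErrShortMessage is returned for input too short to hold any UUID prefix.
var ErrShortMessage = errors.New("agent message shorter than a UUID prefix")

// Prefix records the leading UUID and which encoding the agent used for it.
type Prefix struct {
	UUID   string // canonical lowercase 36-character form
	Binary bool   // true when the agent sent 16 raw bytes
}

// ParsePrefix splits msg into its UUID prefix and the remaining body. The length
// is checked before every slice, so a message shorter than 36 bytes is either
// read as a 16-byte prefix or rejected, never sliced past its end.
func ParsePrefix(msg []byte) (Prefix, []byte, error) {
	if len(msg) >= uuidStringLen && uuidStringRe.Match(msg[:uuidStringLen]) {
		id := strings.ToLower(string(msg[:uuidStringLen]))
		return Prefix{UUID: id}, msg[uuidStringLen:], nil
	}
	if len(msg) >= uuidBinaryLen {
		h := hex.EncodeToString(msg[:uuidBinaryLen])
		id := fmt.Sprintf("%s-%s-%s-%s-%s", h[:8], h[8:12], h[12:16], h[16:20], h[20:])
		return Prefix{UUID: id, Binary: true}, msg[uuidBinaryLen:], nil
	}
	return Prefix{}, nil, ErrShortMessage
}

// EncodePrefix builds the reply prefix in the agent's own encoding: 16 raw
// bytes if it sent binary, otherwise the 36-character string.
func EncodePrefix(p Prefix) ([]byte, error) {
	if !p.Binary {
		return []byte(p.UUID), nil
	}
	raw, err := hex.DecodeString(strings.ReplaceAll(p.UUID, "-", ""))
	if err != nil || len(raw) != uuidBinaryLen {
		return nil, fmt.Errorf("not a valid UUID: %q", p.UUID)
	}
	return raw, nil
}

func main() {
	raw, _ := hex.DecodeString("6a1b2c3d4e5f4a6b8c7d9e0f1a2b3c4d") // constructed sample
	p, body, err := ParsePrefix(append(raw, "xyz"...))              // 19-byte message
	fmt.Printf("%+v body=%q err=%v\n", p, body, err)
}
```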
- fixed an issue with RSA-based EKE where golang libraries require a slightly different format than before. Added code to auto-detect and fix
- fixed an issue where status wouldn't get updated to submitted
- fixed an issue with SOCKS reusing the same ports causing errors
- fixed an issue with mythic-cli stopping all containers instead of just the specified ones
- added a function to mythic-cli to remove intermediate images
- fixed an issue with errors getting overwritten from create_tasking and going to the agent
- fixed an issue with script_only commands always reporting success and going to the agent
- fixed an issue with the outer UUIDs for checkins appearing wrong thanks to BloodHound user Josh Feehs
- fixed a few issues with process_response and completion function messages
- refactored where the automatically updated build steps happened on errors
- fixed an issue where selecting "none" for crypto would result in "" as the type instead of "none"
- fixed issue in command addition that wasn't using $1, $2 for parameterization on database Get request
- fixed issue where mapstructure tag was missing from struct
- updated the token/callback section to remove an instance of TokenID (should be token_id)
- updated the token/callback section to process tokens then callback tokens if both are provided simultaneously
- fixed a few bugs in the UI
- fixed a bug where "none" encryption was reporting back as a string instead of a dictionary
- Allowed wrapper payload types to wrap additional wrapper payload types so that you can nest more payload types
- Updated P2P communications spec to return `mythic_uuid` and `new_uuid` (same value). Eventually `mythic_uuid` will be removed entirely to help reduce the number of mandatory `mythic` strings in agents.