S0699 Mythic
Mythic is an open source, cross-platform post-exploitation/command and control platform. Mythic is designed to “plug-n-play” with various agents and communication channels.[2][3][4] Deployed Mythic C2 servers have been observed as part of potentially malicious infrastructure.[1]
Item | Value |
---|---|
ID | S0699 |
Associated Names | |
Type | TOOL |
Version | 1.0 |
Created | 26 March 2022 |
Last Modified | 18 April 2022 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Mythic supports HTTP-based C2 profiles.[4] |
enterprise | T1071.002 | File Transfer Protocols | Mythic supports SMB-based peer-to-peer C2 profiles.[4] |
enterprise | T1071.004 | DNS | Mythic supports DNS-based C2 profiles.[4] |
enterprise | T1119 | Automated Collection | Mythic supports scripting of file downloads from agents.[4] |
enterprise | T1132 | Data Encoding | Mythic provides various transform functions to encode and/or randomize C2 data.[4] |
enterprise | T1030 | Data Transfer Size Limits | Mythic supports custom chunk sizes used to upload/download files.[4] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.002 | Asymmetric Cryptography | Mythic supports SSL encrypted C2.[4] |
enterprise | T1008 | Fallback Channels | Mythic can use a list of C2 URLs as fallback mechanisms in case one IP or domain gets blocked.[4] |
enterprise | T1095 | Non-Application Layer Protocol | Mythic supports WebSocket and TCP-based C2 profiles.[4] |
enterprise | T1572 | Protocol Tunneling | Mythic can use SOCKS proxies to tunnel traffic through another protocol.[4] |
enterprise | T1090 | Proxy | - |
enterprise | T1090.001 | Internal Proxy | Mythic can leverage a peer-to-peer C2 profile between agents.[4] |
enterprise | T1090.002 | External Proxy | Mythic can leverage a modified SOCKS5 proxy to tunnel egress C2 traffic.[4] |
enterprise | T1090.004 | Domain Fronting | Mythic supports domain fronting via custom request headers.[4] |
References
1. Insikt Group. (2022, January 18). 2021 Adversary Infrastructure Report. Retrieved March 25, 2022.
2. Thomas, C. (2018, July 4). Mythic. Retrieved March 25, 2022.
3. Thomas, C. (2020, August 13). A Change of Mythic Proportions. Retrieved March 25, 2022.
4. Thomas, C. (n.d.). Mythic Documentation. Retrieved March 25, 2022.