Athena
Using SOCKS on Linux causes CPU utilisation to jump to 100%
Describe the bug
Starting the SOCKS functionality on a Linux deployment of the Athena agent causes CPU utilisation for the Athena process on the agent host to jump to 100%. This persists even if the SOCKS module is stopped. Tested on Ubuntu 16.04 and 20.04 using both the websocket and http C2 profiles.
To Reproduce
Steps to reproduce the behavior:
- Generate an Athena agent for Linux. I chose all default build parameters, included the socks command to be built into the agent, and included either the websocket or the http C2 profile
- Launch the agent on the target Linux system and wait for the active callback
- Set sleep delay and jitter to 0 and 0 using the 'sleep' command to provide an effective channel for SOCKS traffic
- Monitor CPU utilisation using 'top' on the Linux system running the agent while running a few random commands on the agent from the Mythic UI to simulate activity - utilisation on the Athena process is around 1-4% at this point during my testing
- Run the 'socks' command on the agent to start a SOCKS proxy on port 7000 or similar - observe utilisation on the Athena process which immediately jumps to around 100%
- Stop the SOCKS proxy using the 'socks stop' command. Observe utilisation on the Athena process which remains at around 100% until the process is killed
Expected behavior
CPU utilisation for the process is less than 100%
Happy to provide more info as required
Weird, I don't even know where to start with this, but I'll take a look. Thanks!
I'd be happy to help further with this, e.g. with more intensive testing and/or code fixes/PR depending on what you need; however, I won't have the bandwidth to do so for probably a few weeks (sorry). Will jump back in at that point if you still need an assist
Appreciate it, I plan on looking at it today, so hopefully I figure it out. But any help is appreciated :)
I know it's been a while, but I think I have an idea on the cause of this now. So once I can figure out the fix I'll be able to implement it
I've just overhauled the socks profile functionality with custom stuff; from my testing it's been pretty resource friendly. So this should be fixed now.