Mythic icon indicating copy to clipboard operation
Mythic copied to clipboard

Published 20 hours ago verified publisher icon its-a-feature

Better visualization for alive/stalled/dead callbacks.

Open timukas opened this issue 1 year ago • 2 comments

Hello,

Each payload's profile has interval and jitter option, which defines how often it calls back to C2.

On 'Active Callbacks' page (table view) there is 'Last Checkin' column, which shows when corresponding callback had last connection with Mythic.

IMO, main table view should somehow distinguish if connection is 100% alive or 'almost 100% dead'.

E.g. interval + max.jitter + 10 seconds = 120 seconds. If last checkin is smaller than 120 seconds, then it marked as alive. If last checking bigger than (interval + max.jitter + 10 seconds ) * 10, then mark it as not-alive.

Connection status can be some icon (e.g. green, yellow or red) or some background color. And column filtering could be also implemented. So then you can easily filter out alive/not-alive callbacks.

timukas avatar Nov 22 '23 14:11 timukas

There's a few tough things about that though:

  • Mythic doesn't inherently know what an agent's sleep or jitter times are (you could make your own c2 profile)
  • Sleep intervals might not exist (Push C2 or P2P agents)
  • Intervals might be more than just "seconds +- jitter%" (some agents could have working hours or additional components that feed into when an agent checks in)
  • Agents can use multiple C2 profiles at a time, each with their own sleep intervals (ex: poseidon can be compiled with http, dynamichttp, and websocket all at once)

You can already sort by last checkin time, so what additional benefit does that give you? Now, one thing that might be useful is having a way to ask the payload container when the next checkin could be. So, you click that blue clock icon and it shows you what the agent says the sleep is, and mythic sends a request to that payload's container that says "given this information, when would you expect the next checkin to be"

its-a-feature avatar Nov 22 '23 14:11 its-a-feature

Yeah, i agree with your bullet-points. Looks pretty hard to implement something meaningful, which covers all possible scenarios.

Sorting by last checkin time works in most of my cases. I know more/less interval for callbacks and after sorting, i just hide callbacks which way over interval time.

timukas avatar Nov 23 '23 20:11 timukas

This feature will be available in the next release. Every minute Mythic will look at all of the active callbacks and which payload type they're based on. Mythic will then send a message to each payload type container with information about all of that payload type's callbacks and invoke a new function where the payload type container can identify if the agent is likely to be "alive" or not. Who better to know the intricacies of how an agent's sleep interval works than the container that created the agent.

its-a-feature avatar Jul 02 '24 12:07 its-a-feature