aryma/Ares-mythic
1
0
Fork 0
mirror of https://github.com/Aryma-f4/Ares-mythic.git synced 2026-06-12 13:54:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

first commit

Browse Source
This commit is contained in:
Aryma
2026-04-14 12:17:24 +07:00
commit 2f05f67733
799 changed files with 531884 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
documentation-payload/apollo/c2_profiles/HTTP.md Normal file
View File

@@ -0,0 +1,56 @@
+++
title = "HTTP"
chapter = false
weight = 102
+++
## Summary
Basic profile to send and receive taskings from Mythic over the hyper text transfer protocol.
### Profile Options
#### GET Requests
Currently the agent does not support any parameters in regards to GET parameters.
#### Callback Host
The URL for the redirector or Mythic server. This must include the protocol to use (e.g. `http://` or `https://`).
#### Callback Interval in seconds
Time to sleep between agent check-in.
#### Callback Jitter in percent
Randomize the callback interval within the specified threshold. e.g., if Callback Interval is 10, and jitter is 20, Apollo will call back randomly along the interval 8 and 12 seconds.
#### Callback Port
The port at which the web server Apollo reaches out to lives on (80, 443, etc.)
#### Crypto type
Do not modify from aes256_hmac
#### GET request URI
The path on the web server Apollo will talk to
#### HTTP Headers
A dictionary of key-value pairs Apollo will attempt to use in web requests. Of note, Domain Fronting does not work in this profile configuration due to the .NET object used to create web requests.
#### Kill Date
The date at which the agent will stop calling back.
#### Name of the query parameter for GET requests
The included URL parameter, if any, used in GET requests
#### Performs Key Exchange
Perform encrypted key exchange with Mythic on check-in. Recommended to keep as T for true.
#### Proxy Host
If specified, must be of the same format as the Callback Host (e.g., `http://proxy.gateway`)
#### Proxy Password
The password used to authenticate to Proxy Host.
#### Proxy Port
The port at which Proxy Host is served.
#### Proxy Username
The username used to authenticate to the Proxy Host.

515
documentation-payload/apollo/c2_profiles/HTTPX.md Normal file
View File

@@ -0,0 +1,515 @@
+++
title = "HTTPX"
chapter = false
weight = 103
+++
## Summary
Advanced HTTP profile with malleable configuration support and message transforms for enhanced OPSEC. Based on the httpx C2 profile with extensive customization options.
### Profile Options
#### Callback Domains
Array of callback domains to communicate with. Supports multiple domains for redundancy and domain rotation.
**Example:** `https://example.com:443,https://backup.com:443`
#### Domain Rotation
Domain rotation pattern for handling multiple callback domains:
- **fail-over**: Uses each domain in order until communication fails, then moves to the next
- **round-robin**: Cycles through domains for each request
- **random**: Randomly selects a domain for each request
#### Failover Threshold
Number of consecutive failures before switching to the next domain in fail-over mode.
**Default:** 5
#### Callback Interval in seconds
Time to sleep between agent check-ins.
**Default:** 10
#### Callback Jitter in percent
Randomize the callback interval within the specified threshold.
**Default:** 23
#### Encrypted Exchange Check
**Required:** Must be true. The HTTPX profile uses RSA-4096 key exchange (EKE) for secure communication and cannot operate without it. This ensures all traffic is encrypted with client-side generated keys.
**Default:** true (Cannot be disabled)
#### Kill Date
The date at which the agent will stop calling back.
**Default:** 365 days from build
#### Raw C2 Config
JSON configuration file defining malleable profile behavior. If not provided, uses default configuration.
### proxy_host
Proxy server hostname or IP address for outbound connections.
**Example:** `proxy.company.com`
### proxy_port
Proxy server port number.
**Example:** `8080`
### proxy_user
Username for proxy authentication (if required).
### proxy_pass
Password for proxy authentication (if required).
### domain_front
Domain fronting header value. Sets the `Host` header to this value for traffic obfuscation.
**Example:** `cdn.example.com`
### timeout
Request timeout in seconds for HTTP connections.
**Default:** `240`
## Security: RSA Key Exchange (EKE)
The HTTPX profile implements EKE using client-side generated RSA keys for secure communication:
- **RSA Key Size:** 4096-bit key pairs generated on the agent side
- **Exchange Process:** Agent generates an RSA keypair and sends the public key to Mythic, which responds with an encrypted session key
- **Security:** All communication is encrypted using this negotiated session key
- **Requirement:** EKE is mandatory and cannot be disabled in the HTTPX profile
This ensures that even if the communication is intercepted, without the private key on the agent, the traffic remains encrypted.
## Malleable Profile Configuration
The httpx profile supports extensive customization through malleable profiles defined in JSON format.
### Configuration Structure
```json
{
"name": "Profile Name",
"get": {
"verb": "GET",
"uris": ["/api/status", "/health"],
"client": {
"headers": {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
},
"parameters": {
"version": "1.0",
"format": "json"
},
"message": {
"location": "query",
"name": "data"
},
"transforms": [
{
"action": "base64",
"value": ""
}
]
},
"server": {
"headers": {
"Content-Type": "application/json",
"Server": "nginx/1.18.0"
},
"transforms": [
{
"action": "base64",
"value": ""
}
]
}
},
"post": {
"verb": "POST",
"uris": ["/api/data", "/submit"],
"client": {
"headers": {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
"Content-Type": "application/x-www-form-urlencoded"
},
"message": {
"location": "body",
"name": ""
},
"transforms": [
{
"action": "base64",
"value": ""
}
]
},
"server": {
"headers": {
"Content-Type": "application/json",
"Server": "nginx/1.18.0"
},
"transforms": [
{
"action": "base64",
"value": ""
}
]
}
}
}
```
### Message Locations
Messages can be placed in different parts of HTTP requests:
- **body**: Message in request body (default for POST)
- **query**: Message as query parameter
- **header**: Message in HTTP header
- **cookie**: Message in HTTP cookie
### Transform Actions
The following transform actions are supported:
#### base64
Standard Base64 encoding/decoding.
#### base64url
URL-safe Base64 encoding/decoding (uses `-` and `_` instead of `+` and `/`).
#### netbios
NetBIOS encoding (lowercase). Each byte is split into two nibbles and encoded as lowercase letters.
#### netbiosu
NetBIOS encoding (uppercase). Each byte is split into two nibbles and encoded as uppercase letters.
#### xor
XOR encryption with specified key.
**Example:**
```json
{
"action": "xor",
"value": "mysecretkey"
}
```
#### prepend
Prepend data with specified value.
**Example:**
```json
{
"action": "prepend",
"value": "prefix"
}
```
#### append
Append data with specified value.
**Example:**
```json
{
"action": "append",
"value": "suffix"
}
```
### Transform Chains
Transforms are applied in sequence. For client transforms, they are applied in order. For server transforms, they are applied in reverse order to decode the data.
**Example Transform Chain:**
```json
"transforms": [
{
"action": "xor",
"value": "secretkey"
},
{
"action": "base64",
"value": ""
},
{
"action": "prepend",
"value": "data="
}
]
```
## Example Malleable Profiles
### Microsoft Update Profile
```json
{
"name": "Microsoft Update",
"get": {
"verb": "GET",
"uris": [
"/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
"/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab"
],
"client": {
"headers": {
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Encoding": "gzip, deflate",
"Connection": "Keep-Alive",
"Cache-Control": "no-cache",
"User-Agent": "Microsoft-CryptoAPI/10.0"
},
"parameters": null,
"message": {
"location": "query",
"name": "cversion"
},
"transforms": [
{
"action": "base64url",
"value": ""
}
]
},
"server": {
"headers": {
"Content-Type": "application/vnd.ms-cab-compressed",
"Server": "Microsoft-IIS/10.0",
"X-Powered-By": "ASP.NET",
"Connection": "keep-alive",
"Cache-Control": "max-age=86400"
},
"transforms": [
{
"action": "xor",
"value": "updateKey2025"
},
{
"action": "base64",
"value": ""
},
{
"action": "prepend",
"value": "MSCF\u0000\u0000\u0000\u0000"
},
{
"action": "append",
"value": "\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000"
}
]
}
},
"post": {
"verb": "POST",
"uris": [
"/msdownload/update/v3/static/feedbackapi/en/feedback.aspx"
],
"client": {
"headers": {
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Encoding": "gzip, deflate",
"Connection": "Keep-Alive",
"Content-Type": "application/x-www-form-urlencoded",
"User-Agent": "Microsoft-CryptoAPI/10.0"
},
"parameters": null,
"message": {
"location": "body",
"name": "feedback"
},
"transforms": [
{
"action": "xor",
"value": "feedbackKey"
},
{
"action": "base64",
"value": ""
}
]
},
"server": {
"headers": {
"Content-Type": "text/html; charset=utf-8",
"Server": "Microsoft-IIS/10.0",
"X-Powered-By": "ASP.NET",
"Connection": "keep-alive",
"Cache-Control": "no-cache, no-store"
},
"transforms": [
{
"action": "xor",
"value": "responseKey"
},
{
"action": "base64",
"value": ""
},
{
"action": "prepend",
"value": "<!DOCTYPE html><html><head><title>Feedback Submitted</title></head><body><div>"
},
{
"action": "append",
"value": "</div><script>setTimeout(function(){window.location.href='https://www.microsoft.com';},500);</script></body></html>"
}
]
}
}
}
```
### jQuery CDN Profile
```json
{
"name": "jQuery CDN",
"get": {
"verb": "GET",
"uris": [
"/jquery-3.3.0.min.js"
],
"client": {
"headers": {
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Encoding": "gzip, deflate",
"Connection": "Keep-Alive",
"Keep-Alive": "timeout=10, max=100",
"Referer": "http://code.jquery.com/",
"User-Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
},
"parameters": null,
"message": {
"location": "cookie",
"name": "__cfduid"
},
"transforms": [
{
"action": "base64url",
"value": ""
}
]
},
"server": {
"headers": {
"Cache-Control": "max-age=0, no-cache",
"Connection": "keep-alive",
"Content-Type": "application/javascript; charset=utf-8",
"Pragma": "no-cache",
"Server": "NetDNA-cache/2.2"
},
"transforms": [
{
"action": "xor",
"value": "randomKey"
},
{
"action": "base64",
"value": ""
},
{
"action": "prepend",
"value": "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */"
},
{
"action": "append",
"value": "\".(o=t.documentElement,Math.max(t.body[\"scroll\"+e],o[\"scroll\"+e],t.body[\"offset\"+e],o[\"offset\"+e],o[\"client\"+e])):void 0===i?w.css(t,n,s):w.style(t,n,i,s)},t,a?i:void 0,a)}})}),w.each(\"blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu\".split(\" \"),function(e,t){w.fn[t]=function(e,n){return arguments.length>0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,\"**\"):this.off(t,e||\"**\",n)}}),w.proxy=function(e,t){var n,r,i;if(\"string\"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return(\"number\"===t||\"string\"===t)&&!isNaN(e-parseFloat(e))},\"function\"==typeof define&&define.amd&&define(\"jquery\",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});"
}
]
}
},
"post": {
"verb": "POST",
"uris": [
"/jquery-3.3.0.min.js"
],
"client": {
"headers": {
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Encoding": "gzip, deflate",
"Referer": "http://code.jquery.com/",
"User-Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
},
"parameters": null,
"message": {
"location": "body",
"name": ""
},
"transforms": [
{
"action": "xor",
"value": "someOtherRandomKey"
}
]
},
"server": {
"headers": {
"Cache-Control": "max-age=0, no-cache",
"Connection": "keep-alive",
"Content-Type": "application/javascript; charset=utf-8",
"Pragma": "no-cache",
"Server": "NetDNA-cache/2.2"
},
"transforms": [
{
"action": "xor",
"value": "yetAnotherSomeRandomKey"
},
{
"action": "base64",
"value": ""
},
{
"action": "prepend",
"value": "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */"
},
{
"action": "append",
"value": "\".(o=t.documentElement,Math.max(t.body[\"scroll\"+e],o[\"scroll\"+e],t.body[\"offset\"+e],o[\"offset\"+e],o[\"client\"+e])):void 0===i?w.css(t,n,s):w.style(t,n,i,s)},t,a?i:void 0,a)}})}),w.each(\"blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu\".split(\" \"),function(e,t){w.fn[t]=function(e,n){return arguments.length>0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,\"**\"):this.off(t,e||\"**\",n)}}),w.proxy=function(e,t){var n,r,i;if(\"string\"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return(\"number\"===t||\"string\"===t)&&!isNaN(e-parseFloat(e))},\"function\"==typeof define&&define.amd&&define(\"jquery\",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});"
}
]
}
}
}
```
## Migration from HTTP Profile
To migrate from the basic HTTP profile to httpx:
1. **Update C2 Profile**: Change from "http" to "httpx" in your payload configuration
2. **Configure Domains**: Set callback domains instead of single callback host
3. **Add Malleable Profile**: Upload a JSON configuration file via the "Raw C2 Config" parameter
4. **Test Configuration**: Verify the profile works with your infrastructure
## OPSEC Considerations
- Use realistic User-Agent strings that match your target environment
- Choose URIs that blend with legitimate traffic patterns
- Implement appropriate transforms to obfuscate communication
- Consider domain rotation for redundancy and evasion
- Test profiles against network monitoring tools
- Use HTTPS endpoints when possible
- Implement proper error handling and fallback mechanisms
## Troubleshooting
### Common Issues
1. **Transform Errors**: Ensure transform chains are properly configured and reversible
2. **Domain Resolution**: Verify all callback domains are accessible
3. **Profile Validation**: Check JSON syntax and required fields
4. **Header Conflicts**: Avoid conflicting or invalid HTTP headers
### Debug Tips
- Start with simple base64 transforms before adding complex chains
- Test profiles with small payloads first
- Use network monitoring tools to verify traffic patterns
- Check server logs for any configuration issues

44
documentation-payload/apollo/c2_profiles/SMB.md Normal file
View File

@@ -0,0 +1,44 @@
+++
title = "SMB"
chapter = false
weight = 102
+++
## Summary
Peer-to-peer communication over a named pipe. This enables C2 traffic to traverse over SMB within an internal network before egressing traffic through an HTTP Apollo agent to the Mythic server.
Install via:
```
mythic-cli install github https://github.com/MythicC2Profiles/smb.git
```
### C2 Workflow
{{<mermaid>}}
sequenceDiagram
participant Mythic
participant Egress Agent
participant P2P Agent
Egress Agent->>Mythic: POST to receive taskings from server
Mythic-->>Egress Agent: send taskings in server response
Egress Agent->>P2P Agent: send taskings over Named Pipe
P2P Agent->>Egress Agent: send task response over Named Pipe
Egress Agent->>Mythic: POST task response to server
Mythic-->>Egress Agent: send task status in server response
Egress Agent->>P2P Agent: send server response over Named Pipe
{{< /mermaid >}}
### Profile Options
The SMB C2 profile is designed to be used for internal network communication, and therefore will need to egress from a network through an agent using the HTTP C2 profile. All HTTP agents have the ability to communicate with SMB agents and manage peer-to-peer connections using the `link` and `unlink` commands.
### Profile Options
#### Crypto type
Leave as aes256_hmac.
#### Named Pipe
The name of the created name pipe to use for agent communication. Recommended to use the randomly generated UUID provided.
#### Kill Date
The date at which the agent will stop calling back.
#### Perform Key Exchange
Perform encrypted key exchange with Mythic. Recommended to leave as T for true.

39
documentation-payload/apollo/c2_profiles/TCP.md Normal file
View File

@@ -0,0 +1,39 @@
+++
title = "TCP"
chapter = false
weight = 102
+++
## Summary
Peer-to-peer communication over a network socket. Apollo will bind to a specified port and await an incoming link request before establishing communications back to Mythic.
### C2 Workflow
{{<mermaid>}}
sequenceDiagram
participant Mythic
participant Egress Agent
participant P2P Agent
Egress Agent->>Mythic: POST to receive taskings from server
Mythic-->>Egress Agent: send taskings in server response
Egress Agent->>P2P Agent: send taskings over Named Pipe
P2P Agent->>Egress Agent: send task response over Named Pipe
Egress Agent->>Mythic: POST task response to server
Mythic-->>Egress Agent: send task status in server response
Egress Agent->>P2P Agent: send server response over Named Pipe
{{< /mermaid >}}
### Profile Options
The TCP C2 profile is designed to be used for internal network communication, and therefore will need to egress from a network through an agent using the HTTP C2 profile. All HTTP agents have the ability to communicate with TCP agents and manage peer-to-peer connections using the `link` and `unlink` commands.
### Profile Options
#### Crypto type
Leave as aes256_hmac.
#### Port to start Apollo on
Self explanatory. Note: If medium integrity or lower, this will prompt a request to allow the binary to bind on the specified port.
#### Kill Date
The date at which the agent will stop calling back.
#### Perform Key Exchange
Perform encrypted key exchange with Mythic. Recommended to leave as T for true.

18
documentation-payload/apollo/c2_profiles/_index.md Normal file
View File

@@ -0,0 +1,18 @@
+++
title = "C2 Profiles"
chapter = true
weight = 20
pre = "<b>3. </b>"
+++
# Available C2 Profiles
Apollo supports multiple C2 profiles for different communication methods and OPSEC requirements:
- **HTTP**: Basic HTTP communication profile
- **HTTPX**: Advanced HTTP profile with malleable configuration
- **SMB**: Named pipe communication over SMB
- **TCP**: Direct TCP socket communication
- **WebSocket**: Real-time bidirectional WebSocket communication
{{% children %}}

44
documentation-payload/apollo/c2_profiles/websocket.md Normal file
View File

@@ -0,0 +1,44 @@
+++
title = "websocket"
chapter = false
weight = 102
+++
## Summary
The `Apollo` agent can use websockets to support getting tasks and returning task data. The profile supports both `Poll`and `Push` tasking types. System proxies are supported.
### Profile Options
#### Tasking type
Choose between Poll (periodic check-ins like HTTPS profiles) or Push tasking types. Push is recommended.
#### Callback Host
The URL for websocket redirector or Mythic server. This must include the protocol to use (e.g. `ws://` or `wss://`).
#### Callback Interval in seconds
Time to sleep between agent check-in, only relevant for the `Poll` tasking type.
#### Callback Jitter in percent
Randomize the callback interval within the specified threshold. e.g., if Callback Interval is 10, and jitter is 20, Apollo will call back randomly along the interval 8 and 12 seconds. Only relevant for the `Poll` tasking type.
#### Callback Port
The port at which the web server Apollo reaches out to lives on (80, 443, etc.)
#### Crypto type
Do not modify from aes256_hmac.
#### Host header
The Host header for the initial HTTP request, can be used to support domain fronting.
#### Kill Date
The date at which the agent will stop calling back.
#### Performs Key Exchange
Perform encrypted key exchange with Mythic on check-in. Recommended to keep as T for true.
#### User Agent
Provide a custom user agent used in the initial HTTP request in order to set up the websocket.
#### Websockets Endpoint
The endpoint used for the initial upgrading of the HTTP connection to websockets.