Mythic UI improvements (ideas).

[timukas]

Hi,

Recently i used Mythic in large scale test environment. By the end of test i had almost 300 callbacks in total and around 60-70 were online. Total amount of executed task around 2500. For payload i used only poseidon elfs (so far it's most stable).

Here're couple things which came out during tests.

1. Task multiple popup could have some search/filtering/sorting option on top. You enter some keyword/part of IP address/group name and callbacks are limited to filtering results.
   With large amount of callbacks it's not very easy to find callbacks where you want to execute some commands.
   Also showing IP and/or group name/description next to each callback would make popup look much more intuitive.

2. Hide multiple popup could have sorting option by last checkin (and may be same filterings as in 'task multiple' popup. Then you can quickly sort/filter callbacks, pick 'dead' ones and move them to the right panel.

3. Change callback description in main table view by double clicking the cell.
   Would be a nice timesaver if there're many callbacks and you need to change description often.

4. Shown columns in main callback table view could be persistent per user.
   If you remove some columns from main view, then it stays the same, without resetting to default column list.

5. Hide unneeded tasks from callback split view or interactive callback table.
   Something similar to hiding callbacks.

7. Task list could have more information next to each task. May be IP/group name(s)?

8. File browser & process browser logic is weird.
   If i open file browser from "callback 10", it will show a tree of all callbacks where "ls" command was executed.
   Now if i view the files for "callback 6" and want to download it from file browser, then it downloads the file from "callback 10".

What is the reason to show other callback files if you cannot download them or do 'task listing'?

9. Cannot find the correct format for changing callback sleep values from 'sleep information' popup.
   Tried different options, but nothing worked.
   Any hints on that?

Mythic is very cool! I see a lot of improvements there.

I'm predicting bright future to Mythic ;)

[its-a-feature]

Thanks for so much feedback! Let's see if I can address some:

1. adding a filter along with some more information there is a great idea. I'm not even 100% convinced that the left vs right move piece is the best fit for something like that.
2. same as 1
3. out of curiosity, why are you changing the description often? what kinds of data are you saving in that callback description? By default, when you get a new callback based on payload X, the description for that callback is set to the same description from payload X. If it's just because the default description is bad on the payload, you could always change it on the payload and have it update for every new callback
4. 🤔 The columns shown/hidden should be consistent per user on the same browser. So, if you hide some columns, close your browser/tab, and log back in on that browser to that same url, it should be loading your changes from before. If that's not the case, then that's a bug. Or are you moving to a different browser/host? In that case, because those settings are saved in the local cache of your browser, they won't move with you right now.
5. You can actually do this now. If you look at your tasking bar you have the little blue arrow at the right, but there's also a settings icon. Click that and you can exclude certain tasks, only show certain tasks, even limit which tasks you see based on who issued them. Is there something more granular there that you're looking for?
6. There doesn't seem to be a 6th bullet
7. I can definitely look into adding more information there, but I think i'll make it a UI configurable setting. I don't want those task display lines to get too bloated with a bunch of information.
8. So, if you click to view the file browser/process browser from callback 10, then all of your actions will happen from callback 10. You'll see the entire view of the data that Mythic knows about, but you'll be acting from the context of callback 10. It used to be the case that if callback 6 reported the data then by default Mythic would task callback 6 to download the file even though you're looking with callback 10. However, that quickly became annoying for users because what if callback 6 is dead now? You'd need to change which callback you're tasking over and over and over again. Just no that if you're browsing from callback 10, all of your actions will happen from callback 10.
9. what you're viewing there is just a way to view sleep information about a callback that reports it back. You're not actually changing anything there. The submit is just changing that description. It's not tasking the agent to update the sleep. One of the main things I would see people do with other C2 frameworks is update the description of their callback to match the current sleep time of the agent so that they could know if it was missing checkins or if it was expected to not check in for hours at a time. In order to open up the description field to be more useful, I added a column where you can view just the sleep data for a callback. If it's blue, that means that the agent has reported back sleep information. If it's orange, then that means the callback hasn't reported back any sleep information. In order to actually change the sleep, you'll need to issue a command to the agent (likely called sleep).

[timukas]

1. Left<->right moves looks fine, but may be just because i'm already used to them ;) . If there're some other ways to make multiple actions more convenient, then it's up to you.

2. Same as 1

3. I have sometimes hints/texts to other team mates (or to myself) regarding the callbacks. Currently it's all doable with existing flow (click on callback, pick 'edit description' and set/modify text), but doing it for many callbacks it's a bit time consuming. But this is more like my own wish, not sure if someone else needs to modify descriptions as i do.

4. Clear with that. Within same browser hidden/shown columns displayed properly. Only thing i've noticed with columns, if you resize them, then logout/login (in same browser) will set column width to the default one, not the width i've set before logout.

Set custom width to some columns:

After relogin width set to default:

5. Checked settings icon options (Filter Which Tasks Are Visible). One option could be added there is to filter tasks by status. E.g i want to see only tasks which are "agent processing" and "completed".
   Btw, similar already exists in global task table (but only 1 status can be set):

Another feature could be quickly clean up all the filters. Currently you have to uncheck all selected commands.

6. "This bullet intentionally left blank" ;)

7. Agree. Too much information not always needed, but if it can be configurable what to show - that would be awesome.

8. Just updated mythic-GUI to 0.1.36. Will play a bit with it and write you later.

9. Clear with that.

[timukas]

8. Did first quick test for updated 'File Browser'.

Imho, this is very useful improvement. Now you can select file browser from any callback and list new files/folder for other callbacks!

ps. Very cool feature, thanks for finding time to implement it.

[timukas]

Had another 'test-run' for Mythic. Here're some ideas/observations from me and my team mates:

1. Group names in grouping popup can be sorted alphabetically/numerically.
   With large list of groups (especially with static prefix and changing last digit 1,2,3) it takes some time to find desired group name.

I'm not sure where to put 'Default', may be keep it first in the dropdown and then rest of own group names.

2. Tasks tab (under 'Search Operation') can show most recent tasks on the first page (same as with callbacks, files, artifacts etc.).
   It will make navigation faster and same way as on other tabs.

3. For some reasons "Hide multiple' popup does not show anymore 'last checkin' for callbacks.
   Very useful feature to see long 'last checkins' and quickly pick desired callbacks to hide.

4. Currently callback group name search is case sensitive. And full group name is expected.
   Allowing to search case-insensitive and with partial word would make search more convenient.

5. Task view 'Include more tasks' does not work as it should.
   I have callback '54' with several tasks: 279, 306 and 331.

Now, when i open task '306' in the 'Task View' and then in 'Include more tasks' set following options:

Nothing is added to the list of task. Only task 306 is shown. But based on search options -+100 tasks from same callback should show 2 more tasks in the list.

Now, if i select search type 'All callbacks' (pre and post both set to 100), then i get list of -100 and +100 tasks. But
task '306' is not on the list.

6. Tasks could have an IP address (and may be also hostname) next to task id/ callback id.

As an ugly work-around, i add shell command, which shows ip address of the target. But it only works for shell/run commands.
Another thing i do is adding some random number with echo command. And in notepad i keep track of those numbers and commands.
Later i can search for tasks where 'parameters' is my unique number and get just what i need.

7. Tasks search drop down could have 'Group" option, to search for tasks from specific callback groups.

[its-a-feature]

Love the feedback! Keep it coming :) Let's see if I can address some of these:

1. Yup, definitely can sort them for that dropdown
2. Yup, those can definitely be flipped in the order they're shown
3. Oh interesting, must have been something I was doing to fix the styling in the last update. I'll look into it and get that to come back along with some search/filter options for those task multiple/hide multiple modals
4. The groups are stored as an array, so I was simply doin a check to see if the array contains the thing you typed. I can see how that might not be how many people would use it though. I just adjusted it and added a postgres function that'll convert the array to a string so we can do case insensitive searches on it (that'll be in the next update)
5. I'll look into that and see what's going on
6. It's on my list for the next update to add a few more user-specific options for things to include with that task label (ex: ip and host).
7. I can add that search functionality for tasks to filter by group. I think it would be natural to add the Group search piece to everything that can be tied back to a specific callback (ex: tasks, files, credentials, keylogs, artifacts, tokens, processes)

[timukas]

• Logged in user can lock him out by marking him inactive in settings.

The only way to get access back, is to go directly to DB and modify admin value from 'False' to 'True';

Same with "Admin" rights of the user. You can revoke them from yourself and cannot set back in GUI. Only through the database.

Imho, there should be some check/protection, which disallows revoking own admin rights and disabling own access.

[its-a-feature]

Good catch, I'll roll that into the next update

[its-a-feature]

I haven't gotten to everything, but I did just make a push with a few fixes / updates:

• in the task filtering settings i added a toggle where you can hide tasks that errored out
• you can search tasks via callback id or callback group now (case insensitive string)
• callbacks can be searched by callback group now as well (case insensitive string)
• updated the settings page and backing code so that you can't edit your own admin, active, or deleted status and there must always be at least one active admin that's not deleted. I also updated the UI to help make that a bit clearer
• Tasks search is flipped in the order shown
• Callback groups are sorted when you try to add a new one (with Default always on top)
• in your settings page, there's a button for UI preferences. In there, there's now toggles to show IP, hostname, and callback groups on your task data
• I think i fixed all the issues with the task view page when you were trying to add surrounding tasks

I haven't yet:

• adjusted the hide multiple / task multiple modal (that's next on the list)

[timukas]

This is very cool list of UI updates! Appreciate your efforts.

Tested them and all works well.

[its-a-feature]

I just pushed a new UI version (v0.1.40) that updates the task multiple and hide multiple modals. I added the last checkin information back and switched them to paginated tables instead of the transfer list. That'll allow you to sort by any of the columns and even filter the data down much easier

[timukas]

Wow! That new multiple hide/task interface looks awesome!
Columns, filtering, sorting very intuitive and easy to navigate.

$0.02 from my side:

1. Task multiple checkin time column is not showing correct time. For me all times are 17 hours.
   But Hide multiple checkin times are correct.

Hide multiple correct times:

Task multiple incorrect times:

2. Columns could have an IP address. Currently with same hostnames hard to pick right callback.

[its-a-feature]

Good catch, fixed that last checkin time and added an ip address column to those two dialogs in the UI v0.1.41.

[timukas]

Checked v0.1.41. Perfect update. New task/hide multiple popups has cool filtering options. Me gusta! ;)

P.s noticed 1 thing with task multiple.
If i run 'sleep {"interval":13,"jitter":8}' from task multiple, then i get following errors in poseidon logs:

{"level":"error","error":"Too many arguments, expecting two","func":"github.com/MythicMeta/MythicContainer/rabbitmq.prepTaskArgs","line":584,"command Name":"sleep","time":"2023-12-25T18:03:39Z","message":"Failed to run ParseArgString function"}
{"level":"error","error":"Too many arguments, expecting two","func":"github.com/MythicMeta/MythicContainer/rabbitmq.prepTaskArgs","line":584,"command Name":"sleep","time":"2023-12-25T18:03:39Z","message":"Failed to run ParseArgString function"}
{"level":"error","error":"Too many arguments, expecting two","func":"github.com/MythicMeta/MythicContainer/rabbitmq.prepTaskArgs","line":584,"command Name":"sleep","time":"2023-12-25T18:03:39Z","message":"Failed to run ParseArgString function"}

If i run same command 'sleep {"interval":13,"jitter":8}' directly from callback or split callback, then all is fine.

Also sleep commands runs fine for task multiple with helper popup:

[its-a-feature]

good catch! That should be fixed in UI v0.1.42

[timukas]

Firstly, Mythic is cool tool. I appreciate your work on it.

Adding here some UI improvement ideas/wishes after large Mythic operation i've conducted recently:

• If operation is marked as completed, then main top bar could show some hint/icon, that select operation is 'completed'.

• New operation creation could have text area for operation description.

• Switching from table layout to graph layout, could apply filters from table layout. Currently graph layout shows all (unfiltered) callbacks.

• Hosted files and payloads deletion is not very intuitive. If you remove 'FileHosted' tag from file/payload, then http/httpx profile still has file mapping. And if you delete mapping, then 'FileHosted' still next to hosted file/payload.

• 'Active Callbacks' table could save column widths. Currently they are reset to default widths, when switching between tabs.

• New callback event could have more information (ip, ext.ip).

• Hosted file download could have IP address and/or user-agent in event.

• Allow to migrate uploaded files/payloads/configs to new Operation.

• Sample message generation works only for http profile. httpx profile generates following error: