Set up

To start, clone the Mythic repository. We will also need an agent and a C2 profile: Apollo is the agent for Windows, Merlin for Linux. We also need the ScareCrow wrapper to help bypass AV.

git clone [mythic]

./mythic-cli start

./mythic-cli install github [agent/profile]

Operations

For payload generation use an exe, and there is no need to worry about the commands, since we are pentesting, not red teaming. Jitter should be 0 and the callback time roughly 5 seconds. Jitter is the margin of error applied to the sleep time. The callback time is usually set fairly high to avoid detection, but we don't need to worry about that here, so set it to 5 seconds for quick communication with the beacon. Set the URL to the team server IP over http, not https.
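The note above describes jitter as the margin on the sleep time and chooses a 5-second callback with 0 jitter. As an added example (not Mythic's code; the jitter rule it simulates is an assumption, not any agent's real scheduler), the Python below shows the defender's view of that choice: constructed proxy log lines are grouped per client and host, and a request stream whose gaps barely vary is flagged as a probable fixed-sleep beacon.

```python
# Added example (not Mythic code): triage proxy log lines for fixed-interval
# callbacks. The jitter rule in simulate_sleeps is an assumption, not an agent's real scheduler.
import random
import statistics
from collections import defaultdict

# Constructed log lines, "<epoch seconds> <client ip> <host> <user agent>".
SAMPLE_LOG = """\
1700000000 10.0.0.5 203.0.113.10 Mozilla/5.0
1700000005 10.0.0.5 203.0.113.10 Mozilla/5.0
1700000010 10.0.0.5 203.0.113.10 Mozilla/5.0
1700000015 10.0.0.5 203.0.113.10 Mozilla/5.0
1700000020 10.0.0.5 203.0.113.10 Mozilla/5.0
1700000003 10.0.0.7 example.com Mozilla/5.0
1700000041 10.0.0.7 example.com Mozilla/5.0
1700000042 10.0.0.7 example.com Mozilla/5.0
1700000098 10.0.0.7 example.com Mozilla/5.0
1700000130 10.0.0.7 example.com Mozilla/5.0
"""

def intervals_by_client(log_text):
    """Group request timestamps per (client, host) and return the gaps between them."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, host, _ua = line.split(maxsplit=3)
        times[(client, host)].append(int(ts))
    return {k: [b - a for a, b in zip(sorted(v), sorted(v)[1:])] for k, v in times.items()}

def coefficient_of_variation(gaps):
    """pstdev / mean of the gaps; 0 means a fixed sleep with no jitter at all."""
    if len(gaps) < 2 or statistics.mean(gaps) == 0:
        return None
    return statistics.pstdev(gaps) / statistics.mean(gaps)

def flag_beacons(log_text, min_hits=5, max_cv=0.1):
    """(client, host) pairs whose request spacing is too regular for a human user."""
    flagged = []
    for key, gaps in intervals_by_client(log_text).items():
        cv = coefficient_of_variation(gaps)
        if len(gaps) + 1 >= min_hits and cv is not None and cv <= max_cv:
            flagged.append(key)
    return flagged

def simulate_sleeps(base, jitter_pct, n, seed=1):
    """Assumed jitter rule: sleep = base +/- base * jitter% * uniform(0, 1)."""
    rnd = random.Random(seed)
    return [base + base * (jitter_pct / 100) * rnd.uniform(-1, 1) for _ in range(n)]
```

Running simulate_sleeps(5, 0, 20) through coefficient_of_variation gives exactly 0, which is what the fixed 5-second, zero-jitter setting looks like on the wire; raising the jitter percentage is what spreads the gaps out.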

Execution

To gain execution, a consistent way is PowerShell iwr. Mythic payloads tend to get caught by up-to-date AV, so we need the ScareCrow wrapper. ScareCrow works with shellcode, so the payload has to be generated as shellcode. Set a real domain, as AV actually checks for valid domains. We use binary rather than control and set the .dll payload option to false. The domain needs to change each time the payload gets signatured. To help bypass AV, we also modify the payload's default behavior by using random headers, and we change the default user agent as well.