Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
The Mythic framework and C&C profiles are publicly available and associated with pen testing, security assessments, and known attack campaigns. An attacker can remotely control a device and gain an entry point for further attacks on the network through a persistent C&C channel generated by a Mythic agent.
Kill Chain
Risk Score
60
Mythic is a post-compromise C&C framework. The Mythic C&C profile component enables an attacker to disguise C&C communications as legitimate traffic from the Mythic agent, which is installed on the victim device to establish a C&C channel with a Mythic server. The profile is a text file that specifies the attributes for the SSL certificate installed on the Mythic C&C server. After the victim establishes a successful TLS connection with the C&C server, the victim and C&C server exchange a series of HTTP requests and responses. HTTP responses from the C&C server include tasks, such as “sleep” or “run command”. HTTP requests from the victim include encrypted information such as metadata or command output.
Quarantine the device while checking for malware.
Block inbound and outbound traffic from suspicious hosts at the network perimeter.
Monitor and investigate unusual network activity for lateral movement or data exfiltration.
Implement network segmentation and the principle of least privilege to minimize the damage caused by a compromised device.
