its-a-feature
commented
7 months ago There's a few tough things about that though:
- Mythic doesn't inherently know what an agent's sleep or jitter times are (you could make your own c2 profile)
- Sleep intervals might not exist (Push C2 or P2P agents)
- Intervals might be more than just "seconds +- jitter%" (some agents could have working hours or additional components that feed into when an agent checks in)
- Agents can use multiple C2 profiles at a time, each with their own sleep intervals (ex: poseidon can be compiled with
http,dynamichttp, andwebsocketall at once)
You can already sort by last checkin time, so what additional benefit does that give you? Now, one thing that might be useful is having a way to ask the payload container when the next checkin could be. So, you click that blue clock icon and it shows you what the agent says the sleep is, and mythic sends a request to that payload's container that says "given this information, when would you expect the next checkin to be"
timukas
Hello,
Each payload's profile has interval and jitter option, which defines how often it calls back to C2.
On 'Active Callbacks' page (table view) there is 'Last Checkin' column, which shows when corresponding callback had last connection with Mythic.
IMO, main table view should somehow distinguish if connection is 100% alive or 'almost 100% dead'.
E.g. interval + max.jitter + 10 seconds = 120 seconds. If last checkin is smaller than 120 seconds, then it marked as alive. If last checking bigger than (interval + max.jitter + 10 seconds ) * 10, then mark it as not-alive.
Connection status can be some icon (e.g. green, yellow or red) or some background color. And column filtering could be also implemented. So then you can easily filter out alive/not-alive callbacks.