S0699: Mythic
Analyst context for executives and security teams
Mythic matters because it is an open source, cross-platform post-exploitation and command-and-control framework that can be extended with different agents and communication channels. For leaders, the risk is not the tool name alone; it is whether the organization can recognize resilient C2 patterns across Windows, Linux, and macOS before those channels are used for collection, tunneling, proxying, or exfiltration.
Executive priority
Treat Mythic as a validation case for C2 and post-exploitation readiness. Security leaders should ask whether network, endpoint, DNS, proxy, and web telemetry can show suspicious command-and-control behavior even when traffic uses common protocols, alternate channels, proxies, encoding, encryption, or size-limited transfers. This supports incident response preparedness, SOC coverage decisions, and audit evidence for monitoring controls across major operating system platforms.
Technical view
MITRE provides no tool-specific detection text for Mythic, so defenders should validate coverage through the related behaviors: fallback channels, web/file/DNS C2, internal and external proxying, domain fronting, non-application-layer protocols, protocol tunneling, data encoding, asymmetric cryptography, automated collection, and transfer size limits. SOC and IR teams should focus on behavior-driven detections rather than simple tool signatures, especially because Mythic is designed to support varied agents and communication channels.
Likely telemetry
- Endpoint process execution and command-line telemetry from Windows, Linux, and macOS systems
- Network connection metadata, including destination, protocol, volume, timing, and session patterns
- HTTP/S and WebSocket logs where available, including host, user-agent, URI, SNI, and certificate context
- DNS query and response logs, including unusual frequency, length, entropy, and destination patterns
- Proxy, firewall, and secure web gateway logs showing direct, internal, external, or tunneled connections
Detection direction
- Validate behavior-based detections for C2 over common application protocols rather than relying on the Mythic name or static indicators.
- Hunt for resilient C2 patterns such as fallback destinations, alternate protocols, repeated beacon-like connections, and traffic that shifts channels after blocking or interruption.
- Tune DNS and web detections for encoded, tunneled, or fronted traffic while accounting for legitimate CDN, proxy, and SaaS usage to reduce false positives.
- Correlate network anomalies with endpoint activity, because protocol-level evidence alone may be ambiguous in environments with heavy encrypted web traffic.
- Review internal proxy and tunneling detection coverage, since C2 may be relayed through compromised systems rather than connecting directly outbound.
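The three hunting ideas above (beacon-like timing, channel shifts after blocking, and encoded DNS traffic) are easier to validate when written down as concrete checks. The block below is an added example written for this page; it is not Mythic code, not a vendor detection, and not tuned for any real environment. The connection and DNS records are constructed inline for illustration, and the thresholds (five connections, coefficient of variation of 0.2, three failures, 20-character labels, 3.5 bits of entropy) are assumed starting points that a SOC would tune against its own baseline.

```python
"""Behaviour-driven C2 hunting heuristics run over constructed sample logs (added example, not Mythic code)."""
import math
import statistics
from collections import defaultdict

# Constructed connection records: (epoch_seconds, src, dst, outcome). Not real telemetry.
CONN_LOG = [
    # 10.0.0.5 beacons to 203.0.113.10 roughly every 60 s
    (0, "10.0.0.5", "203.0.113.10", "ok"),
    (60, "10.0.0.5", "203.0.113.10", "ok"),
    (118, "10.0.0.5", "203.0.113.10", "ok"),
    (180, "10.0.0.5", "203.0.113.10", "ok"),
    (240, "10.0.0.5", "203.0.113.10", "ok"),
    (299, "10.0.0.5", "203.0.113.10", "ok"),
    # 10.0.0.7 loses its primary destination, then moves to one it has never used
    (10, "10.0.0.7", "198.51.100.20", "ok"),
    (70, "10.0.0.7", "198.51.100.20", "ok"),
    (130, "10.0.0.7", "198.51.100.20", "fail"),
    (190, "10.0.0.7", "198.51.100.20", "fail"),
    (250, "10.0.0.7", "198.51.100.20", "fail"),
    (310, "10.0.0.7", "198.51.100.21", "ok"),
    # 10.0.0.9 browses at irregular intervals: not a beacon
    (5, "10.0.0.9", "192.0.2.50", "ok"),
    (10, "10.0.0.9", "192.0.2.50", "ok"),
    (50, "10.0.0.9", "192.0.2.50", "ok"),
    (57, "10.0.0.9", "192.0.2.50", "ok"),
    (257, "10.0.0.9", "192.0.2.50", "ok"),
    (290, "10.0.0.9", "192.0.2.50", "ok"),
]

# Constructed DNS records: (epoch_seconds, src, qname). Not real telemetry.
DNS_LOG = [
    (1, "10.0.0.5", "www.example.com"),
    (2, "10.0.0.5", "mail.example.com"),
    (3, "10.0.0.5", "kq7z2m9xw4b8v3c6n1p5t0rj.c2.example"),
    (4, "10.0.0.5", "x9f2h7d4s1a6g3j8l5k0q2wz.c2.example"),
    (5, "10.0.0.5", "m4n8b2v6c0x3z7q1w5e9r3t2.c2.example"),
]


def find_beacons(conns, min_count=5, max_cv=0.2):
    """Return (src, dst, mean_gap) for pairs whose connection timing is suspiciously regular.

    Failed attempts count too: a blocked beacon keeps its schedule."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in conns:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")  # coefficient of variation
        if cv <= max_cv:
            hits.append((src, dst, round(mean, 1)))
    return hits


def find_fallbacks(conns, min_failures=3):
    """Flag a source that, after min_failures consecutive failures to one destination,
    starts talking to a destination it never contacted before (fallback channel)."""
    by_src = defaultdict(list)
    for rec in conns:
        by_src[rec[1]].append(rec)
    hits = []
    for src, recs in by_src.items():
        recs.sort()
        seen, streak, blocked = set(), defaultdict(int), []
        for ts, _, dst, outcome in recs:
            if outcome == "ok":
                streak[dst] = 0
                if dst not in seen and blocked:
                    hits.append((src, blocked[-1], dst, ts))
            else:
                streak[dst] += 1
                if streak[dst] >= min_failures and dst not in blocked:
                    blocked.append(dst)
            seen.add(dst)
    return hits


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for a constant string)."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_dns_tunnel_candidates(dns, min_label_len=20, min_entropy=3.5, min_queries=3):
    """Group queries by (src, parent domain) and flag parents that receive several long,
    high-entropy leftmost labels, the shape encoded data takes when carried in DNS names."""
    by_parent = defaultdict(list)
    for _, src, qname in dns:
        label, _, parent = qname.partition(".")
        by_parent[(src, parent)].append(label)
    hits = []
    for (src, parent), labels in by_parent.items():
        odd = [l for l in labels if len(l) >= min_label_len and shannon_entropy(l) >= min_entropy]
        if len(odd) >= min_queries:
            hits.append((src, parent, len(odd)))
    return hits


if __name__ == "__main__":
    print("beacons:", find_beacons(CONN_LOG))
    print("fallbacks:", find_fallbacks(CONN_LOG))
    print("dns tunnel candidates:", find_dns_tunnel_candidates(DNS_LOG))
```

Note that the fallback check flags 10.0.0.7 only because the new destination was never seen before the failures; a host that alternates between two long-standing destinations would not trip it, which is the intended trade against noise from ordinary load-balanced services.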
Mitigation priorities
- Prioritize egress control and monitoring for systems that should not initiate arbitrary outbound web, DNS, file transfer, or non-application-layer communications.
- Ensure endpoint detection and response coverage is deployed and logging consistently across Windows, Linux, and macOS assets.
- Restrict and monitor proxy paths, DNS resolution, and permitted outbound protocols according to business need.
- Build IR playbooks that preserve endpoint, DNS, proxy, firewall, and packet/session metadata needed to reconstruct C2 and collection activity.
- Use ATT&CK relationship-driven tests to validate detections for C2 resiliency, tunneling, encoding, proxying, and data transfer limits without depending on a specific Mythic agent implementation.
Analyst notes and limits
The strongest decision value is to use Mythic as a coverage benchmark for modern, modular C2 behavior. Its open source and plug-and-play nature means local detections should be mapped to communications, proxying, tunneling, collection, and exfiltration behaviors rather than to a single fixed network pattern.
The supplied ATT&CK object does not include official detection guidance, aliases, labels, tactics on the software object, or procedure-level detail beyond related techniques. Any assessment of active exposure, exploitation, attribution, or detection effectiveness requires local telemetry and threat intelligence not provided here.
Mythic
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available; bracketed numbers refer to the external references list below.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1090.002 | Proxy: External Proxy | Mythic can leverage a modified SOCKS5 proxy to tunnel egress C2 traffic. [3] |
| Enterprise | T1071.002 | Application Layer Protocol: File Transfer Protocols | Mythic supports SMB-based peer-to-peer C2 profiles. [3] |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Mythic supports SSL encrypted C2. [3] |
| Enterprise | T1071.004 | Application Layer Protocol: DNS | Mythic supports DNS-based C2 profiles. [3] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Mythic supports HTTP-based C2 profiles. [3] |
| Enterprise | T1132 | Data Encoding | Mythic provides various transform functions to encode and/or randomize C2 data. [3] |
| Enterprise | T1090.001 | Proxy: Internal Proxy | Mythic can leverage a peer-to-peer C2 profile between agents. [3] |
| Enterprise | T1095 | Non-Application Layer Protocol | Mythic supports WebSocket and TCP-based C2 profiles. [3] |
| Enterprise | T1030 | Data Transfer Size Limits | Mythic supports custom chunk sizes used to upload/download files. [3] |
| Enterprise | T1119 | Automated Collection | Mythic supports scripting of file downloads from agents. [3] |
| Enterprise | T1572 | Protocol Tunneling | Mythic can use SOCKS proxies to tunnel traffic through another protocol. [3] |
| Enterprise | T1090.004 | Proxy: Domain Fronting | Mythic supports domain fronting via custom request headers. [3] |
| Enterprise | T1008 | Fallback Channels | Mythic can use a list of C2 URLs as fallback mechanisms in case one IP or domain gets blocked. [3] |
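Two rows in the table map to checks that can run directly on HTTPS proxy or gateway logs: domain fronting via custom request headers (T1090.004) leaves a TLS SNI that differs from the HTTP Host header, and custom chunk sizes for file transfer (T1030) leave runs of equal-sized POST bodies. The block below is an added example for this page, not Mythic's own code and not a claim about any specific Mythic profile; the log records and the tolerated SNI/Host pairing are constructed, and the threshold values are assumptions to be tuned locally.

```python
"""HTTP-layer checks for SNI/Host mismatch (T1090.004) and fixed-size transfers (T1030).
Added example over constructed records; not Mythic code."""
from collections import defaultdict

# Constructed HTTPS proxy records: (epoch_seconds, src, tls_sni, http_host, method, bytes_out).
HTTP_LOG = [
    (100, "10.0.0.5", "cdn.example.net", "cdn.example.net", "GET", 0),
    # Fronted session: TLS handshake names the CDN, the Host header names the real backend
    (101, "10.0.0.5", "cdn.example.net", "ops.attacker.example", "POST", 4096),
    (131, "10.0.0.5", "cdn.example.net", "ops.attacker.example", "POST", 4096),
    (161, "10.0.0.5", "cdn.example.net", "ops.attacker.example", "POST", 4096),
    (191, "10.0.0.5", "cdn.example.net", "ops.attacker.example", "POST", 4096),
    (221, "10.0.0.5", "cdn.example.net", "ops.attacker.example", "POST", 1300),  # final short chunk
    # Known-good pairing produced by a legitimate CDN deployment (assumed for the example)
    (300, "10.0.0.9", "static.example.org", "www.example.org", "GET", 0),
    # Ordinary API traffic with variable body sizes
    (301, "10.0.0.9", "api.example.com", "api.example.com", "POST", 230),
    (302, "10.0.0.9", "api.example.com", "api.example.com", "POST", 1900),
    (303, "10.0.0.9", "api.example.com", "api.example.com", "POST", 77),
    (304, "10.0.0.9", "api.example.com", "api.example.com", "POST", 77),
]

# (sni, host) pairs an analyst has reviewed and accepted; assumed allowlist for the example.
TOLERATED = {("static.example.org", "www.example.org")}


def find_sni_host_mismatch(records, tolerated=frozenset()):
    """Return one (src, sni, host, first_ts) per distinct session whose TLS SNI and HTTP Host differ.

    Tolerated pairs are skipped so that legitimate CDN front-ends do not flood the queue."""
    first_seen = {}
    for ts, src, sni, host, _, _ in records:
        if sni.lower() == host.lower() or (sni, host) in tolerated:
            continue
        first_seen.setdefault((src, sni, host), ts)
    return [(src, sni, host, ts) for (src, sni, host), ts in first_seen.items()]


def find_fixed_size_transfers(records, min_posts=4, min_total=8192):
    """Flag (src, host) pairs that send a run of equal-sized POST bodies whose total exceeds min_total.

    The last body is allowed to differ: a chunked upload usually ends with a short remainder."""
    by_pair = defaultdict(list)
    for _, src, _, host, method, size in records:
        if method == "POST":
            by_pair[(src, host)].append(size)
    hits = []
    for (src, host), sizes in by_pair.items():
        uniform = len(set(sizes[:-1])) == 1
        if len(sizes) >= min_posts and uniform and sum(sizes) >= min_total:
            hits.append((src, host, sizes[0], len(sizes)))
    return hits


if __name__ == "__main__":
    print("sni/host mismatches:", find_sni_host_mismatch(HTTP_LOG, TOLERATED))
    print("fixed-size transfers:", find_fixed_size_transfers(HTTP_LOG))
```

The two checks are more useful together than apart: a mismatch alone is common behind CDNs, and equal-sized POSTs alone occur in legitimate chunked uploads, but the same source showing both against a Host it has never otherwise contacted is worth an endpoint pivot.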
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ceb96df87505… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Mythic Github: Thomas, C. (2018, July 4). Mythic. Retrieved March 25, 2022.
- [2] Mythic SpecterOps: Thomas, C. (2020, August 13). A Change of Mythic Proportions. Retrieved March 25, 2022.
- [3] Mythc Documentation: Thomas, C. (n.d.). Mythc Documentation. Retrieved March 25, 2022.
- [4] RecordedFuture 2021 Ad Infra: Insikt Group. (2022, January 18). 2021 Adversary Infrastructure Report. Retrieved March 25, 2022.
- [5] mitre-attack S0699
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.