A research-grade Command & Control framework extending Mythic with two novel capabilities:
- Adaptive transport switching — the implant detects hostile network conditions (TLS interception, DoH blocking, port filtering) and autonomously cascades through transport tiers without operator intervention.
- AI-assisted recon analysis — a local LLM pipeline (Ollama) ingests Mythic task output (Nmap XML, etc.) and returns MITRE ATT&CK–mapped findings with follow-on recommendations.
Legal notice: This project is intended for authorized penetration testing, red team engagements, academic research, and CTF competitions only. Do not deploy against systems you do not own or have explicit written permission to test. See SECURITY.md for the full responsible-use policy.
Every technique in this framework is documented in detail so blue teams can build detection for it:
- Transport detection: DNS tunneling produces characteristic query volume and label patterns; DoH from a non-browser process on port 443 is anomalous; TLS cert issuer changes mid-session indicate MITM proxy interaction.
- Evasion detection: AMSI/ETW in-process patching shows up as unexpected memory writes to
AmsiScanBuffer/NtTraceEvententry points; sleep-encrypted memory regions have high entropy during sleep; PEB tampering is detectable via process integrity checks. - Behavioral detection: Jittered HTTPS beaconing at a fixed base interval is a reliable C2 indicator; DNS queries with base32-encoded subdomains exceeding normal label length are tunneling candidates.
MITRE ATT&CK coverage is mapped in SECURITY.md.
┌─────────────────────────────────────────────────────────┐
│ Mythic Server │
│ ┌─────────────────┐ ┌────────────────┐ │
│ │ Payload Type │ │ C2 Profile │ │
│ │ (adaptive) │ │ (adaptive- │ │
│ │ builder.py │ │ profile) │ │
│ │ agent_funcs/ │ │ server.py │ │
│ └────────┬────────┘ └───────┬────────┘ │
└───────────┼───────────────────┼─────────────────────────┘
│ Mythic gRPC │ relay
│ │
┌───────────┼───────────────────┼─────────────────────────┐
│ │ AI Analyzer │ │
│ ┌────────▼────────┐ ┌───────▼────────┐ │
│ │ Recon Webhook │ │ FastAPI Svc │ │
│ │ (normalizes │──▶ (Ollama LLM │ │
│ │ Nmap XML) │ │ + pgvector) │ │
│ └─────────────────┘ └────────────────┘ │
└─────────────────────────────────────────────────────────┘
│ HTTPS (Tier 0)
│ DNS-DoH (Tier 1) ← automatic fallback
│ DNS-Raw (Tier 2) ← last resort
│ SMB (Tier 3) ← lateral movement
▼
┌─────────────────────────────────────────────────────────┐
│ C11 Implant (~45KB) │
│ │
│ ┌──────────────────────────────────────────────────┐ │
│ │ Transport vtable │ Rule engine (<10ms) │ │
│ │ HTTPS / DoH / │ fingerprint env → │ │
│ │ DNS-Raw / SMB / │ detect TLS interception, │ │
│ │ WebSocket │ port blocking, failures │ │
│ └──────────────────────────────────────────────────┘ │
│ ┌──────────────────────────────────────────────────┐ │
│ │ Evasion layer │ │
│ │ AMSI patch · ETW bypass · sleep encryption │ │
│ │ process masquerading · anti-debug │ │
│ └──────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────┘
| Tier | Protocol | Trigger to switch down |
|---|---|---|
| 0 | HTTPS | TLS interception detected (cert issuer mismatch) |
| 1 | DNS over HTTPS (DoH) | DoH resolver blocked |
| 2 | DNS Raw (UDP 53) | N consecutive failures |
| 3 | SMB named pipe | All IP-layer transports blocked |
The rule engine can also upgrade back to HTTPS when a periodic probe succeeds — no manual intervention needed.
adaptive-c2-framework/
├── mythic-install/ # Drop-in for a Mythic installation
│ ├── Payload_Type/adaptive/ # Payload type container
│ │ ├── agent_code/implant/ # C11 implant source (MinGW cross-compile)
│ │ │ ├── src/
│ │ │ │ ├── transport/ # HTTPS, DoH, DNS-Raw, WebSocket, SMB
│ │ │ │ ├── engine/ # Rule engine (rules.c)
│ │ │ │ ├── fingerprint/ # TLS interception & env detection
│ │ │ │ ├── evasion/ # AMSI, ETW, sleep-crypt, proc masquerade
│ │ │ │ ├── crypto/ # AES, Base32, Base64
│ │ │ │ └── commands/ # shell, ls, upload, download, sleep, persist
│ │ │ └── Makefile
│ │ └── container/ # Mythic Python container (builder + agent funcs)
│ └── C2_Profiles/
│ └── adaptive-profile/ # C2 profile: HTTP relay + DNS listener
├── ai-analyzer/ # FastAPI + Ollama + pgvector analysis service
├── mythic-containers/
│ ├── recon-webhook/ # Mythic webhook: normalizes Nmap XML → analyzer
│ └── adaptive-profile/ # (dev copy of C2 profile)
├── implant/ # Standalone implant build sandbox
├── tools/ # mock_doh_resolver.py, test_doh_chain.py
├── lab/ # Demo scripts and test scenarios
└── docs/ # Architecture deep-dives
- Adaptive transport vtable — runtime transport switching via C function-pointer table; adding a new transport is a single struct literal.
- TLS interception detection — compares the server certificate's issuer CN against a compile-time constant; a mismatch triggers a DoH cascade without any server-side signal.
- DNS-over-HTTPS transport — RFC 8484 wire format, 8-byte per-session ID for reassembly; works through corporate HTTP proxies that allow outbound 443.
- DNS-Raw transport — base32-encoded data in DNS A/CNAME queries + TXT responses; tested through strict firewalls that only permit port 53.
- Auto-upgrade probe — every N beacons (configurable), the implant quietly tests if HTTPS is available again and upgrades back without operator input.
- Jittered beacon — configurable interval + percentage jitter via the
sleepcommand. - AMSI bypass — patches
AmsiScanBufferin-process at runtime. - ETW bypass — patches
NtTraceEventto silence ETW telemetry. - Sleep encryption — XOR-encrypts the implant's heap/stack during sleep intervals to defeat memory scanning.
- Process masquerading — sets the PEB to present as a benign Windows process.
- Anti-debug — checks common debugger indicators and can self-terminate.
- Self-destruct — operator-triggered or automated cleanup on detection signals.
- Persistence — Run key and scheduled task options via
persistcommand.
- Custom payload type with GUI builder (C2 host, port, beacon interval, UUID injection).
- Agent functions:
shell,ls,download,upload,sleep,exit,persist,transport_switch,transport_status,analyze_recon. - C2 profile handles both HTTPS relay (aiohttp) and DNS listener (asyncio UDP) in a single container.
- Local LLM inference via Ollama (no data leaves the operator's machine).
- Structured JSON output enforced by Pydantic schemas — the LLM cannot return free-form text that breaks downstream parsing.
- MITRE ATT&CK technique mapping with confidence scores.
- PostgreSQL + pgvector for RAG (retrieval-augmented generation) over historical findings.
- Async job queue so analysis doesn't block the beacon loop.
| Component | Requirement |
|---|---|
| Mythic server | Mythic 3.x installed and running |
| Implant build | x86_64-w64-mingw32-gcc (MinGW), gcc, make |
| Python containers | Python 3.11+, Docker |
| AI Analyzer | Ollama running locally, PostgreSQL 15+ with pgvector extension |
| OS | Linux build host (tested on Debian/Ubuntu and Raspberry Pi OS) |
Follow the official Mythic install guide. Once Mythic is running:
cd ~/Mythic
sudo ./mythic-cli status# Copy into Mythic's plugin directories
cp -r mythic-install/Payload_Type/adaptive ~/Mythic/Payload_Type/
cp -r mythic-install/C2_Profiles/adaptive-profile ~/Mythic/C2_Profiles/
# Start the new containers
sudo ./mythic-cli start adaptive
sudo ./mythic-cli start adaptive-profileMythic's builder does this automatically when you create a payload in the UI, but you can also build standalone:
cd mythic-install/Payload_Type/adaptive/agent_code/implant
# Windows PE (requires MinGW)
make windows C2_HOST=10.0.0.1 C2_PORT_HTTPS=443
# Linux test binary
make linux C2_HOST=10.0.0.1
# Clean
make cleanBuild variables:
| Variable | Default | Description |
|---|---|---|
C2_HOST |
192.168.56.30 |
C2 server IP or hostname |
C2_PORT_HTTPS |
443 |
HTTPS transport port |
C2_PORT_DNS |
53 |
DNS transport port |
BEACON_INTERVAL |
10 |
Beacon interval in seconds |
PAYLOAD_UUID |
placeholder | Injected by Mythic builder |
cd ai-analyzer
cp ../.env.example .env # edit OLLAMA_HOST and OLLAMA_MODEL
docker compose up -d # or: pip install -r requirements.txt && uvicorn app.main:appcd mythic-containers/recon-webhook
pip install -r requirements.txt
ANALYZER_URL=http://localhost:8000 python webhook_code/main.pyThe implant's compile-time configuration lives in include/config.h. Key constants:
#define EXPECTED_CERT_ISSUER "Mythic C2 CA" // must match C2 server cert CN
#define BEACON_INTERVAL_SEC 10
#define BEACON_JITTER_PCT 20 // ±20% sleep jitter
#define MAX_FAILURES_BEFORE_SWITCH 3 // failures before transport cascade
#define PROBE_INTERVAL_BEACONS 30 // beacons between HTTPS upgrade probesThe C2 profile config lives in mythic-install/C2_Profiles/adaptive-profile/adaptive_profile/c2_code/config.json:
{
"instances": [{
"port": 443,
"dns_port": 5353,
"dns_domain": "data.c2.local",
"use_ssl": true,
"debug": false
}]
}TLS note: The server certificate's CN must match
EXPECTED_CERT_ISSUERin the implant. A mismatch causes the rule engine to treat the connection as a MITM proxy and cascade to DNS transports. Generate the cert with-subj '/CN=Mythic C2 CA'.
| Command | Description |
|---|---|
shell <cmd> |
Execute a shell command and return output |
ls [path] |
List directory contents |
download <path> |
Exfiltrate a file to Mythic |
upload <path> |
Upload a file from Mythic to the target |
sleep <seconds> [jitter%] |
Change beacon interval at runtime |
persist <method> |
Install persistence (run key, scheduled task) |
transport_switch <tier> |
Force switch to a specific transport tier |
transport_status |
Report current transport and failure counters |
analyze_recon |
Trigger AI analysis of buffered recon output |
exit |
Clean up and terminate the implant |
# Start mock DoH resolver (forwards to real DNS)
python tools/mock_doh_resolver.py --port 8553
# Run the full test suite
python tools/test_doh_chain.pycd implant
python test_implant.py # tests message serialization and protocol parsingbash lab/scenarios/RUN_DEMO.shSee docs/architecture.md for a detailed walkthrough of the transport vtable, rule engine, and AI pipeline design decisions.
The implant/ directory is a lighter standalone build sandbox (no evasion modules) for rapid iteration on transport and protocol logic. The full production implant with all evasion features lives in mythic-install/Payload_Type/adaptive/agent_code/implant/.
See CONTRIBUTING.md.