Mythic
InfraGuard supports Mythic’s HTTPX and HTTP agents. The profile JSON exported from the Mythic agent builder is parsed to extract URI patterns and headers.
Config
```yaml
domains:
  cdn.example.com:
    upstream: "https://${MYTHIC_IP}:7443"
    profile_path: "profiles/mythic-httpx.json"
    profile_type: "mythic"
    ssl_verify: false  # Mythic uses self-signed cert by default
    drop_action:
      type: "redirect"
      target: "https://cdn.jsdelivr.net"
```

See `config/examples/c2-mythic.yaml` and `config/examples/op-mythic-phishingclub.yaml`.
Payload Delivery via Mythic File Store
InfraGuard can serve payloads directly from Mythic’s internal file store:
```yaml
content_routes:
  - path: "/assets/bootstrap.min.js"
    backend:
      type: "mythic_file"
      target: "https://${MYTHIC_IP}:7443"
      file_id: "${MYTHIC_STAGE2_FILE_ID}"
      ssl_verify: false
    guard:
      require_beacon_ip: true
      forbidden_headers:
        - "Via"
        - "X-Forwarded-For"
      require_token: true
      rate_limit:
        enabled: true
        max_downloads: 1
        window_seconds: 3600
```

InfraGuard fetches `/direct/download/<file_id>` from the Mythic server. The `file_id` is the UUID shown in Mythic’s file browser.
Dynamic UUID Proxy
Expose the full Mythic file store behind a wildcard route:
```yaml
content_routes:
  - path: "/dl/*"
    backend:
      type: "mythic_file"
      target: "https://${MYTHIC_IP}:7443"
      ssl_verify: false  # no file_id — UUID taken from request path
    guard:
      require_beacon_ip: true
```

The UUID is extracted from the incoming path (`/dl/<uuid>` → `/direct/download/<uuid>`).
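
Because the wildcard route turns client-supplied path text into a request against the Mythic server on port 7443, the path segment should be accepted only when it is exactly one canonical UUID. The following is an added example of that check, not InfraGuard's own code; the function name `map_download_path` and the sample UUID in the usage are hypothetical and constructed for illustration.

```python
import re
import uuid
from typing import Optional

ROUTE_PREFIX = "/dl/"                  # wildcard route from the config above
UPSTREAM_PREFIX = "/direct/download/"  # Mythic download endpoint named on this page
_UUID_RE = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
)


def map_download_path(raw_path: str) -> Optional[str]:
    """Map /dl/<uuid> to /direct/download/<uuid>; return None to drop the request.

    Hypothetical helper: anything other than a single hyphenated UUID after the
    prefix is rejected, so the route cannot be steered to other upstream paths.
    """
    path = raw_path.split("?", 1)[0]   # the query string is never forwarded
    if not path.startswith(ROUTE_PREFIX):
        return None
    segment = path[len(ROUTE_PREFIX):]
    # A canonical UUID never needs percent-encoding; refusing it outright avoids
    # a later decode step reintroducing "/" or ".." after this check.
    if "%" in segment:
        return None
    # fullmatch() rejects extra segments, dot-segments and trailing data.
    if not _UUID_RE.fullmatch(segment):
        return None
    candidate = segment.lower()
    # Second, independent parse: the value must round-trip unchanged.
    if str(uuid.UUID(candidate)) != candidate:
        return None
    return UPSTREAM_PREFIX + candidate


if __name__ == "__main__":
    # Constructed sample requests, not taken from a real deployment.
    sample = "3f2b8c1e-9d4a-4e7b-a1c5-6f0d2e8b9a37"
    for p in (f"/dl/{sample}", f"/dl/{sample}/../../login", "/dl/../api"):
        print(p, "->", map_download_path(p))
```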
ssl_verify
Mythic generates a self-signed cert. Set `ssl_verify: false` on the backend to skip certificate verification on the connection from InfraGuard to Mythic. InfraGuard still terminates TLS externally with your real cert.
Port Reference
| Service | Default Port |
|---|---|
| Mythic web UI | 7443 |
| HTTPX listener | 443 (configure in agent) |
| File download endpoint | 7443 `/direct/download/<uuid>` |