Payload Backends#

mythic_file — Mythic File Store#

Fetches files from Mythic’s internal file store via /direct/download/<uuid>.

Specific UUID (stage-2 payload)#

backend:
  type: "mythic_file"
  target: "https://${MYTHIC_IP}:7443"
  file_id: "${MYTHIC_STAGE2_FILE_ID}"    # UUID from Mythic file browser
  ssl_verify: false
  headers:
    Content-Disposition: "attachment; filename=\"update.bin\""

Dynamic UUID (proxy all Mythic files)#

Omit file_id. UUID extracted from the request path:

- path: "/dl/*"
  backend:
    type: "mythic_file"
    target: "https://${MYTHIC_IP}:7443"
    ssl_verify: false

/dl/abc123 → Mythic /direct/download/abc123.

Set require_beacon_ip: true on this route; otherwise any visitor can probe the UUID space through the proxy and pull files meant only for beacons.
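The dynamic mapping above, worked through as an added example (not InfraGuard's own code). The Mythic target, the beacon IP and the file ID are constructed sample values, and the strict UUID check is an extra guard this example adds: the page's `/dl/abc123` is only a placeholder, and the page does not say the backend validates the segment itself. Forwarding the segment unvalidated would let a visitor splice arbitrary paths into requests the proxy makes to the Mythic server.

```python
import re

# Constructed sample values for this example; replace with your own route/target.
ROUTE_PREFIX = "/dl/"
MYTHIC_TARGET = "https://203.0.113.10:7443"
KNOWN_BEACONS = {"198.51.100.23"}  # stands in for the require_beacon_ip check

# Mythic file IDs are UUIDs; only one well-formed UUID segment may reach the
# upstream path, so the proxy cannot be used to reach other Mythic endpoints.
UUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def extract_file_id(request_path):
    """Return the UUID from /dl/<uuid>, or None unless it is exactly one UUID segment."""
    if not request_path.startswith(ROUTE_PREFIX):
        return None
    rest = request_path[len(ROUTE_PREFIX):]
    # One segment only: no further '/', no query or fragment smuggled in
    if "/" in rest or "?" in rest or "#" in rest:
        return None
    return rest if UUID_RE.match(rest) else None


def upstream_url(request_path, client_ip, require_beacon_ip=True):
    """Map a client request to the Mythic download URL, or None when it must be refused."""
    if require_beacon_ip and client_ip not in KNOWN_BEACONS:
        return None  # unknown source: do not let it walk the UUID space
    file_id = extract_file_id(request_path)
    if file_id is None:
        return None
    return f"{MYTHIC_TARGET}/direct/download/{file_id.lower()}"


if __name__ == "__main__":
    good = "/dl/3f2504e0-4f89-11d3-9a0c-0305e82c3301"
    print(upstream_url(good, "198.51.100.23"))       # mapped to /direct/download/<uuid>
    print(upstream_url(good, "192.0.2.1"))            # None: not a known beacon
    print(upstream_url("/dl/../api/v1.4/files", "198.51.100.23"))  # None: not a UUID
```

With require_beacon_ip=False the first check is skipped and only the format check remains, which is the configuration the page warns against for routes exposed to the open internet.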


pwndrop — PwnDrop#

Proxies to a PwnDrop instance. PwnDrop manages the file store; InfraGuard adds the guard stack.

backend:
  type: "pwndrop"
  target: "${PWNDROP_UPSTREAM}"    # e.g. http://pwndrop:80
  auth_token: "${PWNDROP_TOKEN}"   # PwnDrop API token

PwnDrop serves files under / by default; the request path is forwarded to it unchanged.


filesystem — Local Filesystem#

Serves files from a local directory. Useful for decoy content or pre-staged payloads in Docker volumes.

backend:
  type: "filesystem"
  target: "/app/decoys"    # base directory

/assets/jquery.min.js → /app/decoys/assets/jquery.min.js.

Path traversal is prevented — requests cannot escape the base directory.
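What "cannot escape the base directory" has to cover in practice, as an added example rather than InfraGuard's implementation: percent-encoded dot segments, NUL bytes, and symlinks inside the base that point outside it. The directory layout is constructed in a temporary directory for the demonstration; /app/decoys from the page stands in as the base in the comments.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_under_base(base_dir, request_path):
    """Map an HTTP path onto a file under base_dir; return None if it would escape.

    Percent-decoding happens before normalisation so %2e%2e%2f cannot slip past
    the check, and realpath() is applied so a symlink inside base_dir that points
    outside it is refused as well.
    """
    base = os.path.realpath(base_dir)
    decoded = unquote(request_path)
    if "\x00" in decoded:
        return None  # NUL would truncate the path at the OS level
    # Drop the leading '/' so join() keeps base; normpath collapses '..' and '//'
    rel = os.path.normpath(decoded.lstrip("/"))
    candidate = os.path.realpath(os.path.join(base, rel))
    # commonpath() is the containment test; a plain startswith() would accept
    # /app/decoys-private when base is /app/decoys
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def build_demo_tree():
    """Constructed sample layout: <tmp>/decoys/assets/jquery.min.js plus a symlink
    <tmp>/decoys/escape -> <tmp>/secret.txt that leaves the base directory."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "decoys")
    os.makedirs(os.path.join(base, "assets"))
    with open(os.path.join(base, "assets", "jquery.min.js"), "w") as fh:
        fh.write("/* decoy */\n")
    secret = os.path.join(root, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("not for visitors\n")
    has_link = True
    try:
        os.symlink(secret, os.path.join(base, "escape"))
    except OSError:
        has_link = False  # platforms without symlink support still run the rest
    return base, secret, has_link


if __name__ == "__main__":
    base, secret, has_link = build_demo_tree()
    for p in ["/assets/jquery.min.js",            # served
              "/assets/../../secret.txt",         # refused: plain traversal
              "/assets/%2e%2e/%2e%2e/secret.txt", # refused: encoded traversal
              "/escape"]:                         # refused: symlink out of base
        print(p, "->", resolve_under_base(base, p))
```

The symlink case is the one most often missed: normpath alone is satisfied by /escape, so only a realpath-based check catches a link dropped into the decoy directory.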

Decoy Content Routes#

The filesystem backend without a guard stack serves decoy content to all visitors:

- path: "/assets/*"
  backend:
    type: "filesystem"
    target: "/app/decoys"
  rate_limit:
    enabled: true
    max_downloads: 10
    window_seconds: 60
  track: false    # don't clutter logs with decoy hits

http_proxy — HTTP Proxy#

Proxies to any HTTP server. Use for RedFile, nginx, or custom delivery servers.

backend:
  type: "http_proxy"
  target: "${REDFILE_UPSTREAM}"    # e.g. http://redfile:8080
  ssl_verify: false

Request path and headers are forwarded. X-Forwarded-For is added unless strip_forwarded: true.

Cover Backend via Proxy#

The http_proxy backend is ideal for conditional.scanner_backend: visitors whose scanner score meets score_threshold get the real file fetched from the legitimate CDN, so the response looks like ordinary static content rather than the payload:

conditional:
  score_threshold: 0.5
  scanner_backend:
    type: "http_proxy"
    target: "https://jquery.com/jquery-3.7.1.min.js"

Response Headers#

All backends support custom response headers:

backend:
  type: "mythic_file"
  target: "..."
  headers:
    Content-Type: "application/javascript"
    Content-Disposition: "attachment; filename=\"update.js\""
    Cache-Control: "no-store"

Headers from the backend response are passed through. Custom headers override or add to them.
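The two header rules on this page (X-Forwarded-For handling for http_proxy, and custom headers overriding backend headers) as an added example; this is not InfraGuard's code. It assumes that strip_forwarded: true both suppresses the added header and drops any client-supplied X-Forwarded-For, and that the override is case-insensitive so a backend's `content-type` and a configured `Content-Type` never both reach the client. The sample headers are constructed.

```python
# Hop-by-hop headers (RFC 7230 section 6.1) must not be relayed by a proxy in either direction.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade"}


def build_upstream_headers(client_headers, client_ip, strip_forwarded=False):
    """Headers sent to the upstream: client headers minus hop-by-hop ones, with
    X-Forwarded-For appended (or removed when strip_forwarded is set)."""
    out = {k: v for k, v in client_headers.items() if k.lower() not in HOP_BY_HOP}
    existing = [k for k in out if k.lower() == "x-forwarded-for"]
    if strip_forwarded:
        for k in existing:
            del out[k]
        return out
    # Preserve a chain set by a load balancer in front of the proxy, then append the
    # peer address. If this proxy is the edge, an inbound value is client-controlled
    # and the upstream should trust only the last element.
    prior = ", ".join(out.pop(k) for k in existing)
    out["X-Forwarded-For"] = f"{prior}, {client_ip}" if prior else client_ip
    return out


def merge_response_headers(upstream_headers, custom_headers):
    """Backend headers pass through; configured headers add to or override them,
    matching names case-insensitively so only one Content-Type survives."""
    overridden = {k.lower() for k in custom_headers}
    merged = {k: v for k, v in upstream_headers.items()
              if k.lower() not in HOP_BY_HOP and k.lower() not in overridden}
    merged.update(custom_headers)
    return merged


if __name__ == "__main__":
    # Constructed sample request and backend response
    client = {"Host": "cdn.example.test", "User-Agent": "curl/8.5",
              "Connection": "keep-alive", "X-Forwarded-For": "10.0.0.1"}
    print(build_upstream_headers(client, "198.51.100.23"))
    print(build_upstream_headers(client, "198.51.100.23", strip_forwarded=True))

    backend = {"content-type": "text/plain", "Server": "nginx/1.24", "Connection": "close"}
    custom = {"Content-Type": "application/javascript", "Cache-Control": "no-store"}
    print(merge_response_headers(backend, custom))
```

The Server header passing through in the last call is worth noticing: if the upstream identifies itself and the cover story says otherwise, add Server to the route's headers so the override replaces it.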