Medusa is a cross-platform agent compatible with both Python 3.8 and Python 2.7.
To install Medusa, you'll need Mythic installed on a remote computer. You can find installation instructions for Mythic at the Mythic project page.
From the Mythic install root, run the command:
./mythic-cli payload install github https://github.com/MythicAgents/Medusa.git
Once installed, restart Mythic to build a new agent.
- File browser compatibility with upload/download
- Windows injection example using CreateRemoteThread
- maOS clipboard reader, screenshot grabber and TCC database parsing examples
- Eval() of dynamic Python code
- Basic Authentication Proxy compatibility
Commands Manual Quick Reference
The base agent and included commands all use built-in Python libraries, so do not need additional packages to function. Agents will run the commands in threads, so long-running uploads or downloads won't block the main agent.
||Read and output file content.|
||Change working directory (
||Output contents of clipboard (uses Objective-C API, as outlined by Cedric Owens here. macOS only, Python 2.7 only).|
||Copy file or folder to destination.|
||Print working directory.|
||Download a file from the target system.|
||Exit a callback.|
||Print environment variables.|
||Execute python code and return output.|
||List long-running tasks, such as downloads.|
||List files and folders in
||List entries in macOS TCC database (requires full-disk access and Big Sur only atm).|
||Move file or folder to destination.|
||Delete file or folder.|
||Take a screenshot (uses Objective-C API, macOS only, Python 2.7 only).|
||Run a shell command which will spawn using subprocess.Popen(). Note that this will wait for command to complete so be careful not to block your agent.|
||Inject shellcode into target PID using CreateRemoteThread (Windows only - adapted from here).|
||Set the callback interval of the agent in seconds.|
||Upload a file to a remote path on the machine.|
Both versions of the Medusa agent use an AES256 HMAC implementation written with built-in libraries (adapted from here), removing the need for any additional dependencies beyond a standard Python install. As such the agent should operate across Windows, Linux and macOS hosts. It's worth mentioning that this crypto implementation does introduce some overhead when handling large files (screenshotting, downloads, etc.) but it's workable.
Py2 vs Py3 Commands
Payload_Type/Medusa/agent_code directory, you will see
base_agent files with both
py3 suffixes. Likewise, similar file extensions can be seen for individual function files too.
These are read by the
builder.py script to firstly select the right base Python version of the Medusa agent.
builder.py will then include commands that are specific to the chosen python version. In the case where a command only has a
.py extension, this will be used by default, with the assumption being that no alternative code is needed between the Py2 and Py3 versions.
Supported C2 Profiles
Currently, only one C2 profile is available to use when creating a new Medusa agent: http (both with and without AES256 HMAC encryption).
The HTTP profile calls back to the Mythic server over the basic, non-dynamic profile. GET requests for taskings, POST requests with responses.