Medusa: cross-platform C2 agent
Medusa
Medusa is a cross-platform C2 agent compatible with both Python 3.8 and Python 2.7.
Notable Features
- Dynamic loading/unloading of agent functions to limit exposure of agent capabilities on-disk.
- Loading of Python modules in-memory for use in custom scripts.
- Cross-platform SOCKS5 proxy
- macOS clipboard reader, screenshot grabber, and TCC database parsing examples
- File browser compatibility with upload/download
- Eval() of dynamic Python code
- Basic Authentication Proxy compatibility
Supported C2 Profiles
Currently, only one C2 profile is available to use when creating a new Medusa agent: http (both with and without AES256 HMAC encryption).
HTTP Profile
The HTTP profile calls back to the Mythic server over the basic, non-dynamic profile. GET requests for taskings, POST requests with responses.
Commands Manual Quick Reference
The base agent and included commands all use built-in Python libraries, so do not need additional packages to function. Agents will run the commands in threads, so long-running uploads or downloads won’t block the main agent.
General Commands
Command | Syntax | Description |
---|---|---|
cat | cat path/to/file |
Read and output file content. |
cd | cd [.. dir] |
Change working directory (.. to go up one directory). |
cp | cp src_file_or_dir dst_file_or_dir |
Copy file or folder to destination. |
cwd | cwd |
Print working directory. |
download | download [path] |
Download a file from the target system. |
exit | exit |
Exit a callback. |
env | env |
Print environment variables. |
eval_code | eval_code [commands] |
Execute python code and return output. |
jobkill | jobkill [task id] |
Send stop signal to long running task. |
jobs | jobs |
List long-running tasks, such as downloads. |
list_modules | list_modules [module_name] |
Lists in-memory modules or the full file listing for a specific module. |
load | load command |
Load a new capability into an agent. |
load_module | load_module |
Load a zipped Python module into memory (adapted from here and here). |
load_script | load_script |
Load and execute a Python script through the agent. |
ls | ls [. path] |
List files and folders in [path] or use . for current working directory. |
mv | mv src_file_or_dir dst_file_or_dir |
Move file or folder to destination. |
rm | rm file_or_dir |
Delete file or folder. |
shell | shell [command] |
Run a shell command which will spawn using subprocess.Popen(). Note that this will wait for command to complete so be careful not to block your agent. |
socks | socks start/stop [port] |
Start/stop SOCKS5 proxy through Medusa agent. |
shinject | shinject |
Inject shellcode into target PID using CreateRemoteThread (Windows only – adapted from here). |
sleep | sleep [seconds] [jitter percentage] |
Set the callback interval of the agent in seconds. |
unload | unload command |
Unload an existing capability from an agent. |
unload_module | unload_module module_name |
Unload a Python module previously loaded into memory. |
upload | upload |
Upload a file to a remote path on the machine. |
watch_dir | watch_dir path seconds |
Watch for changes in the target directory, polling for changes at a specified rate. |
macOS Commands
Command | Syntax | Description |
---|---|---|
clipboard | clipboard |
Output contents of the clipboard (uses Objective-C API, as outlined by Cedric Owens here. macOS only, Python 2.7 only). |
list_apps | list_apps |
List macOS applications (Python 2.7 only, macOS only). |
list_tcc | list_tcc [path] |
List entries in macOS TCC database (requires full-disk access and Big Sur only atm). |
screenshot | screenshot |
Take a screenshot (uses Objective-C API, macOS only, Python 2.7 only). |
Windows Commands
Command | Syntax | Description |
---|---|---|
shinject | shinject |
Inject shellcode into target PID using CreateRemoteThread (Windows only – adapted from here). |
load_dll | load_dll dll_path dll_export |
Load an on-disk DLL and execute an exported function (NOTE: This DLL must return an int value on completion, an msfvenom-created DLL, for example, will kill your agent upon completion). |