Medusa: cross-platform C2 agent

by do son · Published November 22, 2021 · Updated May 1, 2024

Medusa

Medusa is a cross-platform C2 agent compatible with both Python 3.8 and Python 2.7.

Notable Features

Dynamic loading/unloading of agent functions to limit exposure of agent capabilities on-disk.
Loading of Python modules in-memory for use in custom scripts.
Cross-platform SOCKS5 proxy
macOS clipboard reader, screenshot grabber, and TCC database parsing examples
File browser compatibility with upload/download
Eval() of dynamic Python code
Basic Authentication Proxy compatibility

Supported C2 Profiles

Currently, only one C2 profile is available to use when creating a new Medusa agent: http (both with and without AES256 HMAC encryption).

HTTP Profile

The HTTP profile calls back to the Mythic server over the basic, non-dynamic profile. GET requests for taskings, POST requests with responses.

Commands Manual Quick Reference

The base agent and included commands all use built-in Python libraries, so do not need additional packages to function. Agents will run the commands in threads, so long-running uploads or downloads won’t block the main agent.

General Commands

Command	Syntax	Description
cat	`cat path/to/file`	Read and output file content.
cd	`cd [.. dir]`	Change working directory (`..` to go up one directory).
cp	`cp src_file_or_dir dst_file_or_dir`	Copy file or folder to destination.
cwd	`cwd`	Print working directory.
download	`download [path]`	Download a file from the target system.
exit	`exit`	Exit a callback.
env	`env`	Print environment variables.
eval_code	`eval_code [commands]`	Execute python code and return output.
jobkill	`jobkill [task id]`	Send stop signal to long running task.
jobs	`jobs`	List long-running tasks, such as downloads.
list_modules	`list_modules [module_name]`	Lists in-memory modules or the full file listing for a specific module.
load	`load command`	Load a new capability into an agent.
load_module	`load_module`	Load a zipped Python module into memory (adapted from here and here).
load_script	`load_script`	Load and execute a Python script through the agent.
ls	`ls [. path]`	List files and folders in `[path]` or use `.` for current working directory.
mv	`mv src_file_or_dir dst_file_or_dir`	Move file or folder to destination.
rm	`rm file_or_dir`	Delete file or folder.
shell	`shell [command]`	Run a shell command which will spawn using subprocess.Popen(). Note that this will wait for command to complete so be careful not to block your agent.
socks	`socks start/stop [port]`	Start/stop SOCKS5 proxy through Medusa agent.
shinject	`shinject`	Inject shellcode into target PID using CreateRemoteThread (Windows only – adapted from here).
sleep	`sleep [seconds] [jitter percentage]`	Set the callback interval of the agent in seconds.
unload	`unload command`	Unload an existing capability from an agent.
unload_module	`unload_module module_name`	Unload a Python module previously loaded into memory.
upload	`upload`	Upload a file to a remote path on the machine.
watch_dir	`watch_dir path seconds`	Watch for changes in the target directory, polling for changes at a specified rate.

macOS Commands

Command	Syntax	Description
clipboard	`clipboard`	Output contents of the clipboard (uses Objective-C API, as outlined by Cedric Owens here. macOS only, Python 2.7 only).
list_apps	`list_apps`	List macOS applications (Python 2.7 only, macOS only).
list_tcc	`list_tcc [path]`	List entries in macOS TCC database (requires full-disk access and Big Sur only atm).
screenshot	`screenshot`	Take a screenshot (uses Objective-C API, macOS only, Python 2.7 only).

Windows Commands

Command	Syntax	Description
shinject	`shinject`	Inject shellcode into target PID using CreateRemoteThread (Windows only – adapted from here).
load_dll	`load_dll dll_path dll_export`	Load an on-disk DLL and execute an exported function (NOTE: This DLL must return an int value on completion, an msfvenom-created DLL, for example, will kill your agent upon completion).