Medusa: cross-platform C2 agent

by do son ·

Medusa

Medusa is a cross-platform C2 agent compatible with both Python 3.8 and Python 2.7.

Notable Features

  • Dynamic loading/unloading of agent functions to limit exposure of agent capabilities on-disk.
  • Loading of Python modules in-memory for use in custom scripts.
  • Cross-platform SOCKS5 proxy
  • macOS clipboard reader, screenshot grabber, and TCC database parsing examples
  • File browser compatibility with upload/download
  • Eval() of dynamic Python code
  • Basic Authentication Proxy compatibility

Supported C2 Profiles

Currently, only one C2 profile is available to use when creating a new Medusa agent: http (both with and without AES256 HMAC encryption).

HTTP Profile

The HTTP profile calls back to the Mythic server over the basic, non-dynamic profile. GET requests for taskings, POST requests with responses.

Commands Manual Quick Reference

The base agent and included commands all use built-in Python libraries, so do not need additional packages to function. Agents will run the commands in threads, so long-running uploads or downloads won’t block the main agent.

General Commands

Command Syntax Description
cat cat path/to/file Read and output file content.
cd cd [.. dir] Change working directory (.. to go up one directory).
cp cp src_file_or_dir dst_file_or_dir Copy file or folder to destination.
cwd cwd Print working directory.
download download [path] Download a file from the target system.
exit exit Exit a callback.
env env Print environment variables.
eval_code eval_code [commands] Execute python code and return output.
jobkill jobkill [task id] Send stop signal to long running task.
jobs jobs List long-running tasks, such as downloads.
list_modules list_modules [module_name] Lists in-memory modules or the full file listing for a specific module.
load load command Load a new capability into an agent.
load_module load_module Load a zipped Python module into memory (adapted from here and here).
load_script load_script Load and execute a Python script through the agent.
ls ls [. path] List files and folders in [path] or use . for current working directory.
mv mv src_file_or_dir dst_file_or_dir Move file or folder to destination.
rm rm file_or_dir Delete file or folder.
shell shell [command] Run a shell command which will spawn using subprocess.Popen(). Note that this will wait for command to complete so be careful not to block your agent.
socks socks start/stop [port] Start/stop SOCKS5 proxy through Medusa agent.
shinject shinject Inject shellcode into target PID using CreateRemoteThread (Windows only – adapted from here).
sleep sleep [seconds] [jitter percentage] Set the callback interval of the agent in seconds.
unload unload command Unload an existing capability from an agent.
unload_module unload_module module_name Unload a Python module previously loaded into memory.
upload upload Upload a file to a remote path on the machine.
watch_dir watch_dir path seconds Watch for changes in the target directory, polling for changes at a specified rate.

macOS Commands

Command Syntax Description
clipboard clipboard Output contents of the clipboard (uses Objective-C API, as outlined by Cedric Owens here. macOS only, Python 2.7 only).
list_apps list_apps List macOS applications (Python 2.7 only, macOS only).
list_tcc list_tcc [path] List entries in macOS TCC database (requires full-disk access and Big Sur only atm).
screenshot screenshot Take a screenshot (uses Objective-C API, macOS only, Python 2.7 only).

Windows Commands

Command Syntax Description
shinject shinject Inject shellcode into target PID using CreateRemoteThread (Windows only – adapted from here).
load_dll load_dll dll_path dll_export Load an on-disk DLL and execute an exported function (NOTE: This DLL must return an int value on completion, an msfvenom-created DLL, for example, will kill your agent upon completion).

Install