Hunting for Mythic in network traffic
ID: 1905170c-f95c-5e43-ad54-16affb2a0fdf
STIX ID: report--1905170c-f95c-5e43-ad54-16affb2a0fdf
Feed Name: Securelist by Kaspersky
This report analyzes the Mythic post-exploitation C2 framework, detailing how Mythic agents communicate over SMB, TCP, HTTP(S), WebSocket and covert egress channels (Discord, GitHub), and provides protocol-specific network-detection guidance and Suricata signatures for identifying agent activity (UUID and Base64 patterns, TLS/HTTP behaviors). It emphasizes detection limitations (e.g., TLS/SMBv3 encryption), proposes behavioral fallback rules, and notes Mythic’s adoption by threat actors while listing Kaspersky NDR verdicts for Mythic-related C2s.
