Introduction
As part of my 30-day SOC Analyst challenge, Day 20 focused on setting up a Mythic C2 server, an open-source command-and-control framework, to enhance my understanding of threat monitoring and security operations. This hands-on project allowed me to configure and deploy a Mythic server on a virtual machine, troubleshoot errors, and secure the environment with a custom firewall setup.
Server Deployment on Vultr
I began by logging into my Vultr dashboard to create a new virtual machine (VM) for the Mythic C2 server. I selected the following configuration:
- Instance Type: Cloud Compute – Shared CPU
- Location: Bangalore (closest to my location)
- Operating System: Ubuntu 22.04 LTS
- Specs: 80 GB SSD, 2 vCPUs, 4 GB RAM
After naming the instance “MyDFIR-Mythic,” I deployed the VM.

Connecting to the Server
Using SSH, I connected to the newly deployed server:
ssh root@
Once logged in, I updated and upgraded the server’s repositories:
apt-get update && apt-get upgrade -y
Installing Dependencies
Mythic requires Docker Compose and Make for installation. I installed these using:
apt install docker-compose
apt install make
Cloning the Mythic Repository
After installing the dependencies, I cloned the Mythic GitHub repository:
git clone https://github.com/its-a-feature/Mythic
I then navigated to the Mythic directory:
cd Mythic

Running the Installer
I invoked the Mythic installation script for Docker:
./install_docker_ubuntu.sh
Troubleshooting Docker
While running the make command, I encountered an error.

To investigate, I checked the status of Docker:
systemctl status docker

Docker was not running, so I restarted the service:
systemctl restart docker
systemctl status docker
After restarting Docker, I successfully executed the make command.

Starting the Mythic Server
With the installation completed, I started the Mythic CLI:
./mythic-cli start
Configuring Firewall Rules
Before accessing the Mythic dashboard, I configured the firewall in Vultr to limit access. I created a firewall group named “MyDFIR-Mythic-Firewall” and added the following rules:
- Allow TCP connections from my IP
- Allow TCP connections from my Windows Server IP
- Allow TCP connections from my Ubuntu Server IP
After assigning this firewall group to the Mythic instance, I proceeded to log into the Mythic Web GUI via:
https://:7443
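The source-IP rules above only matter for ports that are actually bound to a non-loopback interface. As an added example (not part of the original write-up), this shell snippet parses `ss -H -tln` output and reports listeners reachable from outside loopback that are not on an expected list. The expected ports (22 for SSH, 7443 for the Mythic UI) and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag TCP listeners that are bound beyond loopback and are
# not on an expected list. Input is `ss -H -tln` output on stdin.

# Assumption: only SSH (22) and the Mythic web UI (7443) should be exposed.
EXPECTED_PORTS="22 7443"

# Print "port host" for every listener not bound to a loopback address.
exposed_listeners() {
    awk '{
        addr = $4                           # "Local Address:Port" column
        port = addr; sub(/.*:/, "", port)   # text after the last colon
        host = addr; sub(/:[^:]*$/, "", host)
        sub(/%.*$/, "", host)               # drop interface suffix such as %lo
        if (host ~ /^127\./ || host == "[::1]") next
        print port, host
    }'
}

# Print each exposed port that is missing from EXPECTED_PORTS, once.
unexpected_ports() {
    exposed_listeners | while read -r port host; do
        case " $EXPECTED_PORTS " in
            *" $port "*) ;;                 # expected, nothing to report
            *) echo "$port" ;;
        esac
    done | sort -n -u
}

# Constructed sample of `ss -H -tln` output (not captured from a real host);
# the 8080 line stands in for a stray service bound to all interfaces.
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:7443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 4096 *:8080 *:*
LISTEN 0 128 [::]:22 [::]:*'

# Demo on the sample; on the server use: ss -H -tln | unexpected_ports
printf '%s\n' "$SAMPLE_SS" | unexpected_ports
```

Any port this reports is either something to add to the firewall group's deny posture or something to rebind to 127.0.0.1.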
Exploring the Mythic Dashboard
Upon logging into the Mythic dashboard, I explored various functionalities and got a high-level overview of its capabilities.
Conclusion
Day 20 of the SOC Analyst challenge offered practical insights into deploying and managing a Mythic C2 server. I not only deployed the server but also learned valuable troubleshooting techniques and how to secure the server through firewall configurations.