This profile is supported by: https://github.com/nick-frischkorn/lark_poseidon
This is a Mythic C2 Profile called lark. It provides a way for agents to communicate via Feishu APIs. This profile supports:
- Kill Dates
- Sleep Intervals
- Message Encryption
- File Uploads Any Size
- File Downloads <11 MB
The C2 profile has the `mythic_c2_container==0.0.23` PyPi package installed and reports to Mythic as version "4".
- `sudo ./mythic-cli install github https://github.com/nick-frischkorn/lark_c2`
- `sudo ./mythic-cli install folder /path/to/lark/`
See https://docs.mythic-c2.net/installation#installing-agents-c2-profiles for more information
```mermaid
sequenceDiagram
participant M as Mythic
participant L as Lark Container
participant O2 as open.feishu.cn
participant H as Lark Chat
participant O1 as open.feishu.cn
participant A as Agent
A ->>+ O1: Agent calls API to upload message <br/> as file to Feishu drive
O1 -->>- A: Feishu returns file ID
A ->>+ O1: Agent calls API to send message card <br/> containing the file ID as content
O1 ->> H: Feishu API sends message <br/> card to group chat
O1 -->>- A: Feishu returns message ID
A ->>+ O1: Agent calls API to add GLANCE <br/> reaction to message ID
O1 ->>+ H: Feishu API adds GLANCE emoji <br/> to message
O2 ->>+ L: Feishu sends event to webhook <br/> containing message ID and emoji
L ->>+ O2: Container calls API to retrieve <br/> message contents
O2 -->>- L: Feishu returns message contents <br/> (file ID)
L ->>+ O2: Container calls API to download file ID
O2 -->>- L: Feishu returns file contents <br/> (agent message)
L ->>+ O2: Container calls API to delete file ID
L ->>+ M: Container forwards message <br/> to Mythic
M -->>- L: Mythic returns tasking
L ->>+ O2: Container calls API to upload message <br/> as a file to Feishu drive
O2 -->>- L: Feishu returns file ID
L ->>+ O2: Container calls API to update message <br/> card content with file ID and title <br/> with "TASK"
O2 ->>+ H: Feishu API updates message <br/> card contents and title
A ->>+ O1: Agent calls API to retrieve message <br/> contents
O1 -->>- A: Feishu returns message contents <br/> (file ID)
A ->>+ O1: Agent calls API to download file ID
O1 -->>- A: Feishu returns file contents <br/> (tasking)
A ->>+ O1: Agent calls API to add SMILE <br/> reaction to message indicating <br/> the task has been received <br/> and the file can be deleted
O1 ->>+ H: Feishu API adds SMILE emoji <br/> to message
O2 ->>+ L: Feishu sends event to webhook <br/> containing message ID and emoji
L ->>+ O2: Container calls API to retrieve <br/> message contents
O2 -->>- L: Feishu returns message contents <br/> (file ID)
L ->>+ O2: Container calls API to delete file ID
```
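The exchange above has a fixed shape that a chat administrator can look for: a message card whose content is a drive file ID, a GLANCE reaction, a card update that retitles it "TASK", then a SMILE reaction, repeated in the same group chat on every sleep interval. The following Python is an added detection sketch, not part of lark or this README. It assumes chat telemetry has already been normalized into simple dict records (the `kind`, `emoji`, `title`, `file_id`, `chat`, `message_id` and `ts` fields, the `find_tasking_cycles` and `chats_over_threshold` helpers and all sample values are constructed here and are not a Feishu event schema) and flags message IDs that complete the full four-step cycle, then chats where the cycle repeats.

```python
"""Detection sketch for the card/reaction signalling pattern in the diagram above.

Added example, not part of lark. The record layout and every sample value below
are constructed to mirror the diagram; they are not a real Feishu event schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# One complete tasking round-trip, in arrival order.
# Each step is (record kind, attribute value that must match, or None).
EXPECTED_SEQUENCE = [
    ("card_created", None),     # agent posts a card whose content is a file ID
    ("reaction", "GLANCE"),     # agent signals "new message" to the container
    ("card_updated", "TASK"),   # container swaps in tasking and retitles the card
    ("reaction", "SMILE"),      # agent acknowledges receipt
]


@dataclass
class MessageState:
    chat: str
    step: int = 0                                   # next EXPECTED_SEQUENCE index
    timestamps: List[int] = field(default_factory=list)


def _matches(step: int, event: dict) -> bool:
    """True if `event` is the step we are waiting for on this message."""
    kind, attr = EXPECTED_SEQUENCE[step]
    if event["kind"] != kind:
        return False
    if kind == "reaction":
        return event.get("emoji") == attr
    if kind == "card_updated":
        return event.get("title") == attr
    return "file_id" in event                       # card_created must carry a file ID


def find_tasking_cycles(events: List[dict]) -> Dict[str, MessageState]:
    """Return {message_id: state} for messages that completed all four steps in order.

    Out-of-order or partial sequences (a stray GLANCE, a SMILE before the TASK
    update) never advance past the step they fail, so they are not reported.
    """
    states: Dict[str, MessageState] = {}
    completed: Dict[str, MessageState] = {}
    for ev in events:
        st = states.setdefault(ev["message_id"], MessageState(chat=ev["chat"]))
        if st.step < len(EXPECTED_SEQUENCE) and _matches(st.step, ev):
            st.step += 1
            st.timestamps.append(ev["ts"])
            if st.step == len(EXPECTED_SEQUENCE):
                completed[ev["message_id"]] = st
    return completed


def chats_over_threshold(completed: Dict[str, MessageState], min_cycles: int = 2) -> Dict[str, int]:
    """Chats with at least `min_cycles` completed cycles.

    A single card that happens to collect both reactions is plausible noise;
    the same cycle repeating in one chat is the beaconing signature.
    """
    counts: Dict[str, int] = {}
    for st in completed.values():
        counts[st.chat] = counts.get(st.chat, 0) + 1
    return {chat: n for chat, n in counts.items() if n >= min_cycles}


# Constructed sample: two full cycles in chat-A, a partial and an out-of-order
# sequence in chat-B. Identifiers are placeholders, not real Feishu IDs.
SAMPLE_EVENTS = [
    {"ts": 100, "chat": "chat-A", "message_id": "msg-1", "kind": "card_created", "file_id": "file-1"},
    {"ts": 101, "chat": "chat-A", "message_id": "msg-1", "kind": "reaction", "emoji": "GLANCE"},
    {"ts": 103, "chat": "chat-A", "message_id": "msg-1", "kind": "card_updated", "title": "TASK"},
    {"ts": 104, "chat": "chat-A", "message_id": "msg-1", "kind": "reaction", "emoji": "SMILE"},
    {"ts": 160, "chat": "chat-A", "message_id": "msg-2", "kind": "card_created", "file_id": "file-2"},
    {"ts": 161, "chat": "chat-A", "message_id": "msg-2", "kind": "reaction", "emoji": "GLANCE"},
    {"ts": 162, "chat": "chat-A", "message_id": "msg-2", "kind": "card_updated", "title": "TASK"},
    {"ts": 163, "chat": "chat-A", "message_id": "msg-2", "kind": "reaction", "emoji": "SMILE"},
    # benign: a user glances at an ordinary card that is never retitled
    {"ts": 170, "chat": "chat-B", "message_id": "msg-3", "kind": "card_created", "file_id": "file-3"},
    {"ts": 171, "chat": "chat-B", "message_id": "msg-3", "kind": "reaction", "emoji": "GLANCE"},
    # out of order: SMILE before GLANCE, so the cycle never completes
    {"ts": 180, "chat": "chat-B", "message_id": "msg-4", "kind": "card_created", "file_id": "file-4"},
    {"ts": 181, "chat": "chat-B", "message_id": "msg-4", "kind": "reaction", "emoji": "SMILE"},
    {"ts": 182, "chat": "chat-B", "message_id": "msg-4", "kind": "card_updated", "title": "TASK"},
    {"ts": 183, "chat": "chat-B", "message_id": "msg-4", "kind": "reaction", "emoji": "GLANCE"},
]

if __name__ == "__main__":
    done = find_tasking_cycles(SAMPLE_EVENTS)
    for mid, st in done.items():
        print(f"{mid}: full cycle in {st.chat}, {st.timestamps[-1] - st.timestamps[0]}s end to end")
    print("chats with repeated cycles:", chats_over_threshold(done))
```

The card/GLANCE/TASK/SMILE ordering is what the sketch keys on; the file ID on the card and the short end-to-end time per cycle are the secondary signals, and a real deployment would take the records from whatever chat audit or event data the tenant exposes rather than from the constructed list above.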
The C2 profile handles configuration using a `config.json` file which can be modified within the Mythic instance. It contains 6 parameters:
- lark_groupchat_name
- lark_app_id
- lark_app_secret
- lark_verification_token
- lark_encrypt_key
- port
Browse to **C2 Profiles**, then click on the dropdown arrow next to **Start Profile**, then click **View/Edit Config** to change the above values.
- Sign in to larksuite and browse to https://open.larksuite.com/app?lang=en-US
- Select **Custom Apps**, then **Create Custom App**
- Choose a name and description, then select **Create**
- Select **Add Features** on the left-hand panel, then select **By Feature**, then select **Add** under **Bot**
- Select **Permissions & Scopes** on the left-hand panel, then add the `im:chat`, `im:message`, `drive:file`, and `drive:drive` scopes, and select **Add in bulk**
- Select **Confirm and go to create app version**, then select **Create a version**
- Fill out the version details, then select **Save**
- Select **Submit for release**
- The Open Platform Assistant will send you a message within your larksuite tenant; select **Admin Console** to navigate to the review page
- Select **Review** next to your bot, then **Approve**
- Create a group chat within Lark, select **Settings**, then select **Bots**, then select **Add Bot** and choose your Lark bot
- Navigate back to the developer console and select **Credentials & Basic Info** on the left-hand panel and copy your **App ID** and **App Secret**
- Select **Event Subscriptions** on the left-hand panel and copy your **Verification Token**
- Within Mythic, update lark's C2 profile with your obtained **Verification Token**, **App ID**, **App Secret**, and the name of the group chat you added the bot to, then start the profile
- Navigate back to the **Event Subscriptions** panel, configure the **Request URL** to point to Mythic's IP and the `port` from the config file, then select **Save**
- Once the **Request URL** has received the verification event, select **Add Events**, then select `reaction.created`
- Upgrade server to be async + support HTTPS
- Add Lark event encryption option
- Add command to switch to regular HTTP beaconing