Add filtering parameters to mythic_get_callbacks #41

@nbaertsch

Problem

mythic_get_callbacks returns all callbacks in the operation, requiring manual filtering in user code when looking for specific subsets.

Common Use Cases Requiring Manual Filtering

Filter by payload type

# Current: Get all, filter manually
all_callbacks = mythic_get_callbacks()
xenon_callbacks = [cb for cb in all_callbacks if cb['payloadtype']['name'] == 'xenon']

Filter by host

# Current: Get all, filter manually
all_callbacks = mythic_get_callbacks()
maldev_callbacks = [cb for cb in all_callbacks if cb['host'] == 'MALDEV']

Filter by active status

# Current: Get all, filter manually
all_callbacks = mythic_get_callbacks()
active_callbacks = [cb for cb in all_callbacks if cb['active'] == True]

Combined filters

# Want: Active xenon callbacks on MALDEV
all_callbacks = mythic_get_callbacks()
filtered = [cb for cb in all_callbacks 
            if cb['active'] and 
            cb['payloadtype']['name'] == 'xenon' and 
            cb['host'] == 'MALDEV']

Impact

  • Unnecessary data transfer for large operations with many callbacks
  • More complex automation code
  • Harder to write quick one-liners during assessments
  • Reduces efficiency when targeting specific agent types or hosts

Proposed Solution

Add Optional Filter Parameters

mythic_get_callbacks(
  payload_type: Optional[str] = None,     # Filter by payload type name
  host: Optional[str] = None,              # Filter by hostname (exact or partial match)
  active_only: Optional[bool] = None,      # Only return active callbacks
  integrity_level: Optional[int] = None,   # Filter by integrity level
  user: Optional[str] = None               # Filter by username
)

Usage Examples

# Get all active xenon callbacks
mythic_get_callbacks(payload_type="xenon", active_only=True)

# Get all callbacks on specific host
mythic_get_callbacks(host="MALDEV")

# Get high-integrity callbacks
mythic_get_callbacks(integrity_level=3, active_only=True)

# Combined filters
mythic_get_callbacks(
  payload_type="xenon",
  host="MALDEV",
  active_only=True
)

Alternative: Separate Filtering Tool

If modifying mythic_get_callbacks is complex, add a separate tool:

mythic_filter_callbacks(
  payload_type: Optional[str],
  host: Optional[str],
  active_only: Optional[bool]
)

Implementation Notes

  • Server-side filtering preferred (reduces data transfer)
  • Consider substring/regex matching for host names ("MALDEV" matches "MALDEV-01", "MALDEV-02")
  • All filters should be optional (omitted = no filtering on that dimension)
  • Return empty list if no callbacks match filters

Related Tools

Consider adding similar filtering to:

  • mythic_get_tasks - filter by status, command, callback
  • mythic_get_files - filter by filename pattern, callback
  • mythic_get_credentials - filter by type, realm

Priority

Low-Medium - Quality of life improvement, especially valuable for large operations with many callbacks

Context

Encountered during a security assessment when trying to find specific callbacks (e.g., "all active xenon agents on MALDEV"). The current workflow requires fetching all callbacks and filtering manually, which is verbose and inefficient.
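
A client-side sketch of the filter semantics listed under Implementation Notes, added here as an example and not part of the original issue or the project's code. The function name `filter_callbacks`, the `integrity_level` and `user` record keys, and case-insensitive host matching are assumptions; because it runs after the fetch, it does not give the data-transfer saving that server-side filtering would.

```python
from typing import Any, Dict, List, Optional

Callback = Dict[str, Any]


def filter_callbacks(
    callbacks: List[Callback],
    payload_type: Optional[str] = None,
    host: Optional[str] = None,
    active_only: Optional[bool] = None,
    integrity_level: Optional[int] = None,
    user: Optional[str] = None,
) -> List[Callback]:
    """Apply the proposed filters to an already-fetched callback list.

    Every filter is optional; None means "do not filter on this field".
    An empty list is returned when nothing matches.
    """
    def keep(cb: Callback) -> bool:
        # payloadtype may be missing or null in a record; treat it as unnamed.
        if payload_type is not None:
            if (cb.get("payloadtype") or {}).get("name") != payload_type:
                return False
        # Assumption: host is a case-insensitive substring match,
        # so "MALDEV" matches "MALDEV-01" and "maldev-03".
        if host is not None:
            if host.lower() not in (cb.get("host") or "").lower():
                return False
        # active_only=None or False keeps inactive callbacks in the result.
        if active_only and not cb.get("active"):
            return False
        if integrity_level is not None and cb.get("integrity_level") != integrity_level:
            return False
        if user is not None and cb.get("user") != user:
            return False
        return True

    return [cb for cb in callbacks if keep(cb)]


# Constructed sample records (not real data); key names beyond 'host',
# 'active' and 'payloadtype' are assumed to mirror the proposed parameters.
SAMPLE: List[Callback] = [
    {"id": 1, "host": "MALDEV-01", "user": "alice", "active": True, "integrity_level": 3, "payloadtype": {"name": "xenon"}},
    {"id": 2, "host": "MALDEV-02", "user": "bob", "active": False, "integrity_level": 2, "payloadtype": {"name": "xenon"}},
    {"id": 3, "host": "WS-07", "user": "alice", "active": True, "integrity_level": 2, "payloadtype": {"name": "example_agent"}},
    {"id": 4, "host": "maldev-03", "user": "carol", "active": True, "integrity_level": 3, "payloadtype": None},
]
```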

Labels: enhancement (New feature or request)