[UX Feedback] Keyboard Control Behavior and More

[cmprmsd]

Hey there!

Just tried the C2 UI out and I found some stuff that can be improved, if you like to 😊

• When going up or down in the history of commands the cursor places at the beginning. Casual CLI behavior would put the cursor at the and. So this was kind of confusing
• The tab completion does accept tabs but not shift-tabs. This would allow to go back in the flags, if one skipped over the desired item
• When starting to type commands the UI could display a list of available commands. There is no "easy" way of exploring the features interactively. One would have to go through the documentation, which can of course also be a design decision. However, I like seeing the available commands in the list, as by concept of e.g. Apollo each implant might have a different subset of commands available.
• I have yet to play around with this, but how is the look and feel when you run execute-assembly and have multiple arguments that may contain dash commands itself? Would they look like the following?
  execute-assembly -Assembly seatbelt.exe -arguments -this -looks -confusing -to -me 5
  I can imagine this is hell for the parser. Ideas for this would be -- separation or quotes like
  execute-assembly seatbelt.exe -- -this -looks -confusing -to -me 5 or
  execute-assembly -Assembly seatbelt.exe -arguments "-this -looks -confusing -to -me 5"
  I like the first option more, as it feels more cli like. However, user must be made aware of this usage 😅
• The top navigation bar holds items like "Payloads and C2 Profiles" that do not open submenus as well as items that open up the second row of navigation. This is a bit confusing especially because the sorting of the second navigation bar is different than the main menu at the top.
• The second navigation bar feels "doubled". It might make sense to group all top row items into one group element "agents" "implants" or whatsoever and then keep the second menu as it is.
• I still have to find the part of the UI where I can register new dotnet binaries. From the in-page help or notifications one cannot guess the right place to do this as far as I tried. Will read the documentation though. :)
• "Register New Credential" will not refresh the table. F5 is needed to see the new results.
• Editing credentials will open a context menu with four+ items to choose what should be changed. This could/should be the full dialog with all fields to tab/shift-tab through
• ok, found register_assembly. When completing arguments of execute-assembly in CLI it happens to me that I autocomplete -assembly with tab, then press space and press tab again to see the available payloads. What happens though? -assembly 😀 As the payloads are available to the shift-enter menu it makes sense to have the assemblies available to the cli auto completion as well. :)
• There could be a kind of library for common arguments that are passed with each command. Not sure how this would look like during real engagements though. If the server persists multiple engagements you could build a "top N used arguments with your selected assembly", which would e.g. display sekurlsa::logonpasswords for mimikatz. Just thinking of nice additions to the UI here.

I hope my feedback makes sense to you 😄
Thanks again for the excellent presentation at your booth at Black Hat.

[its-a-feature]

When starting to type commands the UI could display a list of available commands. There is no "easy" way of exploring the features interactively. One would have to go through the documentation, which can of course also be a design decision. However, I like seeing the available commands in the list, as by concept of e.g. Apollo each implant might have a different subset of commands available.

Mythic used to have this actually, but it very quickly became a headache to maintain as the potential scenarios became unmanageable. For example, people would start typing, have that popup appear with possible commands, but your cursor would also happen to be in that area. You now hit enter to select an option, but do you select the top most one or what the user has hovered (intentionally or not). Scenarios like that (which actually happen) made it too annoying to be worth the effort. The new version works similarly to a CLI where you start typing, hit tab, and you can see matching options that you cycle through. In the next release I will add in the shift+tab and keeping the cursor at the end.

I have yet to play around with this, but how is the look and feel when you run execute-assembly and have multiple arguments that may contain dash commands itself? Would they look like the following?
execute-assembly -Assembly seatbelt.exe -arguments -this -looks -confusing -to -me 5
I can imagine this is hell for the parser. Ideas for this would be -- separation or quotes like
execute-assembly seatbelt.exe -- -this -looks -confusing -to -me 5 or
execute-assembly -Assembly seatbelt.exe -arguments "-this -looks -confusing -to -me 5"
I like the first option more, as it feels more cli like. However, user must be made aware of this usage

So this one kind of depends. If your execute-assembly command takes the -arguments parameter as an array, then you can do execute-assembly -Assembly seatbelt.exe -arguments -this -looks -confusing -to -me 5, execute-assembly -Assembly seatbelt.exe -arguments -this -arguments -looks -arguments -confusing, execute-assembly -Assembly seatbelt.exe -arguments "-this" "-looks" "-confusing" "-to" "-me" "5" and you'll get your array of elements, [-this, -looks, -confusing, -to, -me, 5] each time. If your arguments parameter is a string, then those will all get squashed into "-this -looks -confusing -to -me 5". There is a caveat to this though - Mythic's cli supports positional and named parameters, as well as if parameters are required or not. So depending on how you've defined things as part of your agent, you could even write execute-assembly seatbelt.exe -this -looks -confusing -to -me 5 and have it work as expected too. It all just depends on how the author defined their parameters and how they expect them to go to their agent. This is why it's super helpful, if you're unsure, to do a shift+enter to get the modal popup and see what the agent expects. You should treat raw CLI input as a "short-hand" and the modal as the source of truth since anything you do with a CLI has potential for errors, but the modal is already parsing and splitting things out for you.

The top navigation bar holds items like "Payloads and C2 Profiles" that do not open submenus as well as items that open up the second row of navigation. This is a bit confusing especially because the sorting of the second navigation bar is different than the main menu at the top.
The second navigation bar feels "doubled". It might make sense to group all top row items into one group element "agents" "implants" or whatsoever and then keep the second menu as it is.

I'm not quite sure I'm following what you mean here. Can you attach screenshots so I can see what you mean?

ok, found register_assembly. When completing arguments of execute-assembly in CLI it happens to me that I autocomplete -assembly with tab, then press space and press tab again to see the available payloads. What happens though? -assembly 😀 As the payloads are available to the shift-enter menu it makes sense to have the assemblies available to the cli auto completion as well. :)

Right now the CLI's auto-complete feature doesn't allow you to auto-complete parameter values, only parameter names. Those "assemblies" that you're seeing in the modal window are dynamically generated by calling a function that the agent author provides. It's not something Mythic knows ahead of time.

I still have to find the part of the UI where I can register new dotnet binaries. From the in-page help or notifications one cannot guess the right place to do this as far as I tried. Will read the documentation though. :)

to arbitrary host a file in Mythic, click the paperclip files icon at the top. That'll take you to the page for all file-based management (uploads, downloads, screenshots, filebrowser, etc). There's a button there to host a file. That being said, if you want to upload a file there and have it be available in something like that execute-assembly modal, the agent has to query more than just what's been uploaded in the current callback.

[cmprmsd]

For example, people would start typing, have that popup appear with possible commands, but your cursor would also happen to be in that area. You now hit enter to select an option, but do you select the top most one or what the user has hovered (intentionally or not).

That's true, when you do not validate if the mouse has been moved after the last keystroke. As a solution that fits both needs the following would be possible:

• Pressing tab opens the autocompletion menu
• just typing does not open any autocompletion

The current autocompletion that you mention does work like Powershell. That might be a matter of taste, as I prefer to see all matching options the the letters I already typed (like bash and zsh do it). Depends on your team of course. :)

You should treat raw CLI input as a "short-hand" and the modal as the source of truth since anything you do with a CLI has potential for errors, but the modal is already parsing and splitting things out for you.

Makes sense. I think I would have to find some edge cases in order to provide more feedback on this one. Maybe on my next engagement!

Can you attach screenshots so I can see what you mean?

I will do, as soon as I'm back from vacation 👍 Essentially there are two top bars at the moment, depending which part of the webinterface you browse.

It's not something Mythic knows ahead of time.

I'm sure it knows this information ahead of time as the dotnet assemblies show up, when I press shift+enter (the binaries are listed there). If this is parsed ad-hoc it could also be loaded e.g. on page load, right?

When I upload dotnet assemblies via the paperclip, they will not be registered for the auto completion in the "shft+enter"-menu. However, this will work, when I register a binary via ˋregister_assemblyˋ.

[cmprmsd]

@its-a-feature
Sorry, took a while for the screenshots :D

Regarding the screenshots:

This is confusing as sometimes you get the second menu bar, sometimes not.

Also on several parts the second menu is just not available

and lastly the currently active pane is only highlighted in the second bar, but not in your icon list (the top bar).

I find the bottom bar more intuitive as the names are always visible and the currently active view is also highlighted:

If you like we can also talk any time.