From 670fd19ea3dc343f78c74f25a0791dc879ed8521 Mon Sep 17 00:00:00 2001
From: johnk3r
Date: Fri, 8 Sep 2023 17:29:36 -0300
Subject: [PATCH] Create mythic-c2-ssl.yaml

---
 ssl/c2/mythic-c2-ssl.yaml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 ssl/c2/mythic-c2-ssl.yaml

diff --git a/ssl/c2/mythic-c2-ssl.yaml b/ssl/c2/mythic-c2-ssl.yaml
new file mode 100644
index 0000000000..c8881d969c
--- /dev/null
+++ b/ssl/c2/mythic-c2-ssl.yaml
@@ -0,0 +1,31 @@
+id: mythic-c2-ssl
+
+info:
+  name: Mythic C2 SSL - Detect
+  author: johnk3r
+  severity: info
+  description: |
+    Mythic is a multiplayer, command and control platform for red teaming operations
+  reference: |
+    https://docs.mythic-c2.net
+    https://www.team-cymru.com/post/mythic-case-study-assessing-common-offensive-security-tools
+  metadata:
+    max-request: 1
+    verified: "true"
+    shodan-query: ssl:"Mythic"
+    censys-query: services.tls.certificates.leaf_data.issuer.common_name:Mythic
+  tags: c2,ir,osint,malware
+
+ssl:
+  - address: "{{Host}}:{{Port}}"
+
+    matchers:
+      - type: word
+        part: issuer_dn
+        words:
+          - "O=Mythic"
+
+    extractors:
+      - type: json
+        json:
+          - " .issuer_dn"
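Review bot: The `type: word` matcher on `issuer_dn` is a substring test, so `"O=Mythic"` also fires on any issuer whose organization merely begins with "Mythic" (e.g. a legitimate "O=Mythic Games" certificate), which makes this an `info`-severity detection prone to false positives on unrelated hosts. If the DN is rendered comma-separated, anchoring the value would tighten it: change `type: word` to `type: regex`, `words:` to `regex:`, and the value to `"O=Mythic(,|$)"`; alternatively add a second condition on the `CN` so both fields must agree, and note in `description` that operators can replace the default self-signed certificate, so a miss is not evidence of absence. Separately, `verified: "true"` is quoted and therefore parsed as a string rather than a boolean; if this metadata field is meant to be boolean, write `verified: true`. The `description: |` and `reference: |` block scalars keep a trailing newline; `|-` drops it and is the cleaner form for single-line prose.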