Poopsie is a cross-platform C2 agent for the Mythic framework, written in Nim. It is designed to be lightweight, efficient, and feature-rich, making it suitable for red team operations across various environments.
- Cross-platform: Supports Windows and Linux
- Multiple C2 Profiles: http, httpx, websocket, dns, tcp, smb
- Token Impersonation: Full support for `make_token` and `steal_token` with thread-level impersonation
- Network Operations: UNC path support for remote file operations with impersonated credentials
- Process Injection: Advanced injection capabilities with `shinject` and `inline_execute`
- SOCKS Proxy: Built-in SOCKS5 proxy support
- Assembly Execution: Load and execute .NET assemblies in-memory
- PowerShell: Execute PowerShell commands without `powershell.exe` via PowerPick
- Lightweight: Small binary size with optimized compilation flags

- `cat` - Read file contents (supports UNC paths)
- `cd` - Change current directory
- `cp` - Copy files (supports UNC paths)
- `download` - Download files from target (supports UNC paths, chunked)
- `ls` - List directory contents (supports UNC paths via host parameter)
- `mkdir` - Create directories (supports UNC paths)
- `mv` - Move/rename files (supports UNC paths)
- `pwd` - Print working directory
- `rm` - Remove files/directories (supports UNC paths via host parameter)
- `upload` - Upload files to target (supports UNC paths via host parameter, chunked)

- `execute_assembly` - Execute .NET assemblies in-memory
- `inline_execute` - COFF loader, execute beacon object files
- `powerpick` - Execute PowerShell without `powershell.exe`
- `ps` - List running processes
- `pty` - Spawn an interactive pseudo-terminal
- `run` - Execute programs (respects impersonation tokens with `CreateProcessAsUserW`)
- `shinject` - Inject shellcode into remote processes
- `sleep` - Adjust callback interval and jitter

- `make_token` - Create logon session and impersonate user (supports both `LOGON32_LOGON_NEW_CREDENTIALS` and `LOGON32_LOGON_INTERACTIVE`)
- `rev2self` - Revert to original process token
- `steal_token` - Duplicate and impersonate token from target process
- `whoami` - Display current user context (shows impersonated user when active)

- `clipboard` - Get current clipboard contents (Windows)
- `clipboard_monitor` - Monitor clipboard changes for a duration (Windows, background task)
- `get_av` - Enumerate installed antivirus products (Windows)
- `portscan` - Scan hosts for open TCP ports (background task, incremental scanning)
- `screenshot` - Capture screenshot of the desktop

- `donut` - Execute .NET assemblies via donut-generated shellcode (Windows)
- `inject_hollow` - Inject shellcode into remote processes via process hollowing (Windows)

- `socks` - Start/stop SOCKS5 proxy for pivoting

- `exit` - Terminate the agent

To install Poopsie, you will need Mythic set up on a machine.
In the Mythic root directory, use `mythic-cli` to install the agent.

```bash
sudo ./mythic-cli install github https://github.com/MythicAgents/Poopsie
sudo ./mythic-cli payload start poopsie
```

or

- Clone this repository
- From the Mythic server, run:

  ```bash
  sudo ./mythic-cli install folder /path/to/Poopsie/
  ```

- Start the Mythic server:

  ```bash
  sudo ./mythic-cli start
  ```

The agent is automatically built by Mythic when creating a payload. Compilation options include:
- Output Type: Executable (default), Shellcode, DLL, or Service
- Architecture: x64 or x86
- Security Options:
  - Message encryption (AES-256)
  - Payload compression (UPX)
  - Shellcode encryption (XOR variants, RC4, ChaCha20)
- Evasion Options:
  - Debug Mode - Enable detailed logging for troubleshooting
  - Sleep Obfuscation - Configure sleep obfuscation technique (Ekko for x64 Windows)
  - Self Delete - Optional self-deletion after execution (Windows & Linux)
  - Daemonize - Hide console window or run in background

Poopsie is written in Nim and uses:
- `winim/lean` for Windows API bindings
- `std/json` for Mythic protocol communication
- Cross-compilation with MinGW for Windows targets

- Author: @haha150
- Poopsie is inspired by and incorporates techniques from various open-source projects in the red team community.
- Your friendly neighborhood LLM