{
	"id": "56617433-7e50-4bab-a80a-005b1aace28a",
	"created_at": "2026-04-06T00:14:23.019235Z",
	"updated_at": "2026-04-10T03:20:17.382912Z",
	"deleted_at": null,
	"sha1_hash": "f9a07b7d88f14bc9fcccb6e7a2663fb543715735",
	"title": "GitHub - MythicAgents/Apollo: A .NET Framework 4.0 Windows Agent",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 269350,
	"plain_text": "GitHub - MythicAgents/Apollo: A .NET Framework 4.0 Windows\r\nAgent\r\nBy its-a-feature\r\nArchived: 2026-04-05 21:41:25 UTC\r\nApollo is a Windows agent written in C# using the 4.0 .NET Framework designed to be used in SpecterOps\r\ntraining offerings.\r\nInstallation\r\nTo install Apollo, you'll need Mythic installed on a remote computer. You can find installation instructions for\r\nMythic at the Mythic project page.\r\nFrom the Mythic install directory, use the following command to install Apollo as the root user:\r\n./mythic-cli install github https://github.com/MythicAgents/Apollo.git\r\nFrom the Mythic install directory, use the following command to install Apollo as a non-root user:\r\nsudo -E ./mythic-cli install github https://github.com/MythicAgents/Apollo.git\r\nOnce installed, restart Mythic to build a new agent.\r\nNotable Features\r\nP2P Communication\r\nCredential Tracking and Manipulation\r\nUnmanged PE, .NET Assembly, and PowerShell Script Execution\r\nUser Exploitation Suite\r\nSOCKSv5 Support\r\nhttps://github.com/MythicAgents/Apollo\r\nPage 1 of 11\n\nAdvanced HTTPX Profile with Malleable Configuration Support\r\nMessage Transform Support (Base64, NetBIOS, XOR, etc.)\r\nDomain Rotation and Proxy Support\r\nCommands Manual Quick Reference\r\nCommand Syntax Description\r\nassembly_inject\r\nassembly_inject -PID [pid] -Assembly\r\n[assembly] -Arguments [args]\r\nExecute .NET assembly in\r\nremote process.\r\nblockdlls blockdlls -EnableBlock [false]\r\nBlock non-Microsoft signed\r\nDLLs from loading into post-ex\r\njobs.\r\ncat cat -Path [file] Retrieve the output of a file.\r\ncd cd -Path [dir] Change working directory.\r\ncp\r\ncp -Path [source] -Destination\r\n[destination]\r\nCopy a file from path to\r\ndestination.\r\ndcsync\r\ndcsync -Domain contoso.local [-User\r\nusername -DC dc.ip]\r\nDCSync one or more user\r\ncredentials\r\ndownload\r\ndownload -Path [path] [-Host\r\n[hostname]]\r\nDownload a file off the target\r\nsystem.\r\nexecute_assembly\r\nexecute_assembly -Assembly\r\n[assembly.exe] -Arguments [args]\r\nExecute a .NET assembly\r\nregistered with register_file\r\nexecute_coff\r\nexecute_coff -Coff [object.x64.o] -\r\nFunction [go] -Timeout [30] [-Arguments\r\n[args]]\r\nExecute a object file (BOF) that's\r\nbeen registered with\r\nregister_file\r\nexecute_pe\r\nexecute_pe -PE [binary.exe] -Arguments\r\n[args]\r\nExecute a statically compiled\r\nexecutable that's been registered\r\nwith register_file\r\nexit exit Task agent to exit.\r\nget_injection_techniques get_injection_techniques\r\nShow currently registered\r\ninjection techniques as well as\r\nthe current technique.\r\nhttps://github.com/MythicAgents/Apollo\r\nPage 2 of 11\n\nCommand Syntax Description\r\ngetprivs getprivs\r\nEnable as many privileges as\r\npossible for the current access\r\ntoken.\r\nifconfig ifconfig\r\nGet Network Adapters and\r\nInterfaces\r\ninject inject\r\nInject a new payload into a\r\nremote process.\r\ninline_assembly\r\ninline_assembly -Assembly\r\n[Assembly.exe] -Arguments [Additional\r\nArgs]\r\nExecute a .NET assembly in the\r\ncurrently executing process that's\r\nbeen registered with\r\nregister_file\r\njobkill jobkill [jid] Kill a running job in the agent.\r\njobs jobs List all running jobs.\r\nkeylog_inject keylog_inject -PID [pid]\r\nInject a keylogger into a remote\r\nprocess.\r\nkill kill -PID [pid]\r\nAttempt to kill the process\r\nspecified by [pid] .\r\nlink link\r\nLink to a P2P agent via SMB or\r\nTCP. Modal popup only.\r\nload load command1 command2 ...\r\nLoad new commands into the\r\nagent.\r\nls ls [-Path [path]]\r\nList files and folders in [path] .\r\nDefaults to current working\r\ndirectory.\r\nmake_token make_token\r\nImpersonate a user using\r\nplaintext credentials. Modal\r\npopup.\r\nmimikatz mimikatz -Command [args]\r\nExecute Mimikatz with the\r\nspecified arguments.\r\nmkdir mkdir -Path [dir] Create a directory.\r\nmv\r\nmv -Path [source] -Destination\r\n[destination]\r\nMove a file from source to\r\ndestination. Modal popup.\r\nhttps://github.com/MythicAgents/Apollo\r\nPage 3 of 11\n\nCommand Syntax Description\r\nnet_dclist net_dclist [domain.local]\r\nList all domain controllers for the\r\ncurrent or specified domain.\r\nnet_localgroup_member\r\nnet_localgroup_member -Group\r\n[groupname] [-Computer [computername]]\r\nRetrieve membership information\r\nfrom a specified group on a given\r\ncomputer.\r\nnet_localgroup net_localgroup [computer]\r\nRetrieve local groups known by a\r\ncomputer. Default to localhost.\r\nnet_shares net_shares [-Computer [computer]] Show shares of a remote PC.\r\nnetstat\r\nnetstat [-Tcp -Udp -Established -\r\nListen]\r\nGet TCP and UDP connections\r\npowerpick powerpick -Command [command]\r\nExecutes PowerShell in a\r\nsacrificial process.\r\npowershell powershell -Command [command]\r\nExecutes PowerShell in your\r\ncurrently running process.\r\npowershell_import powershell_import\r\nRegister a new .ps1 file to be\r\nused in other PowerShell jobs\r\nppid ppid -PID [pid_integer]\r\nSet the PPID of sacrificial jobs to\r\nthe specified PID.\r\nprintspoofer printspoofer -Command [command]\r\nExecute a command in SYSTEM\r\nintegrity so long as you have\r\nSeImpersonate privileges.\r\nps ps List process information.\r\npsinject\r\npsinject -PID [pid] -Command\r\n[command]\r\nExecutes PowerShell in the\r\nprocess specified by [pid] .\r\nNote: Currently stdout is not\r\ncaptured of child processes if not\r\nexplicitly captured into a variable\r\nor via inline execution (such as\r\n$(whoami) ).\r\npth\r\npth -Domain [domain] -User [username]\r\n-NTLM [ntlm_hash] [-AES128 [aes128_key]\r\n-AES256 [aes256_key] -Run\r\n[program.exe]]\r\nUse mimikatz 's pth module to\r\nspawn a process with alternate\r\ncredentials.\r\nhttps://github.com/MythicAgents/Apollo\r\nPage 4 of 11\n\nCommand Syntax Description\r\npwd pwd Print working directory.\r\nreg_query\r\nreg_query -Hive\r\n[HKCU:\\|HKU:\\|HKLM:\\|HKCR:\\] [-Key\r\n[keyname]]\r\nQuery all subkeys of the\r\nspecified registry path. Needs to\r\nbe of the format HKCU:\\ ,\r\nHKLM:\\ , or HKCR:\\ .\r\nreg_write_value\r\nreg_write_value -Hive\r\n[HKCU:\\|HKU:\\|HKLM:\\|HKCR:\\] -Key\r\n[keyname] [-Name [value_name] -Value\r\n[value_value]]\r\nWrite specified values to the\r\nregistry keys.\r\nregister_assembly register_assembly\r\nRegister a .NET assembly with\r\nthe agent to be used in .NET\r\npost-exploitation activities\r\nregister_file register_file\r\nRegister a file to the agent's file\r\ncache. Used to store assemblies,\r\nexecutables, and PowerShell\r\nscripts.\r\nrev2self rev2self\r\nRevert the access token to the\r\noriginal access token.\r\nrm\r\nrm -Path [path] [-Host [hostname] -\r\nFile [filename]]\r\nRemove a file specified by\r\n[path] . Alternatively, if -\r\nFile is provided, -Path will be\r\nused as the directory, and -File\r\nwill be the filename.\r\nrun\r\nrun -Executable [binary.exe] -\r\nArguments [args]\r\nRuns the binary specified by\r\n[binary.exe] with passed\r\narguments (if any).\r\nsc\r\nsc [-Query|-Start|-Stop|-Create|-\r\nDelete] [-Computer [computername] -\r\nDisplayName [display_name] -ServiceName\r\n[servicename] -BinPath [binpath]]\r\n.NET implementation of the\r\nService Control Manager.\r\nscreenshot_inject\r\nscreenshot_inject -PID [pid] [-\r\nInterval [int] -Count [int]]\r\nGet a screenshot of the desktop\r\nsession associated with PID\r\nevery Interval seconds for\r\nCount screenshots.\r\nhttps://github.com/MythicAgents/Apollo\r\nPage 5 of 11\n\nCommand Syntax Description\r\nscreenshot screenshot\r\nGet a screenshot of the current\r\nscreen.\r\nset_injection_technique set_injection_technique [technique]\r\nSet the injection technique used\r\nin post-ex jobs that require\r\ninjection.\r\nshell shell [command]\r\nRun a shell command which will\r\ntranslate to a process being\r\nspawned with command line:\r\ncmd.exe /S /c [command]\r\nshinject shinject\r\nInject given shellcode into a\r\nspecified pid. Modal popup only.\r\nsleep sleep [seconds]\r\nSet the callback interval of the\r\nagent in seconds.\r\nsocks socks -Port [port]\r\nStandup the socks server to proxy\r\nnetwork traffic, routable via\r\nMythic on [port] .\r\nspawn spawn\r\nSpawn a new callback in the\r\npostex process specified by\r\nspawnto_* .\r\nspawnto_x64\r\nspawnto_x64 -Application [path] -\r\nArguments [args]\r\nSets the process used in jobs\r\nrequiring sacrificial processes to\r\nthe specified [path] with\r\narguments [args] .\r\nspawnto_x86\r\nspawnto_x86 -Application [path] -\r\nArguments [args]\r\nSets the process used in jobs\r\nrequiring sacrificial processes to\r\nthe specified [path] with\r\narguments [args] .\r\nsteal_token steal_token [pid]\r\nAttempts to steal the process's\r\nprimary token specified by\r\n[pid] and apply it to our own\r\nsession.\r\nunlink unlink\r\nUnlink a callback linked to via\r\nthe link command. Modal\r\npopup only.\r\nhttps://github.com/MythicAgents/Apollo\r\nPage 6 of 11\n\nCommand Syntax Description\r\nupload upload\r\nUpload a file to a remote path on\r\nthe machine. Modal popup only.\r\nwhoami whoami\r\nReport access token for local and\r\nremote operations.\r\nSupported C2 Profiles\r\nHTTP Profile\r\nThe HTTP profile calls back to the Mythic server over the basic, non-dynamic profile. When selecting options to\r\nbe stamped into Apollo at compile time, all options are respected with the exception of those parameters relating\r\nto GET requests.\r\nHTTPX Profile\r\nAdvanced HTTP profile with malleable configuration support and message transforms. Provides significantly\r\nmore flexibility and OPSEC benefits compared to the basic HTTP profile, making it ideal for red team operations.\r\nSMB Profile\r\nEstablish communications over SMB named pipes. By default, the named pipe name will be a randomly generated\r\nGUID.\r\nTCP Profile\r\nEstablish communications over a specified network socket. Note: If unelevated, the user may receive a prompt to\r\nallow communications from the binary to occur over the network.\r\nWebSocket Profile\r\nEstablish communications over WebSocket connections for real-time bidirectional communication.\r\nSOCKSv5 Support\r\nApollo can route SOCKS traffic regardless of what other commands are compiled in. To start the socks server,\r\nissue socks -Port [port] . This starts a SOCKS server on the Mythic server which is proxychains4\r\ncompatible. To stop the SOCKS proxy, navigate to the SOCKS page in the Mythic UI and terminate it.\r\nQuality of Life Improvements\r\nFile Triage\r\nhttps://github.com/MythicAgents/Apollo\r\nPage 7 of 11\n\nThe ls command reports back a wealth of information and allows operators to easily copy file paths and\r\nexamine permissions of files, in addition to being able to sort and filter files. Clicking the icon under the ACLs\r\ncolumn will show all the permissions of a file. Additionally, this hooks into Mythic's native file browser.\r\nThis shows typical ls output:\r\nInterfaces with Mythic's filebrowser and caches data server-side:\r\nProcess Listings\r\nWhen issuing ps , additional details are retrieved such as:\r\nCompany name of the process executable\r\nDescription of the process executable\r\nFull path of the process\r\nIntegrity level of the process\r\nDesktop session\r\nProcess command line arguments\r\nhttps://github.com/MythicAgents/Apollo\r\nPage 8 of 11\n\nThis process listing also interfaces with Mythic's builtin process browser, which allows you to see process trees\r\nmore easily.\r\nLastly, the associated browser script will do row highlighting based on the process's name (in a one-to-one port of\r\nthis script)\r\nPortable Executable, Assembly, and PowerShell Script Caching\r\nApollo can cache files for expeditious task execution. In general, control flow follows the register_file\r\ncommand followed by whatever command you wish to execute ( execute_assembly , powerpick , execute_pe ,\r\netc.). These files are cached client side via DPAPI encrypted AES256 blobs, preventing their signatures being\r\nexposed outside of task execution.\r\nDynamic Injection Techniques\r\nThe agent can change what code injection technique is in use by post-exploitation jobs that require injection\r\nthrough a suite of injection commands. Currently, injection techniques that are supported:\r\nCreateRemoteThread\r\nQueueUserAPC (Early Bird)\r\nhttps://github.com/MythicAgents/Apollo\r\nPage 9 of 11\n\nJob Tracking\r\nAgent jobs are tracked by job ID, by command, and by the arguments passed to the command so that you know\r\nwhat job correlates to what tasking.\r\nArtifact Tracking\r\nCommands that manipulate the disk, create new logons, or spawn new processes will document those changes in\r\nthe Artifact Reporting page as shown below.\r\nhttps://github.com/MythicAgents/Apollo\r\nPage 10 of 11\n\nAnd more!\r\nThere's a number of niceities that come with pairing an agent to Mythic - too many to list in one README. Install\r\nthe agent and see for yourself!\r\nSpecial Thanks\r\nA big thanks goes to those who have contributed to the project in both major and minor ways.\r\nCody Thomas, @its_a_feature_\r\nCalvin Hedler, @001SPARTaN\r\nLee Christensen, @tifkin_\r\nBrandon Forbes, @reznok\r\nThiago Mayllart, @thiagomayllart\r\nMatt Hand, @matterpreter\r\nHope Walker, @IceMoonHSV\r\nJack Ullrich, @winternl_t\r\nElad Shamir, @elad_shamir\r\nBen Turner @benpturner\r\nIan Wallace @strawp\r\nm0rv4i @m0rv4i\r\nHarley Lebeau @r3dQu1nn\r\nAntonio Quina @st3r30byt3\r\nSean Pierce @secure_sean\r\nEvan McBroom, @EvanMcBroom\r\nMatt Ehrnschwender, @M_alphaaa\r\nSource: https://github.com/MythicAgents/Apollo\r\nhttps://github.com/MythicAgents/Apollo\r\nPage 11 of 11",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/MythicAgents/Apollo"
	],
	"report_names": [
		"Apollo"
	],
	"threat_actors": [],
	"ts_created_at": 1775434463,
	"ts_updated_at": 1775791217,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f9a07b7d88f14bc9fcccb6e7a2663fb543715735.pdf",
		"text": "https://archive.orkl.eu/f9a07b7d88f14bc9fcccb6e7a2663fb543715735.txt",
		"img": "https://archive.orkl.eu/f9a07b7d88f14bc9fcccb6e7a2663fb543715735.jpg"
	}
}