v1.6.0

Added

• Parrot specific web browsers through utls library
  • Use the agent's -parrot command line argument
  • Use the Makefile's PARROT= command line argument
  • Can be changed while the agent is already running
  • Examples include HelloChrome_102 or HelloRandomized
  • List of available strings
  • If a JA3 string is provided, the parrot string will be ignored

Changed

• Require Go v1.19
• The agent package New() function will only print errors to STDOUT instead of returning an error to ensure execution
• JA3 transports are now generated from clients/utls
• Upgraded go-clr to v1.0.3
• Upgraded quic-go to v0.30.0

Fixed

• Issue 20 - Manually get username & group for Windows
• Issue 21 - Resolved file download re-write error

Removed

• Removed ja3transport module and moved code into clients/utls

Merlin documentation and Wiki can be found here

The compressed files have a password of merlin

v1.5.0

Added

• Added new SOCKS5 functionality

Changed

• Go v1.18 is now the minimum supported version
• Upgraded quic-go to v0.28.0
• Upgraded Go JOSE to v2.6.0
• The Send() of the ClientInterface interface returns a list of messages.Base instead of a single message
• Initial checkin immediately responds to first AgentInfo request after authenticating instead of after sleep time

Fixed

• Issue 17 - Ensure process structure pointer is not nil

Merlin documentation and Wiki can be found here

The compressed files have a password of merlin

v1.4.2

Fixed

• Issue 9 - Replaced TokenGroup with TokenUser
• Issue 14 - Let writer close channel and don't try to close STDIN
• Issue 16 - Handle jobs.Results & jobs.AgentInfo in jobsHandler()

Merlin documentation and Wiki can be found here

The compressed files have a password of merlin

v1.4.1

Added

• Go build tags to separate out Mythic client from standalone HTTP1/2/3 client
• Added SLEEP to Make file (e.g., make windows SLEEP=2m)

Fixed

• Issue 13 - Added byte slice variable as a workaround

Changed

• Upgraded quic-go to v0.27.0 for Go 1.18 support

Merlin documentation and Wiki can be found here

The compressed files have a password of merlin

v1.4.0

Added

• Added a new memory command for Windows agents to read/write memory
  • Uses direct syscalls for NtReadVirtualMemory, NtProtectVirtualMemory, & ZwWriteVirtualMemory implemented using BananaPhone
  • The commands take module name (e.g., ntdll.dll) and a procedure name (e.g., EtwEventWrite) to target read/write operations
  • The read command will just read the specified number of bytes and return the results
  • The write command will just write the specified bytes without reading them first
  • The patch command will find a specified function, read the existing bytes, and then overwrite it with the provided bytes
• Added AmsiScanBuffer patch when loading assemblies into the agent process through the load-assembly command

Changed

• Upgraded go-clr package to tagged version 1.0.2

Merlin documentation and Wiki can be found here

The compressed files have a password of merlin

v1.3.1

Added

• Added Garble builds to the Make file
  • windows-garble, linux-garble, & darwin-garble
  • THE SERVER MUST BE GARBLED WITH THE EXACT SAME SEED
  • Specify the seed at build with make windows-debug SEED=<your seed valuee>
• Added GetProcessWindowStation and GetThreadDesktop functions in the user32 package

Changed

• Renamed the SendMerlinMessage function of the ClientInterface to just Send()
• Modified CreateProcessWithToken function in the windows/os/pkg/tokens package to adjust the caller's station and
  desktop DACLs if the token user belongs to a different session

Fixed

• Issue 10 - The shell command now uses associated impersonation token
• Issue 11 - The token is now passed along with execution
• Issue 12 - If running as NT AUTHORITY\SYSTEM with an impersonation token, Call LogonUserW and then CreateProcessWithTokenW instead of CreateProcessWithLogon with Merlin's runas command

Merlin documentation and Wiki can be found here

The compressed files have a password of merlin

v1.3.0

Changed

• Added the Integrity field to the Agent structure
• Added message padding to the following Mythic messages types for the Mythic client:
  • CheckIn
  • Tasking
  • PostResponse
  • RSARequest
  • PostResponseFile
  • PostResponseDownload

Added

• Added os.GetIntegrityLevel() to enumerate the agent's integrity level or elevated status
  • Windows: 2-Medium, 3-High, 4-System
  • All other OS: 3 - member of sudo group, 4 - running as root
• Added a random amount of message padding, up to the padding max value, to HTTP post requests for the Mythic client

Merlin documentation and Wiki can be found here

The compressed files have a password of merlin

v1.2.1

Fixed

• Issue 6 - Message padding is now a random length instead of a fixed length
• Issue 7 - Windows Access Token now persists between commands

Merlin documentation and Wiki can be found here

The compressed files have a password of merlin

v1.2.0

Added

• rm command to remove, or delete, files using native Go functions
• runas Windows command to create a process as another user with their password
• ssh Connect to a remote host over SSH and execute a command (non-interactive)
• token Windows command to interact with Windows Access Tokens
  • make Create a new token with a username and password; Unlisted make_token alias
  • privs List the current or remote process token privileges
  • rev2self Drop any created or stolen access token and revert to original configuration; Unlisted rev2self alias
  • steal Steal a token from another process; Unlisted steal_token alias
  • whoami Enumerate process and thread token username, logon ID, privilege count, token type, impersonation level, and integrity level
• New os/windows/api directory for operating system specific API and system calls
• New os/windows/pkg directory for functions that wrap operating system specific calls
• Added commands/os with Setup() and TearDown() functions to prep and release process space before executing any commands
  • Due to how the Go runtime works, stolen/created Windows access token must be applied/released for each run of a command
• Add both a -headers command line argument and HEADERS= Make parameter to add arbitrary HTTP headers
  • The flag takes in a new-line seperated (e.g., \n) list of headers
• FreeBSD Makefile build support from paullj1 in Pull 3
• Read STDIN for 500 milliseconds for agent argument from paullj1 in Pull 3

Changed

• Broke the commands/transfer.go file into commands/download.go and commands/upload.go
• The ls command can now handle Windows UNC paths
• The run, shell, execute-assembly, execute-pe, & execute-shellcode commands will use the Windows CreateProcessWithTokenW function call if a token was stolen/created
• Updated go-quic library to v0.24.0

Fixed

• Issue 117 - Added random padding to OPAQUE messages

Merlin documentation and Wiki can be found here

The compressed files have a password of merlin

v1.1.0

Highlights

Added

• sdelete - Securely delete a file
• ps - Get a Windows process list
• touch - Timestomp a file
• netstat - List network connections
• pipes - List Windows named pipes
• env - View, add, remove environment variables
• uptime - View the host's uptime
• ifconfig/ipconfig - Prints host network adapter information.
• kill - Stop or kill a running process by its process ID (PID)

Changed

• The Merlin Agent config structure now takes a list of comma-separated URLs that the agent will rotate through

Merlin documentation and Wiki can be found here

The compressed files have a password of merlin