Ateeq Sharfuddin

June 3, 2021

An In-memory Embedding of CPython with SCYTHE

In this blog we discuss a project we are open sourcing: An In-memory Embedding of CPython. We provide a brief overview of this research and also share our results with the community. A paper [1] on this research was accepted in the USENIX Workshop on Offensive Technologies (WOOT 2021), which was co-located with IEEE Security and Privacy Workshops this year.

Read Now

April 30, 2021

Loading Capabilities from Memory: Open Sourcing SCYTHE's Windows C In-memory Module Loader

There are three well-known mechanisms a program can choose to use other software [3]: static linking, dynamic linking, and dynamic loading. In Windows, dynamic linking and dynamic loading are handled by the Windows loader, and are done at load time and runtime, respectively.

Read Now

July 8, 2020

Under the Hood: SCYTHE Architectural Overview (Part 1)

Hey, this is Ateeq Sharfuddin, head of the engineering team at SCYTHE. Our team has spent the better part of the past year developing significant improvements for version 3 of the SCYTHE platform. As the threat landscape, including adversary tactics, techniques, and procedures (TTPs), constantly evolves, developing an adversary emulation platform must be similarly agile and updated.

Read Now

February 13, 2020

Breaking Imphash

Signaturing is a technique used to associate a unique value to a malware. Roughly, when an enterprise’s security sensor comes across a file, it computes the file’s signature and chooses to deny access if this signature is in the sensor’s set of known malware signatures.

Read Now


July 26, 2021

Adaptive Adversary Emulation (Part 1): Execution Details

Back in 2019 at the inaugural SANS Purple Team Summit I gave a talk titled “Adaptive Adversary Emulation with MITRE ATT&CK®”. In the talk I go over how small changes to adversary emulation plans can provide significant results and allow a deliberate approach to generating iterative tests.

Read Now

July 22, 2021

You can’t detect 0-day exploits but… you can detect what happens next

A zero day (or 0-day) is a vulnerability that is not known by the software vendor nor the end users. They are a great way to gain initial access into an organization without being detected. Zero days are rarely used in widespread attacks as they are a high cost to the attacker (identifying a vulnerability that has a high chance of successful exploitation).

Read Now

July 22, 2021

Malicious Uses of Blockchains

SCYTHE’s engineering team shares their most recent article on the malicious uses of Blockchains. Here’s why this is important: Cryptocurrencies are discussed often, but few understand what they are or how they work. The engineering team defines each cryptocurrency type in detail.

Read Now