Christopher Peacock

July 28, 2022

Threat Emulation: Qakbot

Welcome to the July 2022 SCYTHE #ThreatThursday! This edition features an emulation of Qakbot, a piece of malware that is no stranger to the threat intel community.

Read Now

June 30, 2022

Windows Telemetry Persistence

June’s Threat Thursday will focus on a unique persistence method that is not widely used by threat actors, but works all the way through at least Windows 11 21H2. In 2020 a few researchers from TrustedSec outlined a unique method of persistence that leverages Windows Telemetry.

Read Now

May 26, 2022

Threat Emulation: Industroyer2 Operation

Welcome to the May 2022 SCYTHE #ThreatThursday! This month we are featuring the recent Industroyer2 operation observed in Ukraine with a new campaign. Per the reporting from ESET, the Sandworm threat actor group was most likely responsible for deploying the Industroyer2 malware.

Read Now

May 2, 2022

Adaptive Emulation (Part 2): Execution Methods

This is part 2 of our adversary emulation lead, Tim Schulz's series on adaptive emulation.

Read Now


May 30, 2022

Breaking: Follina (MSDT) Vulnerability

There’s a new vulnerability abusing the ms-msdt protocol handler to execute arbitrary code in Office. Since “msdt vulnerability” is hard to track, Kevin Beaumont dubbed this vulnerability Follina (and we’ll continue to use that nomenclature in this post).

Read Now

May 20, 2022

Version 3.7 of the SCYTHE Platform Released - Demo Video

Now you can easily collaborate with Blue Teams to strengthen cyber defenses. Be more effective and efficient with a centralized dashboard and enhancements to user experience.

Read Now

May 17, 2022

F5 Big-IP appliances vulnerability - Follow-up

Last week, SCYTHE released emulation plans detailing post-exploitation activity by threat actors targeting F5 Big-IP appliances (CVE-2022-1388). To add to the fun, SCYTHE’s own Brandon Radosevich created a module to test for the F5 Big-IP vulnerability. SCYTHE normally focuses exclusively on post-exploitation and vulnerability scanning really isn’t our thing. This is the second time SCYTHE has built vulnerability scanning modules (the other being log4j).

Read Now