UnICORN Library

SCYTHE aims to educate and engage in order to inspire the art of the possible in cybersecurity. Adversarial threats, risk management, and security innovation don’t pause when working from home. We have curated a collection of presentations, research, and conversations from our team. Come enjoy our library and stay tuned for the new unicorn content that will be added regularly.

Blog Post

New!

July 26, 2021

Adaptive Adversary Emulation (Part 1): Execution Details

Back in 2019 at the inaugural SANS Purple Team Summit I gave a talk titled “Adaptive Adversary Emulation with MITRE ATT&CK®”. In the talk I go over how small changes to adversary emulation plans can provide significant results and allow a deliberate approach to generating iterative tests.

VIEW

Blog Post

New!

July 22, 2021

You can’t detect 0-day exploits but… you can detect what happens next

A zero day (or 0-day) is a vulnerability that is not known by the software vendor nor the end users. They are a great way to gain initial access into an organization without being detected. Zero days are rarely used in widespread attacks as they are a high cost to the attacker (identifying a vulnerability that has a high chance of successful exploitation).

VIEW

Blog Post

New!

July 22, 2021

Malicious Uses of Blockchains

SCYTHE’s engineering team shares their most recent article on the malicious uses of Blockchains. Here’s why this is important: Cryptocurrencies are discussed often, but few understand what they are or how they work. The engineering team defines each cryptocurrency type in detail.

VIEW

Blog Post

New!

July 21, 2021

Gravwell Integration with SCYTHE

Enterprise-grade platforms have to integrate with other enterprise solutions in order to be effective and efficient for the end user. SCYTHE focuses on providing business value through adversary emulation and showing whether security tools and controls are properly implemented and tuned to detect malicious behavior.

VIEW

Blog Post

New!

July 19, 2021

Beachhead Access in Industrial Control Systems

Attackers will continue to attack industrial control systems (ICS) because they can get the biggest “bang for their buck.” They want to disrupt critical infrastructure either for financial gain or to cause social chaos. Threat modeling gives organizations a way to reduce cybersecurity risk without leading to costly system outages.

VIEW

Blog Post

New!

July 15, 2021

SCYTHE provides new insights on Vulnerability Assessments in TAG Cybers New Report

SCYTHE has been selected by TAG Cyber on behalf of our leadership in the cybersecurity industry and our management of information as a technology solution provider to participate in the creation of its newest report. This report contains vital information regarding vulnerability and identity management, data breaches, and more

VIEW

Blog Post

New!

July 15, 2021

Exfiltration Over Alternative Protocol

Blue Teamers, have you been looking for an automated method of discovery for ports that are allowed in outbound, North/ South (egress) traffic within your network? Your search is over! SCYTHE’s Marketplace offers a free module, Let Me Out (LMO), a SCYTHE port of mubix’s Let Me Out project. This module tests egress traffic for specific ports.

VIEW

Video

New!

July 13, 2021

Attack, Detect, and Respond a UniChat with Ed Amoroso and Bryson Bort

This UniChat was something special. SCYTHE Founder and CEO, Bryson Bort sat down to discuss Attack, Detect, and Respond with ADR collaborator and friend, Ed Amoroso. Ed is the CEO of TAG Cyber, a cyber expert, and a long-time friend. Bort and Amoroso opened the UniChat by sharing the story of ADR and how it originated. Attack, Detect, and Respond was born out of a need for companies to prioritize aligning risk assessments with business.

VIEW

#ThreatThursday

New!

July 8, 2021

Threat Thursday - Exfiltration Over Web Service: Exfiltration to Cloud Storage

This #ThreatThursday is all about leveraging cloud storage to exfiltrate data. We also cover a tool that leaves credentials unsecured on the file system. In particular, we are going to look at how threat actors leverage cloud services like MEGA and use open source tools like rclone to exfiltrate data.

VIEW

#ThreatThursday

New!

June 24, 2021

Threat Thursday Top Ransomware TTPs

At SCYTHE we are constantly collaborating with industry experts and organizations. Recently, someone reached out as they are building out a ransomware readiness assessment. “We are looking for a consolidated mapping of major ransomware actors on the ATT&CK framework, like SCYTHE does for individual actors on #ThreatThursday.

VIEW

#ThreatThursday

New!

June 17, 2021

Threat Thursday - Evading Defenses with ISO files like NOBELIUM

Microsoft released a blog post late on Thursday May 27, 2021 about a new sophisticated email-based attack from NOBELIUM, the SolarWinds threat actor, where they compromised Constant Contact to send malicious emails with a weaponized ISO file.For this post, we look at the recent attack from NOBELIUM and show how to emulate these techniques with SCYTHE. We also committed an atomic test to the Atomic Red Team project.

VIEW

Blog Post

New!

June 17, 2021

TSA Pipeline Security Guidelines and ADR

In April 2021, the Transportation Security Administration (TSA) updated its TSA Pipeline Security Guidelines. The Colonial Pipeline ransomware attack means more attention will be paid to the cybersecurity posture of the oil and natural gas (ONG) industry. Understanding the changes to the TSA Pipeline Security Guidelines shows how Attack, Detect, and Response (ADR) can enhance security.

VIEW

Blog Post

New!

June 9, 2021

The Real Costs of Ransomware: Direct Costs

Ransomware is a growing problem for organizations of all sizes and it is becoming a national security threat. As threat actors continue to look for new ways to hold companies and data hostage, security teams can feel like they’re always one step behind.

VIEW

Announcement

New!

June 8, 2021

SCYTHE is proud to be recognized on the CyberTech100 for 2021

SCYTHE is honored and inspired to be listed among the many exceptional companies named on the CyberTech100 List for 2021. Our hats go off to each company that rose to the challenge of combating one of the most active years in cyber-attacks during 2021, and we look forward to continuing to rise to the occasion, as we face challenges in the years to come.

VIEW

CISO Stressed

New!

June 8, 2021

CISO Stressed Episode 5: Nick Andersen

On this episode of CISO STRESSED, Elizabeth Wharton SCYTHE Chief of Staff is joined by Nick Andersen, CISO for Public Sector at Lumen Technologies and Nonresident Senior Fellow with the Cyber Statecraft Initiative at the Atlantic Council.

VIEW

Blog Post

New!

June 7, 2021

SCYTHE & ATT&CK Navigator

How are Blue Teams utilizing SCYTHE? One way the Blue Team can use SCYTHE is by reviewing its reporting. SCYTHE’s reports can be used by the Blue Team in determining how gaps in security controls can be mitigated. In this post, we will be discussing the MITRE ATT&CK Navigator and NIST 800 Navigator Summary reports.

VIEW

Announcement

New!

June 4, 2021

SCYTHE and PlexTrac Integration

VIEW

Blog Post

New!

June 3, 2021

An In-memory Embedding of CPython with SCYTHE

In this blog we discuss a project we are open sourcing: An In-memory Embedding of CPython. We provide a brief overview of this research and also share our results with the community. A paper [1] on this research was accepted in the USENIX Workshop on Offensive Technologies (WOOT 2021), which was co-located with IEEE Security and Privacy Workshops this year.

VIEW

#ThreatThursday

New!

May 27, 2021

Threat Thursday - Conti Ransomware

For this #ThreatThursday we are looking at one of the most common ransomware threat actors, Conti. We are leveraging Cyber Threat Intelligence from a new partner, TrukNo, that provides adversary behavior all the way down to the procedure level, facilitating the creation of adversary emulation plans so that you can test against these behaviors in your production environment more efficiently.

VIEW

Blog Post

New!

May 24, 2021

Introducing the Purple Team Maturity Model

Today we are proposing a preliminary answer to that question, which initially started out as Advanced Purple Teaming and evolved into something even larger in scope (sidenote: Advanced Purple Teaming is coming). Our answer is what we are calling the Purple Maturity Model.

VIEW

Announcement

New!

May 21, 2021

We joined 18 other companies to call for a prioritization of Critical Infrastructure security in the American Jobs Plan.

What a time to be alive. A group letter has been created and sent, asking Congress and the Biden Administration to prioritize cybersecurity in infrastructure legislation SCYTHE would like to thank each of the 19 companies that signed the letter for taking the initiative to strengthen the US infrastructure.

VIEW

Blog Post

New!

May 14, 2021

Why assume breach?

Are you wondering why you and your organization should assume breach? SCYTHE’s Adversary Emulation Lead Tim Schulz answers this frequently asked question, and covers scenarios in which using an assumed breach model can help focus on strengthening detection capabilities.

VIEW

New!

May 11, 2021

The Difference Between Cybersecurity Simulation vs Cybersecurity Emulation

Knowing the different between cybersecurity simulation and cybersecurity emulation helps enhance information security posture by validating teams and tools.

VIEW

CISO Stressed

New!

May 10, 2021

CISO Stressed Episode 4: SCYTHE Chief of Staff Elizabeth Wharton interviews Dr. Pablo Breuer.

On this episode of CISO STRESSED, SCYTHE Chief of Staff Elizabeth Wharton interviews Pablo Breuer, CISO of Security BSides Las Vegas.

VIEW

Blog Post

New!

May 10, 2021

Backdoors and Breaches Expansion Deck

You have heard us say this many times, security is about people, process, and technology. SCYTHE allows you to test, measure, and improve all three. One way that we facilitate training people about what an attack looks like is to display the adversary emulation plan, step by step, prior to execution.

VIEW

#ThreatThursday

New!

May 10, 2021

#ThreatThursday - DarkSide Ransomware

In this blog we consume Cyber Threat Intelligence to understand how the DarkSide ransomware behaves, we create and share an adversary emulation plan so you can quickly test, measure, and improve your people, process, and technology for similar attacks, and we discuss how to detect and respond to DarkSide ransomware.

VIEW

Blog Post

New!

April 30, 2021

Loading Capabilities from Memory: Open Sourcing SCYTHE's Windows C In-memory Module Loader

There are three well-known mechanisms a program can choose to use other software [3]: static linking, dynamic linking, and dynamic loading. In Windows, dynamic linking and dynamic loading are handled by the Windows loader, and are done at load time and runtime, respectively.

VIEW

#ThreatThursday

New!

April 29, 2021

Florida Water Plant Breach

TeamViewer was at the forefront of an attack on a Florida water facility in February 2021. A malicious actor logged into the water treatment facility’s computer system through the remote desktop software and tried to increase the amount of sodium hydroxide to a dangerous level.

VIEW

New!

April 19, 2021

SCYTHE Named 2021 TAG Cyber Distinguished Vendor

SCYTHE is proud to be an industry leader in breach and attack prevention, and would like to announce our designation as a Distinguished Vendor in this year’s Second Quarter 2021 TAG Cyber Security Quarterly.

VIEW

Blog Post

New!

April 19, 2021

Vulnerability Management is Hard! Using CVSS and other scoring to prioritize patching

Vulnerability prioritization focuses on the real, urgent vulnerabilities that need to be patched at a much faster timeline than the "business as usual". This post covers various methods to determine which of those vulnerabilities fall into this category of "patch now":

VIEW

New!

April 15, 2021

UniCon21 Recap

It was a day packed with amazing presentations as we celebrated National Unicorn Day. UniCon21 is a free virtual conference for the security researcher and defender community. Check out all the UniCon21 videos.

VIEW

Blog Post

New!

April 15, 2021

Using SCYTHE payload as Shellcode

Guest blog post by one of our partners, Jean-Maes from NVISO. During Unicon21, I (Jean-Maes) presented how I leverage the D/Invoke project from TheWover to load a SCYTHE campaign using the SCYTHE DLL that is automatically created for each campaign.

VIEW

Blog Post

New!

April 7, 2021

Adversary Emulation Metrics Time to Detect

Offensive security professionals and program coordinators have a learning curve as they mature through the different ethical hacking assessment types. In Vulnerability Assessment/Management and Penetration Testing, we use Common Vulnerabilities and Exposures (CVE IDs) and the Common Vulnerability Scoring System (CVSS) to report a finding using two criteria:

VIEW

Blog Post

New!

April 2, 2021

Setting up SCYTHE-VECTR integration

Many SCYTHE customers like to track their red and purple team exercises in a free reporting tool called VECTR. VECTR is maintained by Security Risk Advisors and we have been working with them on integrations for over a year. Naturally, we help our customers set up VECTR so that they can import SCYTHE campaigns more easily. This is a quick start guide that should help you set up VECTR with SCYTHE integration.

VIEW

#ThreatThursday

New!

March 25, 2021

Threat Thursday - Lazarus

The Lazarus Group (aka HIDDEN COBRA/Guardians of Peace/ZINC/NICKEL ACADEMY)! Lazarus was an extremely active adversary in 2020 and has continued to build capability over the past decade. They are responsible for many high profile hacks seen over the years, such as the Sony hack in 2014. Lazarus Group has been attributed as a North Korean state sponsored hacking group by the FBI.

VIEW

Blog Post

New!

March 2, 2021

Defense Evasion with SCYTHE

“Do you have any tips and tricks to avoiding Anti Virus (AV) and Endpoint Detection and Response (EDR) for initial execution so we can focus on testing the post access adversary behaviors with SCYTHE?” We get this question all the time and figured we should share the answer(s) here in our library. While we will focus on doing this with SCYTHE, you can apply these practices to other tools as well.

VIEW

#ThreatThursday

New!

February 25, 2021

#ThreatThursday - menuPass with special guest Shane Patterson

For this #ThreatThursday is menuPass! Tim Schulz caught up with Shane Patterson to discuss MITRE Engenuity's plan release, challenges in creating emulation plans, and what makes this threat unique!

VIEW

#ThreatThursday

New!

February 25, 2021

#ThreatThursday - menuPass

For this Threat Thursday we are going to look at menuPass (aka APT10/Stone Panda/Red Apollo/CVNX/Potassium/Cloud Hopper), a cyber threat actor responsible for global intellectual property theft that is thought to be affiliated with, or working at the behest of, the Chinese Ministry of State Security.

VIEW

Blog Post

New!

February 18, 2021

How to Defend Against Ransomware

At the RSA Conference in 2020, I gave a joint talk with Chris Krebs, CISA Director at the time, on the formal collaboration between the agency and the non-profit, ICS Village. One of our biggest concerns for the future was ransomware. And unfortunately, we were right.

VIEW

Announcement

New!

February 18, 2021

SCYTHE v3.2 is Available!

We are excited to announce the release of SCYTHE version 3.2! This release brings a number of new features, many of which were specifically created out of feedback from our amazing customers!

VIEW

Blog Post

New!

February 17, 2021

The continuing pain of PowerShell

Microsoft’s PowerShell has long been used by system administrators, and in 2013 when Dave Kennedy and Josh Kelley gave the infamous talk: “PowerShell...omfg”, it was brought to the attention of many security professionals.

VIEW

Blog Post

New!

February 10, 2021

Our Founder and CEO Bryson Bort breaks down the Florida water treatment facility attack.

The attack on the water treatment facility located in Oldsmar, Florida, disclosed last week highlights security shortages in the water utility sector and the rest of the U.S. critical infrastructure sector.

VIEW

Blog Post

New!

February 4, 2021

Introduction to Adversary Emulation

What is adversary emulation? Adversary emulation leverages adversary tactics, techniques, and procedures, enhanced by cyber threat intelligence, to create a security test based on real world intrusion campaigns.

VIEW

Blog Post

New!

January 28, 2021

Red Team Non-Attributable Infrastructure and the Executive Order

The January 19, 2021 Executive Order on Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities (mouthful) naturally started various debates and discussions around how this affects Red Team Non-Attributable Infrastructure.

VIEW

Blog Post

New!

January 20, 2021

Parsing an Executive Order: Streaming on Your TV Soon

The Executive Order’s proposed know your customer-style and information sharing regulations are more geared towards addressing intellectual property piracy than thwarting a SolarWinds style attack.

VIEW

Blog Post

New!

January 19, 2021

Why you should embrace Purple Team today

We are not introducing a new job role where you have to hire more people or have to spend more money. See, a purple team is a virtual, functional team that fosters collaboration and efficiency in testing, measuring, and improving your current cyber security people, process, and technology (security controls).

VIEW

#ThreatThursday

New!

January 14, 2021

#ThreatThursday - Egregor Ransomware with Sean Gallagher

Jorge Orchilles sits down with Sean Gallagher, a Senior Threat researcher at Sophos Labs. Sean walks us through understanding how this ransomware operates, creating an adversary emulation plan, and the best defense against a similar attack.

VIEW

#ThreatThursday

New!

January 14, 2021

#ThreatThursday - Egregor Ransomware

This week we will take a look at Egregor ransomware that has breached, exfiltrated data, and brought down multiple networks since September 2020. Stealing data before deploying ransomware has been a common modus operandi of the Egregor group.

VIEW

CISO Stressed

New!

January 8, 2021

Leveraging Resources When Chock Full of Challenges.

Elizabeth Wharton interviews Guest Mitch Parker, Exec. Dir./CISO at Indiana University Health. Healthcare security is present on all of our minds these days. The security and medical communities are working together towards the same goal: protecting the people. You may be wondering, what does that look like in today’s world?

VIEW

New!

January 7, 2021

10 Benefits of Red Team Engagements

We have all heard that, “practice makes perfect'', right? This may have been motivating during school, or while playing on a sports team, but what about today? By now, you’ve probably figured out that it’s impossible to be perfect, and that is perfectly fine (pun intended). In the information security field, all organizations are bound to experience a breach at some point.

VIEW

Blog Post

New!

December 30, 2020

Red Team and Threat-Led Penetration Testing Frameworks

We are presenting a curated list of all Red Team Frameworks in a central, easy to find location. Leveraging frameworks and methodologies for offensive security assessments is a best practice to show your customers and clients you have a repeatable, professional offering.

VIEW

Announcement

New!

December 22, 2020

SCYTHE Welcomes Megan Samford to Advisory Council

As SCYTHE looks boldly ahead into the new year, the Unicorns welcome the expertise of Megan Samford to the Advisory Council. Her accomplished security background, Master’s degree in Public Administration, and strong presence on numerous security boards are some of her many accomplishments in our community.

VIEW

Article

New!

December 16, 2020

No Rest for the Weary: Breaches are Inevitable

In the past week, we learned that both FireEye and SolarWinds were breached. These two breaches are significant because of the companies targeted and the service/products they sell to the industry. Both of these large companies being breached prove once again that anyone can be hacked.

VIEW

#ThreatThursday

New!

December 10, 2020

#ThreatThursday - FIN6 Phase 2

FIN6 is a cyber crime group that specializes in stealing payment card data and sells it in underground marketplaces. This group, also known as Skeleton Spider and ITG08, has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors since at least 2017.

VIEW

Article

New!

December 3, 2020

Attack Infrastructure: Red Teams vs. Malicious Actors

Setting up Attack Infrastructure is an important task performed by Red Teamers and malicious adversaries alike. This week, we chat with Joe Slowik, Senior Security Researcher at Domain Tools, about the differences between Red Team and malicious adversary set ups.

VIEW

#ThreatThursday

New!

November 20, 2020

#ThreatThursday - Berserk Bear

As usual for #ThreatThursday, we will understand Berserk Bear’s behavior, map to MITRE ATT&CK and share the ATT&CK Navigator JSON, create and share an adversary emulation plan in the largest, public adversary behavior repository, and discuss how to defend against this energy sector adversary.

VIEW

CISO Stressed

New!

November 10, 2020

Episode 3: Leveraging Resources When Chock Full of Challenges with Guest Mitch Parker

Healthcare is chock full of adventure - rising number patients, increase in malware attacks, and a shift towards remote work. On this episode of CISO STRESSED Liz sits down with Mitch Parker, Exec. Dir./CISO at Indiana University Health and talks about leveraging and maximizing resources and building trust to solve security challenges facing healthcare systems.

VIEW

#ThreatThursday

New!

November 5, 2020

#ThreatThursday - Ryuk

This week, we take a deeper dive into emulating and defending against the ransomware behind a recent spike in healthcare sector attacks - Ryuk Ransomware. Researchers estimate that Ryuk has been behind a third of the ransomware attacks detected in 2020, including the latest surge in hospital and healthcare IT system attacks.

VIEW

Blog Post

New!

October 28, 2020

Active Directory Attacks with Kerberoasting

Kerberoasting is now available in the SCYTHE Marketplace. In this post, Tim Medin explains how Kerberoasting works during Unicon and also releases a Kerberoast module in the SCYTHE Marketplace to enable SCYTHE operators to seamlessly Kerberoast from within SCYTHE.

VIEW

CISO Stressed

New!

October 27, 2020

Episode 2: Digital Empathy in the Customer Experience (Guest Shawn M Bowen)

Building security in the customer experience, not “compliance helmets” - Shawn Bowen, CISO with Restaurant Brands International, joins CISO Stressed Host Liz Wharton to discuss the value of experience-based learning, digital empathy, and the customer experience.

VIEW

#ThreatThursday

New!

October 22, 2020

#ThreatThursday - FIN6

Welcome to another week of #ThreatThursday! This week’s Threat Thursday is going to be slightly different from the standard as we discuss the FIN6 Adversary Emulation plan released by MITRE Engenuity’s Center for Threat-Informed Defense. We will focus on the importance of machine-readable Cyber Threat Intelligence at the adversary behavior and TTP level, sharing adversary emulation plans, and YAML-to-JSON conversion

VIEW

Blog Post

New!

October 16, 2020

SCYTHE Updates: Purple Team Programming

Meeting today's security challenges requires the Red Team and the Blue Team working together simultaneously - creating a Purple Team. Our CTO, Jorge Orchilles, has been leading the charge developing the standard for Purple Team program materials and trainings. Read more to engage, implement, and experience purple.

VIEW

#ThreatThursday

New!

October 15, 2020

#ThreatThursday - APT41

Welcome to another week of #ThreatThursday. This week we leverage an adversary emulation plan created and shared to the community by a third party: APT41 Emulation Plan. As usual, we will cover Cyber Threat Intelligence, create a threat actor profile, create an adversary emulation plan from the work done by Huy, share the plan in our Github, explain some of the new TTPs we will leverage, and discuss how to defend against APT41.

VIEW

CISO Stressed

New!

October 13, 2020

CISO Stressed Episode 1: Wendy Nather & Tyrone Wilson

Conversations stimulate ideas, solutions, and help us feel connected. In our inaugural episode of CISO Stressed guests Wendy Nather and Tyrone Wilson join Liz to discuss how to adjust to shifting work environments while still providing team members with hands-on training experiences, keeping motivated, and favorite ways to cap off the day.

VIEW

Blog Post

New!

October 9, 2020

FAQs - Getting Started in Ethical Hacking

How do I get started in ethical hacking, penetration testing, or red team? I get this question all the time from people with all sorts of goals. Whether you are getting into vulnerability management, wanting to find 0day vulnerabilities, to red teaming, to emulating adversaries against your organization to test, measure, and improve people, process, and technology, this FAQ is for you.

VIEW

#ThreatThursday

New!

October 8, 2020

#ThreatThursday - SlothfulMedia

On October 1, 2020, US-Cert published a Malware Analysis Report (MAR) in relation to a new malware they have seen in the wild called SlothfulMedia. The report suggests this is a “sophisticated cyber actor” but as you will see, it seems like a very typical Remote Access Trojan. As usual, we will review the Cyber Threat Intelligence, create an adversary emulation plan, demonstrate the emulation, and discuss how to defend against this threat.

VIEW

Blog Post

New!

October 2, 2020

Defend Our Healthcare

Hackers are targeting hospitals with increasingly sophisticated ransomware attacks putting patients at risk. Keeping up with what occurs in information security is a daily task for most practitioners. We have seen how ransomware has gone from an opportunistic, unsophisticated attack against end users to more sophisticated, targeted attacks against organizations.

VIEW

#ThreatThursday

New!

October 1, 2020

#ThreatThursday - MAZE

Welcome to another edition of #ThreatThursday. This week we are excited to kick off Cybersecurity Awareness Month looking at MAZE, a ransomware threat which emerged around May 2019, predominantly affecting organizations in the USA. MAZE, like other ransomware, also has an extortion component, where exfiltration of the original data also occurs in addition to the encryption/ransom component.

VIEW

#ThreatThursday

New!

September 17, 2020

#ThreatThursday - HoneyBee

Welcome to another edition of #ThreatThursday. This week we look at Honeybee, a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. This post coincides with a talk I gave at EkoParty on Adversary Emulation.

VIEW

#ThreatThursday

New!

September 10, 2020

#ThreatThursday - PowerShell

This week we will look at a MITRE sub-technique that deserves a #ThreatThursday of its own, PowerShell. As an interactive command-line interface and scripting environment included in all supported versions of the Windows operating system, many threat actors have some history of leveraging PowerShell. This sub-technique is an example of a TTP you cannot prevent in your environment; Microsoft includes PowerShell as part of the underlying operating system and it is virtually impossible to remove.

VIEW

#ThreatThursday

New!

September 3, 2020

#ThreatThursday - SpeakUp

This #ThreatThursday we are releasing our first macOS threat to the SCYTHE Community Threats GitHub. As more and more customers migrate to Apple products, we want to provide adversary emulation plans that work against macOS as well. SCYTHE has the ability to create campaigns for Windows, Linux, and macOS. This post will look at emulating a macOS threat known as SpeakUp.

VIEW

#ThreatThursday

New!

August 27, 2020

#ThreatThursday - Custom Threats

At SCYTHE, we spend a lot of time focusing on adversary emulation as it is an ideal method to maturing your red team engagements and purple team exercises for providing the most business value (see our Ethical Hacking Maturity Model). For this post, we want to cover custom threats. What if a new technique is not seen in the wild?

VIEW

Blog Post

New!

August 25, 2020

UniCon CTF - Know Your Payload

On August 20, 2020 we ran our first SCYTHE User Conference, UniCon, our very own unicorn conference. It was a day packed with amazing speakers, lightning talks, briefings, the release of the Marketplace, and a brand new Capture the Flag called “Know Your Payload”. This post will focus on the CTF which was created in collaboration between SCYTHE, the C2 Matrix, SANS, and CounterHack. The scoreboard was hosted by Netwars.

VIEW

Presentation

New!

August 10, 2020

Purple Team Exercise Framework (PTEF) Workshop

SCYTHE's Purple Team Exercise Workshop, introducing the newly released Purple Team Exercise FrameworK (PTEF), is now live and available in our library. Purple Team exercises provide an efficient and effective “hands-on-keyboard” adversary emulation method for Red and Blue Team collaboration.

VIEW

#ThreatThursday

New!

August 6, 2020

#ThreatThursday - Evil Corp

This blog post will dive deeper into the Garmin attack, extract TTPs from Cyber Threat Intelligence, create a MITRE ATT&CK Navigator Layer and adversary emulation plan, emulate the attack with Cobalt Strike (like Evil Corp used) and then drop a synthetic WastedLocker built with SCYTHE, and discuss how to defend against ransomware attacks with Olaf Hartong.

VIEW

Blog Post

New!

August 6, 2020

SCYTHE version 3.1 with MITRE ATT&CK Sub-Techniques

SCYTHE 3.1 is here and will be debuted at DEF CON Red Team Village on 8 AUG! With MITRE ATT&CK sub-techniques going live shortly after our major release of v3.0, we wanted to ensure that you are aligning to the latest and greatest framework in the cybersecurity industry across all of your SCYTHE Campaigns and Reports!

VIEW

Blog Post

New!

August 5, 2020

VECTR Integration

We are proud to announce that SCYTHE campaigns can be imported into VECTR! VECTR is a free platform for planning and tracking your Red Team engagements and Purple Team Exercises by aligning to Blue Team detection and prevention capabilities across different attack scenarios. Many SCYTHE customers leverage VECTR to show the value of the overall Red and Purple Team programs and will now be able to import entire SCYTHE campaigns with just a few clicks. First, make sure to upgrade VECTR to the latest version.

VIEW

Blog Post

New!

August 4, 2020

Virtual Hacker Summer Camp 2020

It's that time of the year again, Hacker Summer Camp! The SCYTHE team has a busy week scheduled as we love to give back to the community. We are giving talks, panels, workshops, releasing tools, and even have two Choose Your Own Adventure games for Red and Blue Teams. Here’s a quick guide to where you can find us virtually over the next few days during Black Hat USA and Def Con Safe Mode.

VIEW

Blog Post

New!

July 31, 2020

Porting Tools to SCYTHE: An SDK Proof of Concept

With the release of the SCYTHE Software Development Kit (SDK), we released two new and important components to help make the development of SCYTHE modules frictionless for third party developers: the Module Buster application and the Python3 runtime. We feel that one of the best ways for us to demonstrate how easy it is to create a new SCYTHE module is to demonstrate how we ported an open source tool, written in Python, to SCYTHE.

VIEW

#ThreatThursday

New!

July 30, 2020

#ThreatThursday - Emotet

On Friday, July 17, many of us woke up to a bunch of new phishing emails. What happened over night? Well, like Sherrod DeGrippo from ProofPoint wrote, emotet returns after a 5 month hiatus. Emotet is a banking trojan that gains access to end user machines and steals their financial information such as login information and personal identifiable information (PII). This week, we met with Sherrod and discussed Emotet. As usual, we create an adversary emulation plan based on Cyber Threat Intelligence and then emulate it with SCYTHE.

VIEW

Blog Post

New!

July 29, 2020

SCYTHE’s Ethical Hacking Maturity Model

SCYTHE’s Ethical Hacking Maturity Model enables leading organizations to assess and strengthen their security posture through ethical hacking. There are a number of assessment types an ethical hacker can perform against an organization and this document goes through the process. Enterprises can use SCYTHE’s Ethical Hacking Maturity Model to evolve to the more advanced assessments and operationalize Adversary Emulations via Red Team Engagements and Purple Team Exercises.

VIEW

Blog Post

New!

July 24, 2020

Announcing UniCon

UniCon, our very own Unicorn Conference, is a free conference for security researchers, developers, red teamers, blue teamers, and purple teamers taking place on August 20! We will have two excellent keynotes from Olaf Hartong and John Strand, the release of the SCYTHE Marketplace with custom modules, introduction and AMA with our platform engineers to ask all the technical questions about C2 and synthetic malware, lighting talks with researchers and module developers, great talks, and a brand new CTF.

VIEW

#ThreatThursday

New!

July 23, 2020

#ThreatThursday - Deep Panda

This week we interviewed Bradford Regeski, a Cyber Threat Intelligence analyst at H-ISAC, about the top threats the healthcare industry is seeing. He shared a number of excellent resources on threat actors, told us a little more about H-ISAC, and dove deeper into Deep Panda.

VIEW

#ThreatThursday

New!

July 16, 2020

#ThreatThursday - Orangeworm

This week on #ThreatThursday we cover the latest release of MITRE ATT&CK (with sub-techniques), announce a healthcare partnership, and look at a threat actor that has been targeting the healthcare sector for years: Orangeworm. As usual, we consume Cyber Threat Intelligence, create a threat profile and adversary emulation plan, and discuss how to defend against Orangeworm.

VIEW

Blog Post

New!

July 13, 2020

Splunk Integration

Enterprise-grade platforms have to integrate with other enterprise solutions in order to be effective. SCYTHE focuses on providing business value through adversary emulation and showing whether security tools and controls are properly implemented and tuned to detect malicious behavior. To implement an enterprise solution, SCYTHE integrates with other solutions such as Splunk, PlexTrac, VECTR, and virtually any solution or SIEM via syslog.

VIEW

Blog Post

New!

July 10, 2020

Breaching Terms of Service Doesn’t Breach the CFAA: Protect Independent Security Research

Advances in securing medical devices, vehicle systems, and any of the other systems and connected devices used daily would not be possible without independent researchers testing and auditing those in novel and often unanticipated manners from that intended by the computer/website/app owners.

VIEW

#ThreatThursday

New!

July 9, 2020

#ThreatThursday - Managing Threats

Welcome to another edition of #ThreatThursday! We now have a section on this blog exclusively for #ThreatThursday so that you may efficiently find the resources for CTI analysis, threat emulation, and remediation in one location every week: https://www.scythe.io/threatthursday Feel free to bookmark or subscribe to the RSS feed.

VIEW

Blog Post

New!

July 8, 2020

Under the Hood: SCYTHE Architectural Overview (Part 1)

Hey, this is Ateeq Sharfuddin, head of the engineering team at SCYTHE. Our team has spent the better part of the past year developing significant improvements for version 3 of the SCYTHE platform. As the threat landscape, including adversary tactics, techniques, and procedures (TTPs), constantly evolves, developing an adversary emulation platform must be similarly agile and updated.

VIEW

Blog Post

New!

July 7, 2020

SCYTHE 3.0 is here!

The SCYTHE team has been busy working on version 3.0, our latest release. This release brings major improvements, including support for in-memory third-party Python Modules built using the SCYTHE Software Development Kit (SDK), and will lead up to the launch of the SCYTHE Marketplace.

VIEW

Blog Post

New!

July 6, 2020

Software Development Kit

As the leading platform for Purple Teaming, SCYTHE is proud to release version 3.0 and the new SCYTHE Software Development Kit! SCYTHE now offers an in-memory Python interpreter so developers can write modules entirely in Python. Operators will be thrilled to hear that the runtime and modules operate entirely in-memory without touching the disk. The Software Development Kit (SDK) gives developers a seamless module creation and validation experience.

VIEW

#ThreatThursday

New!

July 2, 2020

#ThreatThursday - Ransomware

A day hardly goes by without hearing about another ransomware attack. Just this week I read, on SANS NewsBites, that University of California San Francisco (UCSF) paid $1.1 million to regain access to their data. This week’s #ThreatThursday we take a look at a ransomware example, learn how criminals are evolving to get paid, create an adversary emulation plan that is safe but valuable for enterprises, and speak to industry thought leader, Olaf Hartong, about defending against ransomware attacks using Sysmon.

VIEW

Presentation

New!

June 28, 2020

Cuddling the Cozy Bear, Emulating APT29 by Jorge Orchilles - Cyber Junegle

In this talk, we will learn about APT29 “Cozy Bear”, how they operate and what their objectives are. We will create an adversary emulation plan using C2 Matrix to pick the best command and control framework that covers the most TTPs. We will spend at least half the talk live demoing the attack with various tools that emulate the adversary behaviors and TTPs.

VIEW

#ThreatThursday

New!

June 25, 2020

#ThreatThursday - Cozy Bear

This week on #ThreatThursday we look at Cozy Bear, or APT29, a Russian government threat group that has been operating since at least 2008. This group is most famous because of the attribution to the Democratic National Committee hack in the summer of 2015.

VIEW

#ThreatThursday

New!

June 18, 2020

#ThreatThursday - APT33

This week on #ThreatThursday we look at an Iranian Threat Actor, APT33 or Elfin. We introduce the MITRE ATT&CK Beta with sub-techniques, create and share an adversary emulation plan for APT33 on Github, show how to execute PowerShell (both powershell.exe and unmanaged PowerShell) through SCYTHE and show how to perform lateral movement within the SCYTHE user interface as well as on the command line.

VIEW

Presentation

New!

June 12, 2020

SCYTHE Demo with Jorge Orchilles

Jorge Orchilles covered a number of topics and did live demos of some of the features coming in SCYTHE version 3.0 including the virtual file system, third party modules, and the SCYTHE Marketplace.

VIEW

#ThreatThursday

New!

June 11, 2020

#ThreatThursday - Buhtrap

In this #ThreatThursday we will be looking at Buhtrap, a criminal team attacking financial institutions. We are presenting new concepts this week such as consuming Cyber Threat Intelligence that has not been mapped or tracked on MITRE ATT&CK website and explaining the concept of Short and Long Haul C2.

VIEW

Video

New!

June 9, 2020

SCYTHE version 3.0 is coming soon!

Take a look at how easy SCYTHE 3.0 is to install and go through the basic setup on the first run.

VIEW

#ThreatThursday

New!

June 4, 2020

#ThreatThursday - APT19

Adversarial Emulation is a threat intelligence driven process. Leveraging threat intelligence is required for more effective defense (Blue Team) and offense (Red Team). We must understand how threats operate and their behaviors (tactics, techniques, and procedures) to stay ahead of them and prevent or detect when they attack our organization. For these reasons, we want to share our vision for being threat-led with our readers and introduce #ThreatThursday.

VIEW

Presentation

New!

June 3, 2020

SCYTHE & PlexTrac Present: Dealin' With The Data

Join Security Weekly's Tyler Robinson, SCYTHE's Adam Mashinchi, and PlexTrac's Dan DeCloss for a discussion on how to "Deal With The Data". The discussion opens with Tyler outlining common headaches that red teamers must deal with at their jobs.

VIEW

Blog Post

New!

June 1, 2020

SCYTHE Welcomes Jorge Orchilles as Chief Technology Officer

SCYTHE is thrilled to welcome a new unicorn to the executive team: Jorge Orchilles is now the Chief Technology Officer for SCYTHE.

VIEW

let our tech speak for itself

Know where you stand with SCYTHE. Talk to us to start the evaluation process today! We’d love to talk to you about how SCYTHE can fit into your cybersecurity workflow.

LEARN MORE