If you follow SCYTHE’s Threat Thursday posts and use SCYTHE’s Community Threats GitHub repository, you are probably familiar with the VFS (Virtual File System) folders used with some of the Community Threats.
As of August 2021, there are 10 Threats that include a VFS folder.
In this blog, I will talk about the purpose of the Virtual File System and show an example of how to set up a VFS folder from one of our Community Threats. The example presumes that the SCYTHE Community Threat files have been downloaded to the SCYTHE server.
What is the purpose of the Virtual File System in SCYTHE?
Think of the Virtual File System (VFS) as a shared file drive. This is where the files utilized in SCYTHE’s Community Threats are stored. The SCYTHE Community Threats VFS files need to be imported into the SCYTHE Virtual File System. The Virtual File System can also act as central storage for scripts and other files that may be used in your custom created threats.
How does the Virtual File System work with the SCYTHE Community Threats Campaigns?
For this example, I will use SCYTHE’s DarkSide threat.
The DarkSide Community Threat contains a VFS folder. The files within this folder need to be imported into the SCYTHE Virtual File System.
Log in to the SCYTHE UI:
1. In the navigation pane, select Virtual File System.
2. Click VFS (VFS:/ users / BUILTIN / scythe /)
3. Double click the Shared folder
4. In the Shared folder, click the New Folder button. Name the folder DarkSide
5. From within the VFS DarkSide folder, select Upload and import the files contained in the DarkSide VFS Community Threat folder.
6. Do the same with all Community Threats that contain a VFS file.
Why are the VFS folder names and location important?
The README.md specifies the name of the VFS folders. This is important because the campaign steps look for the specific folder names. Review each Community Threat’s README.md and name the VFS folder appropriately.
In the SCYTHE UI:
- Click Threat Catalog > DarkSide.
- Scroll down to Step 20. In that step, the file path references VFS:/shared/DarkSide/README.txt
If the README.txt file is not in that specific VFS folder, the campaign will not proceed to the next step and will stall.
When running a SCYTHE Community Threat Campaign, if the campaign stalls, the first troubleshooting step is to check the VFS folder. Is it in the right place (VFS:shared/<Folder_Name>)? Are the VFS files uploaded to the correct folder?
If not, correct the VFS folder/file name and/or location, then rerun the campaign.
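The same check can be done before a campaign is run. The following is an added example, not SCYTHE code: it pulls every VFS shared-folder reference out of step text and compares it with a listing of the files that were uploaded. The step text and file listing are constructed samples (not SCYTHE's export format), and because the page does not say whether VFS names are case-sensitive, case differences are reported separately for review.

```python
import re

# Matches the VFS reference forms seen on this page: VFS:/shared/... and VFS:shared/...
VFS_REF = re.compile(r"VFS:/?shared/([^\s\"'<>]+)", re.IGNORECASE)

def find_vfs_refs(step_text):
    """Return every path (relative to the Shared folder) referenced in the text."""
    return {m.group(1).rstrip(".,;)") for m in VFS_REF.finditer(step_text)}

def check_refs(step_text, uploaded):
    """Map each referenced path to (status, uploaded_name).

    status is "ok", "case_mismatch" (same name, different letter case)
    or "missing" (nothing uploaded under that folder/file name).
    """
    exact = set(uploaded)
    folded = {p.lower(): p for p in exact}
    report = {}
    for ref in sorted(find_vfs_refs(step_text)):
        if ref in exact:
            report[ref] = ("ok", ref)
        elif ref.lower() in folded:
            report[ref] = ("case_mismatch", folded[ref.lower()])
        else:
            report[ref] = ("missing", None)
    return report

# Constructed sample input: plain text, not SCYTHE's real campaign export format.
SAMPLE_STEPS = """
step 20 reads VFS:/shared/DarkSide/README.txt
step 21 reads VFS:/shared/DarkSide/example_script.ps1
step 22 reads VFS:shared/DarkSide/example_note.txt
"""
# Constructed listing of what was uploaded, relative to the Shared folder.
SAMPLE_UPLOADED = ["DarkSide/README.txt", "Darkside/example_script.ps1"]

if __name__ == "__main__":
    for ref, (status, actual) in check_refs(SAMPLE_STEPS, SAMPLE_UPLOADED).items():
        note = f"  (uploaded as {actual})" if actual and actual != ref else ""
        print(f"{status:13} VFS:/shared/{ref}{note}")
```

Any reference reported as missing or case_mismatch points at a step where the campaign is likely to stall until the folder or file name is corrected.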
Referencing a file in the Virtual File System for custom threats
When building the steps of a custom threat, any scripts or other files required to run a step can be placed in the VFS. The folders should be created and the files stored in the VFS:shared folder so all users can run the campaigns.
The step that includes the VFS files must reference the specific file path or it will not work.
About the Author
Elaine Harrison-Neukirch has over 10 years of experience in cyber security working in the healthcare and financial services industries. She currently runs the customer support program at SCYTHE. Elaine loves giving back to the community, volunteers for the Cyber Security Non Profit (CSNP.org) and has written several blogs for them. Elaine advocates for Women in Cybersecurity; she is a member of both Women in Cybersecurity and Women’s Society of Cyberjutsu. Elaine has multiple certifications including CEH, Security + and Cyberops CCNA.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.