December 8, 2022

Qakbot Reloaded

Qakbot is making the rounds once again, expanding its service as malware used by Initial Access Brokers (IAB). After a takedown attempt on Emotet and a recent pause of its operation, Qakbot and Bokbot/IceID have dominated the field as IABs. Qakbot, also known as QBot was a banking trojan at its inception but due to its modular design can be quite versatile. An important call out here is that recent cyber threat intelligence reveals Qakbot threat actors have modified their tactics, techniques, and procedures. This is precisely why we have created this new emulation.

December 1, 2022

Black Basta IOCs

Black Basta is making the news once again as our friends at SentinelLabs released new research tying the operator’s latest activity to the Russian-linked FIN7. Despite being a relatively new player in the ransomware arena, Black Basta quickly gained credibility given their novel tools and techniques.

November 17, 2022

CloudFox

This month’s emulation takes a break from our traditional adversary emulation campaigns and instead features use of BishopFox’s cloud enumeration tool CloudFox. A common question we hear from SCYTHE customers is “how do we use SCYTHE to audit the security of our cloud resources?” Some clarification is needed since SCYTHE is an adversary emulation platform focusing on post-exploitation and this question implies a different use-case.

October 20, 2022

Threat Emulation: Black Basta

Black Basta is back on the radar again this fall after a rise in Qakbot malware distribution was observed. Qakbot is a common initial entry and lateral movement tool used by the Black Basta ransomware group. Black Basta is cross platform, affecting both Windows and Linux operating systems.

September 29, 2022

Threat Emulation: Yanluowang

The Yanluowang ransomware group has been around since at least late 2021, but many people had never heard their name prior to their involvement in the Cisco incident in August 2022. SCYTHE posting this threat in no way should be construed as victim blaming. On the contrary, there is sufficient data in the public domain to discuss at least in part because of the great work by Talos. 

August 25, 2022

Threat Emulation: GootLoader

Welcome to the August 2022 SCYTHE #ThreatThursday! This edition features a GootLoader emulation based on the write-up from our friends at The DFIR Report.

July 28, 2022

Threat Emulation: Qakbot

Welcome to the July 2022 SCYTHE #ThreatThursday! This edition features an emulation of Qakbot, a piece of malware that is no stranger to the threat intel community.

June 30, 2022

Windows Telemetry Persistence

June’s Threat Thursday will focus on a unique persistence method that is not widely used by threat actors, but works all the way through at least Windows 11 21H2. In 2020 a few researchers from TrustedSec outlined a unique method of persistence that leverages Windows Telemetry.

May 26, 2022

Threat Emulation: Industroyer2 Operation

Welcome to the May 2022 SCYTHE #ThreatThursday! This month we are featuring the recent Industroyer2 operation observed in Ukraine with a new campaign. Per the reporting from ESET, the Sandworm threat actor group was most likely responsible for deploying the Industroyer2 malware.

April 28, 2022

Operationalizing Red Canary's 2022 Threat Detection Report

March 31, 2022

#ThreatThursday FIN13

Welcome to our March 2022 SCYTHE #ThreatThursday! This month we will do a deep dive on the threat actor FIN13 who has been tracked by Mandiant since 2017 and is known to target Mexican organizations. We will examine the phases of their attacks, and extract TTPs from Mandiant’s report to build a SCYTHE Campaign that emulates their post-breach behavior.

February 24, 2022

Threat Actor APT35

Welcome to the February 2022 SCYTHE #ThreatThursday! This edition covers some recent intelligence from Check Point Research on post access tools and procedures leveraged by APT35. In addition, we recommend reviewing Check Point’s excellent write-up to complement our post if you have the time.

January 27, 2022

Adversary Emulation Diavol Ransomware #ThreatThursday

We have created our most elaborate automated threat, emulating a real Diavol ransomware attack, in a 5-stage attack

January 27, 2022

Emulación de Adversarios Diavol Ransomware

Hemos creado nuestra amenaza automatizada más elaborada, emulando un ataque real del ransomware Diavol, en un ataque de 5 etapas.

December 16, 2021

#ThreatThursday - UNC2452

Ben Finke from OnDefend will go through our typical #ThreatThursday format to introduce the threat actor, UNC2452, ingest Cyber Threat Intelligence, build an adversary emulation plan, and discuss detection and response.

November 30, 2021

Threat Thursday - Red Canary October Detection Opportunities

Our new Adversary Emulation Detection Engineer, Christopher Peacock, shares this #ThreatThursday where he dived into Red Canary’s new blog and reviewed the methods they used in order to develop emulation plans to validate the detection opportunities in your environment.

October 21, 2021

Threat Thursday - NetWire RAT

Christopher Peacock, the newest Unicorn to join the herd as an Adversary Emulation - Detection Engineer shares his first #ThreatThursday, covering the recent NetWire RAT report from BlackBerry’s ThreatVector Blog. It focuses on the emulation and detection opportunities of the threat in order to help organizations measure and defend against the threat’s behaviors.

September 9, 2021

ThreatThursday - Phobos Ransomware

As usual, we will consume Cyber Threat Intelligence and map it to MITRE ATT&CK. We will create an adversary emulation plan, share it on our Community Threats Github, and we will show how to Attack, Detect, and Respond to Phobos attacks.

September 2, 2021

Threat Thursday - Hive Ransomware

The FBI released a Flash Alert on August 25, 2021 warning organizations about the Hive ransomware that has affected at least 28 organizations including Memorial Health. As usual for #ThreatThursday, we will consume the Cyber Threat Intelligence and map it to MITRE ATT&CK, we create and share an adversary emulation plan on the SCYTHE GitHub, and discuss ways to prevent, detect, and respond to this threat. 

July 8, 2021

Threat Thursday - Exfiltration Over Web Service: Exfiltration to Cloud Storage

This #ThreatThursday is all about leveraging cloud storage to exfiltrate data. We also cover a tool that leaves credentials unsecured on the file system. In particular, we are going to look at how threat actors leverage cloud services like MEGA and use open source tools like rclone to exfiltrate data.

June 24, 2021

Threat Thursday Top Ransomware TTPs

At SCYTHE we are constantly collaborating with industry experts and organizations. Recently, someone reached out as they are building out a ransomware readiness assessment. “We are looking for a consolidated mapping of major ransomware actors on the ATT&CK framework, like SCYTHE does for individual actors on #ThreatThursday.

June 17, 2021

Threat Thursday - Evading Defenses with ISO files like NOBELIUM

Microsoft released a blog post late on Thursday May 27, 2021 about a new sophisticated email-based attack from NOBELIUM, the SolarWinds threat actor, where they compromised Constant Contact to send malicious emails with a weaponized ISO file.For this post, we look at the recent attack from NOBELIUM and show how to emulate these techniques with SCYTHE. We also committed an atomic test to the Atomic Red Team project.

May 27, 2021

Threat Thursday - Conti Ransomware

For this #ThreatThursday we are looking at one of the most common ransomware threat actors, Conti. We are leveraging Cyber Threat Intelligence from a new partner, TrukNo, that provides adversary behavior all the way down to the procedure level, facilitating the creation of adversary emulation plans so that you can test against these behaviors in your production environment more efficiently.

May 10, 2021

#ThreatThursday - DarkSide Ransomware

In this blog we consume Cyber Threat Intelligence to understand how the DarkSide ransomware behaves, we create and share an adversary emulation plan so you can quickly test, measure, and improve your people, process, and technology for similar attacks, and we discuss how to detect and respond to DarkSide ransomware.

April 29, 2021

Florida Water Plant Breach

TeamViewer was at the forefront of an attack on a Florida water facility in February 2021. A malicious actor logged into the water treatment facility’s computer system through the remote desktop software and tried to increase the amount of sodium hydroxide to a dangerous level.

March 25, 2021

Threat Thursday - Lazarus

The Lazarus Group (aka HIDDEN COBRA/Guardians of Peace/ZINC/NICKEL ACADEMY)! Lazarus was an extremely active adversary in 2020 and has continued to build capability over the past decade. They are responsible for many high profile hacks seen over the years, such as the Sony hack in 2014. Lazarus Group has been attributed as a North Korean state sponsored hacking group by the FBI.

February 25, 2021

#ThreatThursday - menuPass with special guest Shane Patterson

For this #ThreatThursday is menuPass! Tim Schulz caught up with Shane Patterson to discuss MITRE Engenuity's plan release, challenges in creating emulation plans, and what makes this threat unique!

February 25, 2021

#ThreatThursday - menuPass

For this Threat Thursday we are going to look at menuPass (aka APT10/Stone Panda/Red Apollo/CVNX/Potassium/Cloud Hopper), a cyber threat actor responsible for global intellectual property theft that is thought to be affiliated with, or working at the behest of, the Chinese Ministry of State Security.

January 14, 2021

#ThreatThursday - Egregor Ransomware with Sean Gallagher

Jorge Orchilles sits down with Sean Gallagher, a Senior Threat researcher at Sophos Labs. Sean walks us through understanding how this ransomware operates, creating an adversary emulation plan, and the best defense against a similar attack.

January 14, 2021

#ThreatThursday - Egregor Ransomware

This week we will take a look at Egregor ransomware that has breached, exfiltrated data, and brought down multiple networks since September 2020. Stealing data before deploying ransomware has been a common modus operandi of the Egregor group.

December 10, 2020

#ThreatThursday - FIN6 Phase 2

FIN6 is a cyber crime group that specializes in stealing payment card data and sells it in underground marketplaces. This group, also known as Skeleton Spider and ITG08, has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors since at least 2017.

November 20, 2020

#ThreatThursday - Berserk Bear

As usual for #ThreatThursday, we will understand Berserk Bear’s behavior, map to MITRE ATT&CK and share the ATT&CK Navigator JSON, create and share an adversary emulation plan in the largest, public adversary behavior repository, and discuss how to defend against this energy sector adversary.

November 5, 2020

#ThreatThursday - Ryuk

This week, we take a deeper dive into emulating and defending against the ransomware behind a recent spike in healthcare sector attacks - Ryuk Ransomware. Researchers estimate that Ryuk has been behind a third of the ransomware attacks detected in 2020, including the latest surge in hospital and healthcare IT system attacks.

October 22, 2020

#ThreatThursday - FIN6

Welcome to another week of #ThreatThursday! This week’s Threat Thursday is going to be slightly different from the standard as we discuss the FIN6 Adversary Emulation plan released by MITRE Engenuity’s Center for Threat-Informed Defense. We will focus on the importance of machine-readable Cyber Threat Intelligence at the adversary behavior and TTP level, sharing adversary emulation plans, and YAML-to-JSON conversion

October 15, 2020

#ThreatThursday - APT41

Welcome to another week of #ThreatThursday. This week we leverage an adversary emulation plan created and shared to the community by a third party: APT41 Emulation Plan. As usual, we will cover Cyber Threat Intelligence, create a threat actor profile, create an adversary emulation plan from the work done by Huy, share the plan in our Github, explain some of the new TTPs we will leverage, and discuss how to defend against APT41.

October 8, 2020

#ThreatThursday - SlothfulMedia

On October 1, 2020, US-Cert published a Malware Analysis Report (MAR) in relation to a new malware they have seen in the wild called SlothfulMedia. The report suggests this is a “sophisticated cyber actor” but as you will see, it seems like a very typical Remote Access Trojan. As usual, we will review the Cyber Threat Intelligence, create an adversary emulation plan, demonstrate the emulation, and discuss how to defend against this threat.

October 1, 2020

#ThreatThursday - MAZE

Welcome to another edition of #ThreatThursday. This week we are excited to kick off Cybersecurity Awareness Month looking at MAZE, a ransomware threat which emerged around May 2019, predominantly affecting organizations in the USA. MAZE, like other ransomware, also has an extortion component, where exfiltration of the original data also occurs in addition to the encryption/ransom component.

September 17, 2020

#ThreatThursday - HoneyBee

Welcome to another edition of #ThreatThursday. This week we look at Honeybee, a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. This post coincides with a talk I gave at EkoParty on Adversary Emulation.

September 10, 2020

#ThreatThursday - PowerShell

This week we will look at a MITRE sub-technique that deserves a #ThreatThursday of its own, PowerShell. As an interactive command-line interface and scripting environment included in all supported versions of the Windows operating system, many threat actors have some history of leveraging PowerShell. This sub-technique is an example of a TTP you cannot prevent in your environment; Microsoft includes PowerShell as part of the underlying operating system and it is virtually impossible to remove.

September 3, 2020

#ThreatThursday - SpeakUp

This #ThreatThursday we are releasing our first macOS threat to the SCYTHE Community Threats GitHub. As more and more customers migrate to Apple products, we want to provide adversary emulation plans that work against macOS as well. SCYTHE has the ability to create campaigns for Windows, Linux, and macOS. This post will look at emulating a macOS threat known as SpeakUp.

August 27, 2020

#ThreatThursday - Custom Threats

At SCYTHE, we spend a lot of time focusing on adversary emulation as it is an ideal method to maturing your red team engagements and purple team exercises for providing the most business value (see our Ethical Hacking Maturity Model). For this post, we want to cover custom threats. What if a new technique is not seen in the wild?

August 6, 2020

#ThreatThursday - Evil Corp

This blog post will dive deeper into the Garmin attack, extract TTPs from Cyber Threat Intelligence, create a MITRE ATT&CK Navigator Layer and adversary emulation plan, emulate the attack with Cobalt Strike (like Evil Corp used) and then drop a synthetic WastedLocker built with SCYTHE, and discuss how to defend against ransomware attacks with Olaf Hartong.

July 30, 2020

#ThreatThursday - Emotet

On Friday, July 17, many of us woke up to a bunch of new phishing emails. What happened over night? Well, like Sherrod DeGrippo from ProofPoint wrote, emotet returns after a 5 month hiatus. Emotet is a banking trojan that gains access to end user machines and steals their financial information such as login information and personal identifiable information (PII). This week, we met with Sherrod and discussed Emotet. As usual, we create an adversary emulation plan based on Cyber Threat Intelligence and then emulate it with SCYTHE.

July 23, 2020

#ThreatThursday - Deep Panda

This week we interviewed Bradford Regeski, a Cyber Threat Intelligence analyst at H-ISAC, about the top threats the healthcare industry is seeing. He shared a number of excellent resources on threat actors, told us a little more about H-ISAC, and dove deeper into Deep Panda.

July 16, 2020

#ThreatThursday - Orangeworm

This week on #ThreatThursday we cover the latest release of MITRE ATT&CK (with sub-techniques), announce a healthcare partnership, and look at a threat actor that has been targeting the healthcare sector for years: Orangeworm. As usual, we consume Cyber Threat Intelligence, create a threat profile and adversary emulation plan, and discuss how to defend against Orangeworm.

July 9, 2020

#ThreatThursday - Managing Threats

Welcome to another edition of #ThreatThursday! We now have a section on this blog exclusively for #ThreatThursday so that you may efficiently find the resources for CTI analysis, threat emulation, and remediation in one location every week: https://www.scythe.io/threatthursday Feel free to bookmark or subscribe to the RSS feed.

July 2, 2020

#ThreatThursday - Ransomware

A day hardly goes by without hearing about another ransomware attack. Just this week I read, on SANS NewsBites, that University of California San Francisco (UCSF) paid $1.1 million to regain access to their data. This week’s #ThreatThursday we take a look at a ransomware example, learn how criminals are evolving to get paid, create an adversary emulation plan that is safe but valuable for enterprises, and speak to industry thought leader, Olaf Hartong, about defending against ransomware attacks using Sysmon.

June 25, 2020

#ThreatThursday - Cozy Bear

This week on #ThreatThursday we look at Cozy Bear, or APT29, a Russian government threat group that has been operating since at least 2008. This group is most famous because of the attribution to the Democratic National Committee hack in the summer of 2015.

June 18, 2020

#ThreatThursday - APT33

This week on #ThreatThursday we look at an Iranian Threat Actor, APT33 or Elfin. We introduce the MITRE ATT&CK Beta with sub-techniques, create and share an adversary emulation plan for APT33 on Github, show how to execute PowerShell (both powershell.exe and unmanaged PowerShell) through SCYTHE and show how to perform lateral movement within the SCYTHE user interface as well as on the command line.

June 11, 2020

#ThreatThursday - Buhtrap

In this #ThreatThursday we will be looking at Buhtrap, a criminal team attacking financial institutions. We are presenting new concepts this week such as consuming Cyber Threat Intelligence that has not been mapped or tracked on MITRE ATT&CK website and explaining the concept of Short and Long Haul C2.

June 4, 2020

#ThreatThursday - APT19

Adversarial Emulation is a threat intelligence driven process. Leveraging threat intelligence is required for more effective defense (Blue Team) and offense (Red Team). We must understand how threats operate and their behaviors (tactics, techniques, and procedures) to stay ahead of them and prevent or detect when they attack our organization. For these reasons, we want to share our vision for being threat-led with our readers and introduce #ThreatThursday.