Unicorn Library

SCYTHE Library: Exfiltration Over Alternative Protocol

Written by Elaine Harrison-Neukirch | Jul 15, 2021 4:00:00 AM

Blue Teamers, have you been looking for an automated method of discovery for ports that are allowed in outbound, North/ South (egress) traffic within your network? Your search is over! SCYTHE’s Marketplace offers a free module, Let Me Out (LMO), a SCYTHE port of mubix’s Let Me Out project. This module tests egress traffic for specific ports.

Our friends at MITRE ATT&CK define Exfiltration Over Alternate Protocol (T1048) as stealing data by exfiltrating over different means than the existing command and control (C2) channel. This can include built in operating system utilities that utilize various protocols and ports like SMB, FTP and SMTP.

In this blog, I will describe the steps required to build a campaign using SCYTHE’s Marketplace module, LMO. Knowledge of what egress traffic is allowed through a network’s security layers will help Blue Teamers close the gaps in their egress security controls. The LMO Module also gives Blue Teamers visibility into what could be human error.  

For example, policy mandates that FTP traffic on ports 20 and 21 are supposed to be blocked for all outgoing traffic. However, a firewall admin mistakenly opens these ports when creating an ACL. Change management does not catch the mistake.  

Running the LMO campaign on a schedule ensures that these errors can be quickly identified and corrected. 

Download and install the LMO module from the SCYTHE Marketplace

If you do not have a marketplace account, submit a SCYTHE support request. The SCYTHE support team will create a Marketplace account for you.

1) Log into SCYTHE’s Marketplace and locate the LMO app.
2) Click the Install button, read and agree to the End User License Agreement and click the Install Now button. The app is now installed on your Marketplace account.
3) Click the Download button which downloads the .arca file that will be imported into the SCYTHE instance. 

Import the LMO Module into SCYTHE

1) In the SCYTHE UI, go to Administration> Modules
2) Click Choose File, select the .arca file.
3) Click the Install button
4) The installed module will show in the list.

Setup the LMO campaign

SCYTHE is so intuitive that even a new user can easily and quickly set up the LMO campaign. 

1) Select New Campaign
2) Name the campaign
3) Scroll to the bottom and click Next
4) On the Automate Campaign page, select Python 3 under Load a Runtime (LMO requires the Python 3 runtime).
5) Under Actions> Load a Module, scroll down and select the SCYTHE LMO module.
6) Scroll to Execute an Action, select Custom Action
7) Click the SCYTHE LMO, in the Action section, customize the command for the ports that will be egress tested. Click the Add button.
Scythe_testing.scythe_lmo --port [20,21]
8) The campaign is ready to run. 
9) Execute the campaign payload, using either the executable or DLL.
10) In the Campaign Status window, click on the host device to see the campaign running in real time.
11) Once the campaign has completed, click the scythe_testing.scythe_lmo link to see the responses. Allowed egress traffic shows a response of w00tw00t. Blocked traffic shows a response of failed to connect

Parsing this information through the SCYTHE interface is one of several ways to act on the data. SCYTHE’s integration with Splunk, Syslog, or leveraging the SCYTHE API allows customers to ingest the data into other platforms with little effort!

Run the same campaign multiple times by executing the same payload across unlimited end hosts or to test new firewall rules. If the parameters change or you want to test different ports, a new campaign will need to be created. 

SCYTHE Community Threats Github Repository

We have added the compound action titled T1048-Exfiltration Over Alternative Protocol for your use. This compound action tests FTP ports 20, 21. It can be customized to test any ports. 

Empowering the Blue Team

SCYTHE has been touted as an adversary emulation tool however there are many campaigns that can be configured and run from a Blue Team network controls perspective. As demonstrated, the LMO module is one way to use SCYTHE as a Blue Team tool. Increased visibility for  the Blue team leads to increased protection of the organization’s assets. 

About the Author

Elaine Harrison-Neukirch has over 10 years of experience in cyber security working in the healthcare and financial services industries. She currently runs the customer support program at SCYTHE. Elaine loves giving back to the community, volunteers for the Cyber Security Non Profit (CSNP.org) and has written several blogs for them. Elaine advocates for Women in Cybersecurity; she is a member of both Women in Cybersecurity and Women’s Society of Cyberjutsu. Elaine has multiple certifications including CEH, Security + and Cyberops CCNA.


About SCYTHE

SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.