Blue Teamers, have you been looking for an automated method of discovery for ports that are allowed in outbound, North/South (egress) traffic within your network? Your search is over! SCYTHE’s Marketplace offers a free module, Let Me Out (LMO), a SCYTHE port of mubix’s Let Me Out project. This module tests egress traffic for specific ports.
Our friends at MITRE ATT&CK define Exfiltration Over Alternate Protocol (T1048) as stealing data by exfiltrating over different means than the existing command and control (C2) channel. This can include built-in operating system utilities that use various protocols and ports such as SMB, FTP and SMTP.
In this blog, I will describe the steps required to build a campaign using SCYTHE’s Marketplace module, LMO. Knowledge of what egress traffic is allowed through a network’s security layers will help Blue Teamers close the gaps in their egress security controls. The LMO Module also gives Blue Teamers visibility into what could be human error.
For example, policy mandates that FTP traffic on ports 20 and 21 is supposed to be blocked for all outgoing traffic. However, a firewall admin mistakenly opens these ports when creating an ACL, and change management does not catch the mistake.
Running the LMO campaign on a schedule ensures that these errors can be quickly identified and corrected.
If you do not have a marketplace account, submit a SCYTHE support request. The SCYTHE support team will create a Marketplace account for you.
SCYTHE is so intuitive that even a new user can easily and quickly set up the LMO campaign.
Parsing this information through the SCYTHE interface is one of several ways to act on the data. SCYTHE’s integration with Splunk, Syslog, or leveraging the SCYTHE API allows customers to ingest the data into other platforms with little effort!
The same campaign can be run multiple times, executing the same payload across any number of end hosts or re-running it to test new firewall rules. If the parameters change or you want to test different ports, a new campaign will need to be created.
We have added the compound action titled T1048-Exfiltration Over Alternative Protocol for your use. This compound action tests FTP ports 20 and 21. It can be customized to test any ports.
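To make concrete what an egress check of this kind does, here is an added example in Python. It is not code from SCYTHE's LMO module or from mubix's Let Me Out project; it is a minimal TCP egress test in the same spirit. It attempts an outbound connection to a check endpoint on each listed port, records which ports got out, and flags any reachable port that the egress policy says must be blocked, which is the FTP 20/21 scenario above. The hostname `egress-check.example.internal` is a placeholder for a listener the Blue Team controls, and the loopback fixtures (two local ports standing in for 20 and 21) are constructed so the script runs offline.

```python
"""Added example (not code from SCYTHE's LMO module or mubix's Let Me Out):
a minimal TCP egress-port check in the same spirit. It attempts an outbound
connection to a check endpoint on each listed port and reports which ports
got out, then flags any that the egress policy says must be blocked."""
import socket
from typing import Dict, Iterable, List, Set, Tuple


def check_egress(host: str, ports: Iterable[int], timeout: float = 2.0) -> Dict[int, bool]:
    """Try one TCP connect per port. True = handshake completed (traffic left
    the host and something answered); False = refused, filtered or timed out.
    A silently dropping firewall and a closed port both read as False, so the
    endpoint you point this at must actually be listening on every tested port."""
    results: Dict[int, bool] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = True
            except OSError:          # includes timeouts and DNS failures
                results[port] = False
    return results


def policy_violations(results: Dict[int, bool], must_be_blocked: Set[int]) -> List[int]:
    """Ports that policy says must be blocked but which were reachable."""
    return sorted(p for p, ok in results.items() if ok and p in must_be_blocked)


def format_report(results: Dict[int, bool], must_be_blocked: Set[int]) -> List[str]:
    """One human-readable line per port, suitable for a log line or a ticket."""
    lines = []
    for port in sorted(results):
        state = "reachable" if results[port] else "blocked"
        flag = ""
        if results[port] and port in must_be_blocked:
            flag = "  <-- VIOLATION: policy requires blocked"
        lines.append(f"tcp/{port}: {state}{flag}")
    return lines


# --- offline fixtures (constructed for this example) ----------------------
def _listening_port() -> Tuple[int, socket.socket]:
    """Bind a listener on 127.0.0.1 on an OS-chosen port. The kernel completes
    the TCP handshake on a listening socket without accept() being called,
    so no serving thread is needed for the connect test to succeed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv.getsockname()[1], srv


def _closed_port() -> int:
    """A 127.0.0.1 port with nothing listening: bind, read the number, release."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_offline_demo() -> Tuple[Dict[int, bool], List[int]]:
    """Replay the blog's scenario locally: two ports that stand in for FTP 20
    and 21 are both supposed to be blocked, but one was mistakenly opened.
    Returns (per-port results, list of violating ports)."""
    open_port, srv = _listening_port()   # the mistakenly opened "FTP" port
    blocked_port = _closed_port()        # the correctly blocked "FTP" port
    must_be_blocked = {open_port, blocked_port}
    try:
        results = check_egress("127.0.0.1", [open_port, blocked_port], timeout=1.0)
    finally:
        srv.close()
    return results, policy_violations(results, must_be_blocked)


if __name__ == "__main__":
    # Real use: point at a listener you control that answers on every port under
    # test (placeholder hostname), e.g.
    #   check_egress("egress-check.example.internal", [20, 21, 22, 25, 443])
    results, violations = run_offline_demo()
    for line in format_report(results, set(results)):
        print(line)
    print("violations:", violations)
```

Two caveats for anyone adapting this: a completed TCP handshake only proves the packet path is open, not that an application-layer proxy would let the protocol through, and UDP egress needs a separate check. Running it on a schedule from representative hosts, with the output going to your SIEM, is what turns a one-off test into the change-management safety net the FTP example calls for.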
SCYTHE has been touted as an adversary emulation tool; however, there are many campaigns that can be configured and run from a Blue Team network controls perspective. As demonstrated, the LMO module is one way to use SCYTHE as a Blue Team tool. Increased visibility for the Blue Team leads to increased protection of the organization’s assets.
Elaine Harrison-Neukirch has over 10 years of experience in cyber security working in the healthcare and financial services industries. She currently runs the customer support program at SCYTHE. Elaine loves giving back to the community, volunteers for the Cyber Security Non-Profit (CSNP.org) and has written several blogs for them. Elaine advocates for Women in Cybersecurity; she is a member of both Women in Cybersecurity and Women’s Society of Cyberjutsu. Elaine has multiple certifications including CEH, Security+ and CyberOps CCNA.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.