Threat Thursday: April

This month's Threat Thursday delves into WinSxS Sideloading, which emulates actions taken by threat actors, the M365 SharePoint Document Spray threat, and Volt Typhoon, which poses a severe threat to critical infrastructure.

New Threat Releases


WinSxS Sideloading

This threat emulates actions taken by Threat Actors sideloading a malicious payload into a digitally signed Microsoft product. Want to see this threat in action?  Tyler, Trey, and Jake run through it live on this week's Threat Thursday livestream. Check it out. 

M365 SharePoint Document Spray

This threat enumerates available SharePoint sites with a default Document Library (“Documents”) and uploads a malicious document to each site. It emulates the actions that might be taken by a threat actor that gains privileged access to an Microsoft 365 environment. In this specific case, we've simulated the threat actor gaining access to a system that runs PowerShell Graph APIs and can write files to SharePoint sites in an unattended mode.

Volt Typhoon

Volt Typhoon

Volt Typhoon, a state-sponsored cyber group from China, poses a severe threat to critical infrastructure, targeting sectors such as Communications, Energy, Transportation Systems, and Water and Wastewater Systems across the United States and its territories. Our emulation of their tactics reveals that they focus on disrupting infrastructure and collecting sensitive data using living off-the-land techniques and long-term persistence. Our threat mirrors their actions from initial discovery and enumeration to data exfiltration and lateral movement, emphasizing the critical need for enhanced cybersecurity measures to defend against such sophisticated attacks.

Want to learn more about what SCYTHE's Empower offering can do for you? Reach out to us here.

POWER TO THE PURPLE 1-4May 15 Workshop - Power to the Purple

Register today! In this 3-hour live hands-on workshop, you will be introduced to Purple Team Exercises and play the role of Cyber Threat Intelligence, the red team, and the blue team.

By the end of this workshop, attendees will:

🦄Learn the basics of Purple Teaming through the study of PTEF.

🦄Setup and utilize Command and Control (C2) frameworks.

🦄Consume Cyber Threat Intelligence from a known adversary.

🦄Extract adversary behaviors/TTPs and map them to the MITRE ATT&CK framework.

🦄Play the Red Team by creating and executing adversary emulation plans.

🦄Emulate the adversary behaviors in a small environment consisting of a domain controller, member server, and a Linux system.

🦄Play the role of the Blue Team and look for Indicators of Compromise and threat Behaviors.

🦄Deploy and utilize Sysmon and popular SIEM frameworks to detect and hunt for Emulation behaviors.

Register to Connect at RSA

Don't miss out on the chance to connect with SCYTHE and our platinum unicorn partners, IANS & Finite State! Register now for our insightful thought leader sessions that delve into the most pressing cybersecurity issues, network during VIP unicorn happy hours & snag some exclusive swag. Here's a snapshot of our lineup.

RSAC 2024 Social (1)


About the Author

Trey Bilbrey is a Lead Adversary Emulation Engineer at SCYTHE, specializing in Purple Team Exercises, Threat Emulation, Critical Infrastructure, and holistic cyber operations. Trey's 15 years of industry experience has allowed him to become an excellent educator, defender of networks, and a cultivator of cybersecurity professionals. Prior to joining SCYTHE, Trey held positions at notable organizations such as Hack The Box (HTB Academy content Developer), The Army Corps of Engineers (ICS/SCADA Penetration Testing), and a veteran of the United States Marine Corps ( Defensive and Offensive Cyber Operations). Current certifications include the CISSP, GICSP, GCIP, and K>FiveFour RTAC.


SCYTHE represents a paradigm shift in cybersecurity risk management, empowering organizations to Attack, Detect, and Respond efficiently. The SCYTHE platform enables collaboration between red, blue, and purple teams to build and emulate real-world adversarial campaigns. SCYTHE's innovative dual-deployment options and comprehensive features ensure a proactive cybersecurity approach. Headquartered in Arlington, VA, SCYTHE is privately funded by distinguished partners dedicated to shaping a more resilient cybersecurity landscape.

Latest Posts

Threat Thursday: February
February 22,2024
Threat Thursday: January
January 18,2024