Threat Emulation: Agent Tesla


Welcome to the May 2023 SCYTHE #ThreatThursday! This edition features an emulation based on Agent Tesla malware.

Executive Summary

Agent Tesla is a remote access trojan (RAT) written for the .NET framework that was first discovered in 2014. It is often leveraged as Malware-as-a-Service to gain initial access and then download additional second-stage tools. Agent Tesla is primarily an information stealer with the ability to monitor keystrokes, capture screenshots, steal credentials, and exfiltrate back to the threat actor using a variety of protocols. Data released from Infosecurity Magazine reveals that info-stealing malware accounted for the three most widely used variants this past fall (16% of global detections) and, in October, Agent Tesla was the most widespread malware (impacting 7% of organizations).

Cyber Threat Intelligence


Agent Tesla malware spreads primarily via phishing emails where users are lured into executing malicious files disguised as Microsoft Office documents, Shortcuts, zip, image files, etc. When executed these initial payloads connect to a remote command and control (C2) server to download later stages of the malware. After initial access, persistence is achieved through modification of the registry Run keys or via the creation of scheduled tasks. The malware then proceeds to collect data from browsers, mail, and VPN clients and exfiltrate using various protocols or applications (SMTP, FTP, Telegram, Discord, etc).




  • Windows operating systems
  • Government organizations
  • Oil and Energy Sector


  • Data theft/data exfiltration


  • Persistence
    • Modify registry Run keys
    • Creation of scheduled tasks
  • Defense Evasion
    • Payload obfuscation
  • Credential Theft
    • Specifically targets browsers and email (Chrome, Firefox, Edge, Outlook, etc)
  • Key-logging
  • Screenshot capture
  • Data Exfiltration
    • Various protocols are used (SMTP, FTP, Telegram, Discord, etc)

SCYTHE Customers can access the full blog in the customer portal to read more about the automated steps in this new emulation along with recommended detection opportunities.

Happy Hunting!



SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Columbia, MD, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.