Threat Thursday

Threat Thursday: May 2024

Written by Trey Bilbrey | May 30, 2024 6:59:53 PM

This month's Threat Thursday delves into Data Loss Prevention (DLP), the Redcurl cybercrime group, and PowerShell Abuse. May has been a great month at SCYTHE, and we want to keep it going, so we have scheduled some awesome new summer content for you all. (DLP, CyberCriminals, and workshops, OH MY!)

New Threat Releases

Data Loss Prevention

As part of our cyber fitness strategy, we are taking a unique approach to our exploration of Data Loss Prevention (DLP). We've developed a comprehensive DLP threat simulation to assess the strength of our defenses against various data exfiltration channels. In this threat, we will exfiltrate (simulated) Personal Identifiable Information (PII) and other sensitive information over multiple C2 channels to determine DLP effectiveness. This test will aid in ensuring your sensitive data is protected and in compliance with federal regulations, and it will assess your overall DLP effectiveness.

 


RedCurl IOC

RedCurl, aka Earth Kapre & Red Wolf, is a Russian-speaking cybercrime group that has been active since at least 2018. They specialize in corporate cyber espionage, targeting entities across various industries in Australia, Canada, Germany, Russia, Slovenia, the U.K., Ukraine, and the U.S.

In this IoC threat, we will emulate their novel defense evasion technique of redirecting output via echo into BAT files, which are then executed to spawn malicious commands, create scheduled tasks, and generate network logs to known RedCurl C2 infrastructure.

 

Want to learn more about what SCYTHE's Empower offering can do for you? Reach out to us here.

 

REGISTER: June 6 Workshop - Threat Thursday Live 

Register today! 🦄

By mimicking adversarial threats, organizations can evaluate, test, and train against specific adversarial behaviors to measure their security control's detection and prevention efficacy. But, testing individual actions is not enough or even close to 'real-world' behavior, as these tests often ignore context and state. Join the SCYTHE TNT Team - Trey Bilbrey & Tyler Casey, and Jake Williams (@Malware Jake) on June 6th as we discuss the flaws in traditional BAS testing, ways to improve it, and get a peek under the hood of a new dynamic threat that SCYTHE is releasing.

 

REGISTER: June 12 Workshop - Detecting PowerShell Abuse 

Register today! 🦄

There has been a lot of talk recently in the cybersecurity community about whether or not PowerShell is a dead attack vector. But there is a reason it is still widely talked about and seen in the wild. During this workshop, Trey and Tyler will demonstrate how threats are still using and abusing PowerShell to Live off the Land (LOTL) and how you can detect the abuse.

Target Audience:
Blue or Purple teamers
 
What to Expect:
*Learn how PowerShell is being abused in the wild.
*Learn how to detect PowerShell Usage.
*Learn how to recognize the use of unmanaged PowerShell.
*Learn how to recognize common Living-Off-The-Land (LOTL) techniques.

 

About the Author

Trey Bilbrey is a Lead Adversary Emulation Engineer at SCYTHE, specializing in Purple Team Exercises, Threat Emulation, Critical Infrastructure, and holistic cyber operations. Trey's 15 years of industry experience has allowed him to become an excellent educator, defender of networks, and a cultivator of cybersecurity professionals. Prior to joining SCYTHE, Trey held positions at notable organizations such as Hack The Box (HTB Academy content Developer), The Army Corps of Engineers (ICS/SCADA Penetration Testing), and a veteran of the United States Marine Corps ( Defensive and Offensive Cyber Operations). Current certifications include the CISSP, GICSP, GCIP, and K>FiveFour RTAC.

About SCYTHE

SCYTHE represents a paradigm shift in cybersecurity risk management, empowering organizations to Attack, Detect, and Respond efficiently. The SCYTHE platform enables collaboration between red, blue, and purple teams to build and emulate real-world adversarial campaigns. SCYTHE's innovative dual-deployment options and comprehensive features ensure a proactive cybersecurity approach. Headquartered in Arlington, VA, SCYTHE is privately funded by distinguished partners dedicated to shaping a more resilient cybersecurity landscape.