SCYTHE Red Team CYOA

Blue Sky has supplied some rules of engagement. Most importantly, physical access is off the table. So your team lead decides that you must use spearphishing with an attachment (T1193). You have a master social engineer on the team who has crafted the lure for the phish, and another “capabilities developer” who has crafted the initial execution method in the attached payload. Your job is to handle the operation after initial access is acquired. ... ... Your phish payload lands on a host, executes, and calls back to your command and control server. What is the first thing you do? (align: "==><==")[ ] (align: "<==")[[[Run Mimikatz to collect plaintext passwords -> Run Mimikatz to collect plaintext passwords]]] (align: "<==")[[[Figure out where I am -> Figure out where I am]]] (align: "<==")[[[Figure out what’s running on this host -> Figure out what’s running on this host]]] (align: "<==")[[[Prompt the user for their password -> Prompt the user for their password]]]

Congrats! It’s a Windows 7 host, so credentials are in memory in the LSASS process by default. You now have 2 plaintext passwords: one for Bob, the current user your payload is running under, and another one: Eve. You quickly check Active Directory — Eve’s account is a Domain Admin! W00t! With Domain Admin credentials in your possession, the world is your oyster! (align: "==><==")[ ] (align: "<==")[[[Try Eve's credentials -> Try Eve's credentials]]] (align: "<==")[[[Try Bob's credentials -> Try Bob's credentials]]]

You didn’t prioritize discovering what is running on the host first. Instead, you try to figure out where your phish payload landed. Let's see where this goes (align: "==><==")[ ] (align: "<==")[[[Run ipconfig, whoami, and net commands->Run ipconfig, whoami, and net commands]]] (align: "<==")[[[Put execution guardrails in your payloads->Put execution guardrails in your payloads]]] (align: "<==")[[[Watch the egress IP address->Watch the egress IP address]]]

It's important to find out what's running on the host. After all, that is how you determine what you can safely run... But how will you do it? (align: "==><==")[ ] (align: "<==")[[[Run the tasklist, reg, and net commands -> Run the tasklist, reg, and net commands]]] (align: "<==")[[[Review running processes via implant -> Review running processes via implant]]] (align: "<==")[[[Use the Windows API -> Use the Windows API]]]

You saw a nifty tool the other day on a blog. It generates a dialog box that looks similar to the Windows security UI, prompting for passwords. You decide to use it. It’s convenient and executes as in-memory PowerShell. You copy the PowerShell, paste it into your Command and Control server’s console, and wait. The response came back: empty string. No password. What happened? Try it again. After waiting, the response is another empty string. Argh! (align: "==><==")[ ] (align: "<==")[[[Try to debug -> Try to debug]]] (align: "<==")[[[Run Mimikatz to collect plaintext passwords -> Run Mimikatz to collect plaintext passwords]]]

You are careful. You always want to know where your phishes land. You really don’t want to have a tangle with the business end of the Computer Fraud and Abuse Act (CFAA). You watched a conference talk once about wrapping payloads with execution guardrails — basically just a conditional check to ensure the host is running on the right domain. It’s been your preference ever since. The problem is, you can’t predict exactly what the domain is before you get there, so before this phish ever landed you sent in a really simple “recon phish” — basically a phish with no malicious payload. It grabbed the User ID, Domain, and a few small details about the host and leaked them to a web service you control. You sent it yesterday, and just got the results back this morning. The user is Bob and the domain is CORP. You prepared your REAL payload with the guardrail to only execute if the domain == CORP. Then you sent in the phish, which is now beaconing home to your command and control. You start looking around on this new host. It seems empty. No real files or signs of life. It doesn’t seem to be able to query the domain it’s joined to, nor can it see any other hosts in its subnet. The user isn’t an admin. You don’t see anything of value, but you keep poking at this host for a day or two. Eventually, you resend your phish to a different person, also with the guardrails for the CORP domain. A half day later or so, you get another callback, this time the user is Alice, but her machine also is basically lifeless and empty. What’s going on? This repeats 3 or so times, then you’re out of time. (align: "==><==")[ ] (align: "<==")[[[Game Over -> Ending: guardrails]]]

You have a process you always follow. You send non-malicious emails from infrastructure that you never reuse in any sort of malicious way to email addresses of employees that you harvested using OSINT techniques. These emails look like quality marketing emails for a company that you’ve maybe heard of before (but you actually haven’t). They’re not super memorable. Each victim received a slightly different email with trackers in the image, just like a marketing firm might use. Now you know exactly which user agent and external IP address belongs to each of your recipients. From there, you can quickly analyze that most of the mobile devices are likely from random mobile IP addresses — you don’t care about those in this case. The user agents indicating full endpoint devices tend to cluster around 2 different IP addresses, each of which appear in one of two major cities, just where your OSINT suggested their offices would reside. As you prepare your weaponized phish from different infrastructure you setup a rule on your C2 web server to only pass requests from those 2 IP addresses. Any other IP address will receive a 404 not found response and be unable to talk to your C2 server. This subtle configuration will ensure that any errant landing payloads won’t result in full access. Coincidentally, later in the campaign when an incident responder begins to reverse your malware, they also won’t be able to communicate with your C2 server from their sandboxes. Now it’s time to find out what’s running on this host. How do you do it? (align: "==><==")[ ] (align: "<==")[[[Run the tasklist, reg, and net commands -> Run the tasklist, reg, and net commands]]] (align: "<==")[[[Review running processes from VBA in the macro-> Review running processes from VBA in the macro]]] (align: "<==")[[[Use the Windows API-> Use the Windows API]]]

You prefer old school commands because you know that running PowerShell is a questionable approach these days; so many EDR products flag its use. You run “tasklist”, and out comes a list of process names and IDs. You notice many you recognize, some you don’t — you’ll have to Google them and figure out what they may be later. Then you run a whole series of “reg” commands — you use a script that you always use to do this, because you can’t possibly remember all of the registry keys that you need to query. One by one, you get the output and drop it into a folder to analyze. Then you run a few net commands, including “net start” to get a list of all of the Windows services to run. You also run a few “dir” commands to locate common folders for applications that may be installed. (align: "<==")[ ] (align: "<==")[[[Continue reads "commands" -> Continue reads "commands"]]]

Your implant has a built-in way of collecting processes and all of the auto-run hooks into the operating system, spitting it out to your screen in an easy to read format. Everything looks good — looks great, actually. There doesn't seem to be anything that would indicate a sandbox. The implant checks for the presence of security products on the host. If it thinks it’s safe — it will serve up the next stage and directions to use one of 4 ways to initiate execution. The only flaw is if there is a new EDR product your team has never seen before, and you don’t know what its capabilities are. “Oh well, that’s what debriefs are for,” you say to yourself. You watch your console when an audible beep wakes you up from your daydream to inform you the first stage has been successfully opened. The safety checks were about to run, and soon you’d know if all of that R&D time would pay off in this organization. It did. Three EDR products were recognized. (align: "==><==")[ ] (align: "<==")[[[Test the odds and execute -> Ending: Test the odds and execute]]] (align: "<==")[[[Figure out where I am first -> Figure out where I am first]]]

You know all about detections that come from command line commands. They each spawn new processes. Spawning processes is expensive for an adversary. Each one risks being so noisy, especially with command line options. Yes, you’re aware of techniques to start a benign process in suspend mode, and then replace the actual target of that process after the process is already in the process tree. It’s a neat trick to get around EDR products that only watch process trees, but some EDR products hook the same Windows API calls you need to create the process in suspend mode so they can notice the suspend flag, and, well, that’s too risky for you. So the first thing your implant does is use the Windows API to enumerate what processes are running, what services are installed, even what drivers are present on the system — all using very vanilla Windows API calls that so many legitimate business applications use for legitimate purposes, so you’re confident it will never get flagged. Your implant doesn’t spawn a new process to do that. It doesn’t even inject code into itself to do it — it’s not safe to try any of that until you know what’s running, so your implant brings that functionality with it — all part of its initial stage. “Smart” you say to yourself. In just a few seconds, your implant dumps a list of all running processes, and starts comparing them to a list of known security products. Three immediately stand out. Then it goes back for drivers for completeness, and does the same — no additional security products, just the three. You’re mostly familiar with their defensive feature sets. You feel confident. You begin to slowly and methodically review the rest of the host to see what’s present. “No need to rush these things and make a mistake,” you say to yourself. Precisely 93 minutes after the initial callback from the first host, a second implant calls back. It must have the same egress IP address — because you set a filter on your C2 server preventing any other IP addresses from communicating to your server. This is curious — you only sent one phish. Maybe Bob opened it twice? You begin to triage this host — you see it has a different hostname. You initiate the implant’s tasking to enumerate via the Windows API all of the running processes, services, and drivers. All of the results come back curiously empty. “How’s that possible?” you wonder. Then both implants’ callbacks are suddenly late. You have excellent jitter and randomness, so you it couldn’t be a network-based detection, could it? The implants are both definitely dead. It’s a shame, too, because you are really curious about the second one. You send two more phishes to two more employees. The engineer on your team who build the payloads put tracing into their execution. Within 30 minutes, you can see requests to a telemetry server indicating the payloads were delivered and the attachments opened, but no callbacks were made. You begin to suspect your callback domain has been burned, so you swap to a second payload that uses a second domain. Same results. Now, you’re wondering what else is burned. You spend the next several days trying to isolate, one at a time, all of the variables that may be getting your payload detected. You eventually run out of time. (align: "==><==")[ ] (align: "<==")[[[Game Over -> Ending: edr]]]

After an hour of looking, and sorting your results in your notes, you have a good list of your next steps to chase. Then your connection drops! What happened? “Maybe Bob just shut his laptop” you say to yourself. You send your phish to another user, Alice, from another SMTP domain that you frequently use on engagements. You give it an hour or so, but there’s no indication it was delivered. So, you switch to another domain. And another. You exhaust your list. None of them work. You run out of time. (align: "==><==")[ ] (align: "<==")[[[Game Over -> Ending: commands]]]

####You lose :( These commands have been around since the beginning of the command line, and you can execute them in your sleep, which is what you must have been, because you didn’t notice the endpoint controls running on this host. ####Credits Originally written by Tim Malcom Vetter. This Choose-Your-Own-Hackventure game was produced by SCYTHE, Inc. Bryson Bort Christine Piry Ateeq Sharfuddin Jorge Orchilles Adam Mashinchi Sean Sun ####THE END (align: "==><==")[ ] (align: "<==")[[[Play again->Choose Your Hackventure!]]]

####You lose :( You were spot on about your philosophy — spawning processes is expensive for the attacker, especially until you understand what is running on the host and what normal looks like. But you forgot one detail: your malicious document is spawning your payload. It’s a separate process. You’ve made an expensive choice, and in this case, it got you caught. You didn’t hit their objectives, but that’s OK. Your client went from being a tough target to an even tougher one. ####Credits Originally written by Tim Malcom Vetter. This Choose-Your-Own-Hackventure game was produced by SCYTHE, Inc. Bryson Bort Christine Piry Ateeq Sharfuddin Jorge Orchilles Adam Mashinchi Sean Sun ####THE END (align: "==><==")[ ] (align: "<==")[[[Play again->Choose Your Hackventure!]]]

So, you attempt to move laterally to another host using Eve’s Domain Admin password. Access Denied. What? Try again. Access Denied. Try again! (align: "==><==")[ ] (align: "<==")[[[Try Bob's credentials -> Try Bob's credentials]]]

You try Bob’s account, but it’s not an admin, so it does not have rights to perform the lateral movement. The target organization does not have any single factor externally-facing services. You need to prompt Bob for his two-factor authentication one-time-passcode. (align: "==><==")[ ] (align: "<==")[[[Prompt Bob for his OTP -> Prompt Bob]]] (align: "<==")[[[Try something else... ->Try something else]]]

So, you go to work building a user interface to prompt for the passcode. Thirty minutes later, you notice your shell stopped responding. Hmmm. (align: "==><==")[ ] (align: "<==")[[[Game Over ->Ending: passwords]]]

Wait... why isn't your your shell responding??? (align: "==><==")[ ] (align: "<==")[[[Game Over ->Ending: passwords]]]

####You lose :( Running Mimikatz tripped a silent alarm, which only took 7 minutes to get SOC attention. That’s an exceptional escalation window! You’ve got to bring your A game, Leroy Jenkins. ####Credits Originally written by Tim Malcom Vetter. This Choose-Your-Own-Hackventure game was produced by SCYTHE, Inc. Bryson Bort Christine Piry Ateeq Sharfuddin Jorge Orchilles Adam Mashinchi Sean Sun ####THE END (align: "==><==")[ ] (align: "<==")[[[Play again ->Choose Your Hackventure!]]]

####You lose :( Your “recon phish” sailed through the email security stack without issue, because it was only leaking a few details and not executing anything obviously malicious. Your second (malicious) phish, however, flagged on a YARA rule looking for common techniques to identify the domain combined with the presence of one of many strings containing identities of the company. ####Credits Originally written by Tim Malcolm Vetter. This Choose-Your-Own-Hackventure game was produced by SCYTHE, Inc. Bryson Bort Christine Piry Ateeq Sharfuddin Jorge Orchilles Adam Mashinchi Sean Sun ####THE END (align: "==><==")[ ] (align: "<==")[[[Play again->Choose Your Hackventure!]]]

It’s important to find out where you are. The question is, how do you do it? (align: "==><==")[ ] <div class="red"></div>(align: "<==")[[[Run ipconfig, whoami, and net commands->Run ipconfig, whoami, and net commands2]]] <div class="blue"></div>(align: "<==")[[[Put execution guardrails in your payloads->Put execution guardrails in your payloads]]] <div class="green"></div>(align: "<==")[[[Am I even in the right place?->Am I even in the right place?]]]

You run ipconfig: 10.42.98.19 Then you run whoami: CORP\Bob Then you run whoami /groups — no, Bob is NOT a local administrator, but he belongs to several Finance groups in Active Directory. You use the net commands to query Active Directory to see more information about those groups, as well as to list who the local administrators are for this host, and who the Domain Admins are for the entire domain. (align: "==><==")[ ] (align: "<==")[[[Continue reading “commands" -> Continue reads "commands"]]]

####You lose :( It seems you've tripped a silent alarm, which only took 7 minutes to get SOC attention. That’s an exceptional escalation window! ####Credits Originally written by Tim Malcolm Vetter. This Choose-Your-Own-Hackventure game was produced by SCYTHE, Inc. Bryson Bort Christine Piry Ateeq Sharfuddin Jorge Orchilles Adam Mashinchi Sean Sun ####THE END (align: "==><==")[ ] (align: "<==")[[[Play again ->Choose Your Hackventure!]]]

####You lose :( You test your luck and execute. The staging server instructs the VBA stager to use an injection technique. You wait and see. But it's been a long time and your implant should have called back by now... Try to be a bit more careful next time! ####Credits Originally written by Tim Malcom Vetter. This Choose-Your-Own-Hackventure game was produced by SCYTHE, Inc. Bryson Bort Christine Piry Ateeq Sharfuddin Jorge Orchilles Adam Mashinchi Sean Sun ####THE END (align: "==><==")[ ] (align: "<==")[[[Play again->Choose Your Hackventure!]]]

####You lose :( You didn’t look where you landed or what was running. You didn’t notice the EDR product running or the fact that it was PowerShell v5 with central logging turned on. There’s always next time. ####Credits Originally written by Tim Malcom Vetter. This Choose-Your-Own-Hackventure game was produced by SCYTHE, Inc. Bryson Bort Christine Piry Ateeq Sharfuddin Jorge Orchilles Adam Mashinchi Sean Sun ####THE END (align: "==><==")[ ] (align: "<==")[[[Play again->Choose Your Hackventure!]]]

You try on your VM. After a few minutes, you think you figured it out: if the user clicks the “x” it just exits and returns an empty string password. You go look at the source code. You’re a great Googler. A few minutes later, you found a Stack Overflow article showing you how to disable the “x” button. You repackage your payload with the fix and send it in. This time you get a response: “qwerty” No way that’s the password. You attempt to verify it. Result: authentication failure. (align: "==><==")[ ] (align: "<==")[[[Try to debug... again -> Debug again]]] (align: "<==")[[[Run Mimikatz to collect plaintext passwords -> Run Mimikatz to collect plaintext passwords]]]

You go back to the source code. A few more Stack Overflow articles and you have a version of the password prompt that won’t exit until it gets a password that successfully authenticates. Send the new one. Wait for it … Got a result. This one looks real. Finally! You attempt to verify it. Result: authentication success! It’s legit! Your code works! Now, what to do with it? (align: "==><==")[ ] (align: "<==")[[[Try out your new creds -> New Creds]]]

You didn’t notice the user wasn’t an admin. There are no lateral movement opportunities with that credential. You consider modifying your code again to prompt for an admin, looping until you get actual admin access. Then … You noticed your shell stopped calling home. You try sending your phish to another target. It never arrives. Maybe it’s your hosting provider? You swap and try again. Still never arrives. You run out of time. (align: "==><==")[ ] (align: "<==")[[[Game Over -> Ending: Password]]]

It’s time for your next phish. Most malicious documents rely on VBA to serve as the launcher for the actual malware. Even if they transition to PowerShell, WMI, or some live off the land executable to initiate the next stage, it has to start in VBA. The staging server instructs the VBA stager to use a certain injection technique which is not monitored by the EDR product, according to the last time your team tested it, and to inject a DLL version of your implant into a browser process that was running. Now your full implant is executing and calling back to the final C2 server. After a little more analysis and peer review with a teammate, you settle in on a low-and-slow persistence technique, then move on to deploy a second short haul C2 to do all your “work” from, in case your actions on target result in detections. Fast forward: you demonstrated full control of the accounts payable system, which was your primary objective. You wrote a hundred-plus page report (that nobody will likely ever read), but you did have some very engaging debrief discussions with SOC engineers, who crafted several new detections as a result. You gave them a sample payload they can run to test the injection technique you used, and it pops every time now. They thank you for your time, deploy the detection to the rest of the enterprise, and tell their CISO they can’t wait for the next engagement with them. You know it will be much harder next time. Your stomach churns with anxiety for a few moments while you ponder that, but you recall you have plenty of time to come up with something new, and remind yourself this is what it’s all about anyway. THE END (align: "==><==")[ ] (align: "<==")[[[THE END -> Ending: Epligoue]]]

####You win! :) Yes, this is the path in this particular storyline that achieves the outcome the Red Team wanted to achieve. It is not a prescription of exactly how you should structure all of your engagements. So many details have to be right. Hopefully this challenged the way you think about active defense and helped you to develop a whole new respect for the toughest defenders. They set the bar for us all. If it wasn’t for them, we’d all still be playing the same game, over and over again, on novice level. Who wants to do that? Not you. THE END ####Credits Originally written by Tim Malcom Vetter. This Choose-Your-Own-Hackventure game was produced by SCYTHE, Inc. Bryson Bort Christine Piry Ateeq Sharfuddin Jorge Orchilles Adam Mashinchi Sean Sun ####THE END (align: "==><==")[ ] (align: "<==")[[[Play again->Choose Your Hackventure!]]]

You check to see if you've landed on the right box... It seems like it belongs to the accounts department so you search around for some .docx and .xslx files. Success! You find files like "2019-Q2-Financials.xslx"! Fast forward: you demonstrated full control of the accounts payable system, which was your primary objective. You wrote a hundred-plus page report (that nobody will likely ever read), but you did have some very engaging debrief discussions with SOC engineers, who crafted several new detections as a result. You gave them a sample payload they can run to test the injection technique you used, and it pops every time now. They thank you for your time, deploy the detection to the rest of the enterprise, and tell their CISO they can’t wait for the next engagement with them. You know it will be much harder next time. Your stomach churns with anxiety for a few moments while you ponder that, but you recall you have plenty of time to come up with something new, and remind yourself this is what it’s all about anyway. THE END (align: "==><==")[ ] (align: "<==")[[[THE END -> Ending: Epligoue]]]

<div class id="focusme"> #### Choose Your Own Hackventure You’re a red team operator, working for Helios Inc, a leading offensive cybersecurity firm. Your assingment is to find a way into Blue Sky, a financial institution, and show that you can steal information from their accounting department. (align: "==><==")[ ] (align: "<==")[[[Begin your hackventure!->Choose Your Hackventure]]]