Posts

Showing posts from January, 2019

SCYTHE: Starting 2019 with Linux and ATT&CK™

The SCYTHE team has been hard at work on our new release and we are proud to present the next major evolution of the SCYTHE Continuous Red Team Automation platform.

What’s New
- More auto-generated implants
- Linux support
- One-Click MITRE ATT&CK Report
- New Threats in the Threat Catalog
- New Logging Output Option

Linux Implant Builder
The campaign creation menu now allows you to select an operating system for Linux campaign creation. You will have the SCYTHE automation and ease of use you have come to expect, but the platform will now produce a Linux executable to deploy as your own custom malware/agent.

MITRE ATT&CK Report
Continuously monitor how well the organization’s risk posture is fortified across the MITRE ATT&CK matrix. In addition to our existing MITRE ATT&CK functionality, SCYTHE now supports a one-click report, showing you which ATT&CK Techniques were utilized in your campaign and a summary of the results. This report can …

Fileless Malware and the Threat of Convenience

Many of the conveniences brought via modern tools, operating systems, and applications also bring means for an adversary to execute actions while under the guise of a valid service. This is seen distinctly in the increased use of Fileless Malware. Fileless Malware can be broadly defined as execution of malicious instructions in memory with no requirement for these instructions to be backed by a file on disk. One way to understand this is through the following example:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert('foo');

The above:
- utilizes the legitimate Windows utility rundll32.exe,
- loads the DLL mshtml.dll,
- calls the “RunHTMLApplication” entry point,
- executes the JavaScript command, and
- ultimately creates a popup containing the word foo.

A Blue Team defender can use Process Monitor to witness all of the above simply by searching for rundll32. But what makes the previous command an example of fileless execution? I…