“A Vision for Distributed Red Team Operations” ▫ “Advanced Threat Tactics: Course and Notes” ▪ Cybersyndicates.com - Alex Rymdeko-Harvey ▫ “6 Red Team Infrastructure Tips”
DNS C2 ▫ Short-term DNS C2 ▫ Short-term HTTP C2 ▪ Four redirectors (VPS hosts) ▫ Two for DNS C2 via socat/iptables ▫ HTTP C2 via Apache ▫ HTTP payloads via Apache ▪ SMTP server (VPS host) ▪ Four domains
SimilarWeb score ▫ High number of backlinks ▪ Register pre-used domains ▪ Register domains in same category ▪ Finance/Healthcare usually have firewall exceptions for SSL
wire ▪ Impersonate adversary or internal applications ▪ Malleable C2 -> Cobalt Strike ▪ Communication Profile -> Empire ▪ Use custom profiles on every server!
fingerprint response ▫ Easy-to-spot, but not Nigerian Prince ▫ Use completely different infrastructure ▫ Perform far in advance ▪ WATCH ALL LOGS ▫ Look for CURL/WGET/Python requests ▫ Geolocate IPs ▫ ID appliances ▫ ID incident response actions
▪ Split hosts amongst providers ▫ (Pay attention to terms of service!) ▪ Keep elements as independent as possible ▪ Forward all logs to central server via rsyslog
Certs ▫ Self-Signed ▪ Consistent URL patterns ▫ /admin.php etc.. ▫ Repeated intervals with Bro ▪ Research common C2 platforms ▫ (low hanging fruit for defenders) ▫ Stagers are easy to spot