Red Team Infrastructure

Proposed Scalable Infrastructure for Operational Resiliency

Preface

EDRs will attempt hostile scanning of IP addresses found in any files or implants dropped to disk, like the following:

The proposed infrastructure design uses mod_rewrite to redirect non-beacon traffic (as defined by the Malleable C2 profile) to a legitimate-looking website. The idea is to allow quick teardown and spin-up of redirectors in case of IP blacklisting, and to create the illusion that everything is legitimate.

C2 Infrastructure with Redirectors

Bypassing Egress Filtering

On a network with a strict egress-filtering policy, it may be easy to gain code execution and run a beacon implant, but difficult to get traffic out. In most real-world engagements, this is implemented by forcing all allowed outbound connections through a proxy that is locked behind system settings.

Since an HTTP/HTTPS beacon uses the POST method to send output back to the Team Server, a beacon may check in regularly (via the GET method) and execute tasks successfully while the operator receives no output at all in the CobaltStrike client.

To circumvent this, we can abuse CDNs and other cloud services to mask all the POST methods sent by the agent. This is usually done via:

  • Complying with network proxy rules (such as those with wildcard outbound access to specific domains)

  • Domain Fronting

Reviewing Deployment Guide

In some cases, deploying a redirector at a strategically chosen cloud provider can be advantageous. For instance, Trend Micro has a default allow rule for *.amazonaws.com, which happens to be the domain used by EC2 instances for their public hostnames.

Another example is Citrix Virtual Desktop recommending wildcard whitelist access to *.blob.core.windows.net.

Amazon CloudFront (Domain Fronting)

Integrating CloudFront for Domain Fronting

As there is no way to predict the source IP a CloudFront distribution will connect from (being a CDN, its requests do not come from a single source), you will need to configure an inbound HTTP rule from 0.0.0.0/anywhere on the EC2 instance to allow CloudFront access.

To offset this security tradeoff, you can configure a custom header in CloudFront that is forwarded to the EC2 instance with every request, then use mod_rewrite in the Apache instance on the EC2 to redirect traffic that matches the custom header.

Google Cloud Run (Domain Fronting)

Domain fronting with GCP is very straightforward thanks to this project by Praetorian. The simple PoC below demonstrates how a curl command to https://google.com ended up hitting our CobaltStrike HTTPS listener.

The logs from Google Cloud Run also confirm the traffic redirection from https://*.run.app to our Team Server.

Note: A CDN may rewrite your HTTP requests in ways that break your Malleable C2 profile, which leads to broken job tasking and check-ins. If your curl command goes through successfully but you get no beacon callback, this blog post might help: https://www.cobaltstrike.com/blog/broken-promises-and-malleable-c2-profiles
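From the defender's side, both techniques described above leave a trace in egress proxy logs: domain fronting shows up as a TLS SNI that differs from the HTTP Host header, and the wildcard allow-rules quoted from the deployment guides let POST traffic reach generic cloud hostnames that were never reviewed individually. The following Python example is added here and is not part of the original page; it scans a constructed, hypothetical pipe-delimited proxy export for both signals, and the field layout, rule list and every hostname in it are assumptions.

```python
import fnmatch
from typing import Dict, List, Optional, Tuple

# Hypothetical export layout: timestamp|client|dst_ip|tls_sni|http_host|method
FIELDS = ("ts", "src", "dst_ip", "sni", "host", "method")

# Wildcard egress allow-rules of the kind vendor deployment guides ask for.
WILDCARD_ALLOW = ["*.amazonaws.com", "*.blob.core.windows.net"]

# Constructed sample records; hostnames and addresses are made up for the example.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z|10.0.0.5|203.0.113.10|www.example.com|www.example.com|GET
2024-05-01T10:00:07Z|10.0.0.5|203.0.113.10|cdn.example.net|d111111abcdef8.cloudfront.net|POST
2024-05-01T10:00:09Z|10.0.0.7|203.0.113.20|google.com|abc123-uc.a.run.app|POST
2024-05-01T10:00:12Z|10.0.0.9|203.0.113.30|ec2-198-51-100-1.compute-1.amazonaws.com|ec2-198-51-100-1.compute-1.amazonaws.com|POST
"""


def _norm(name: str) -> str:
    """Lower-case a hostname and drop any :port suffix or trailing dot."""
    return name.split(":")[0].strip().lower().rstrip(".")


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the pipe-delimited export, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split("|")
        if line.strip() and len(parts) == len(FIELDS):
            records.append(dict(zip(FIELDS, parts)))
    return records


def sni_host_mismatch(rec: Dict[str, str]) -> bool:
    """Classic domain-fronting tell: TLS SNI and HTTP Host disagree."""
    return _norm(rec["sni"]) != _norm(rec["host"])


def matched_wildcard(host: str, rules: List[str] = WILDCARD_ALLOW) -> Optional[str]:
    """Return the wildcard allow-rule that admits this host, if any."""
    for rule in rules:
        if fnmatch.fnmatchcase(_norm(host), rule.lower()):
            return rule
    return None


def analyze(text: str, rules: List[str] = WILDCARD_ALLOW) -> List[Tuple[str, str, List[str]]]:
    """Return (timestamp, client, reasons) for every record worth a look."""
    findings = []
    for rec in parse_log(text):
        reasons = []
        if sni_host_mismatch(rec):
            reasons.append("sni/host mismatch")
        rule = matched_wildcard(rec["host"], rules)
        if rule and rec["method"].upper() == "POST":
            reasons.append(f"POST permitted only by wildcard {rule}")
        if reasons:
            findings.append((rec["ts"], rec["src"], reasons))
    return findings
```

Run `analyze(SAMPLE_LOG)` to see the two fronted requests and the POST admitted only by the *.amazonaws.com wildcard; the clean GET produces no finding.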

Azure Blob Storage

Related Projects:

Tailscale

Related Projects:
