Red Team Infrastructure
Proposed Scalable Infrastructure for Operational Resiliency
Default
EDRs will attempt hostile scanning of any IP addresses found in files or implants dropped to disk, like the following:

The infrastructure design uses mod_rewrite to redirect non-beacon traffic (controlled by the Malleable Profile) to a legitimate looking website. The idea is to allow quick tear down and spin up of redirectors in the case of IP blacklisting.

Extreme Egress Filtering
On a network with a strict egress filtering policy, it may be easy to gain code execution and run a beacon implant, but difficult to egress out of it. In most real-world engagements, this is implemented by forcing allowed outbound connections to go through a proxy locked behind system settings.

As an HTTP/HTTPS beacon uses the POST method to send output back to the Team Server, a beacon can still check in frequently and execute tasks successfully while the operator receives no output back in the Cobalt Strike client.
By adding domain fronting capabilities, we can abuse CDNs to mask the POST requests sent by the agent.
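The detection counterpart to the fronting described above, added here as an example that is not part of the original page: an egress proxy that terminates TLS sees both the SNI and the HTTP Host header, and fronting relies on the two disagreeing. The log format and sample lines are constructed for this example and do not correspond to any real product.

```python
"""Flag possible domain fronting in logs from a TLS-inspecting egress proxy.
Fronting puts a CDN-hosted domain in the TLS SNI while the HTTP Host header
names the real backend; a proxy that sees both can spot the mismatch."""
import re

# Assumed log format (constructed for this example, not any real product's):
# <ts> <client_ip> method=<M> sni=<name> host=<name> status=<code>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) method=(?P<method>\S+) "
    r"sni=(?P<sni>\S+) host=(?P<host>\S+) status=(?P<status>\d+)$"
)

def registrable(name: str) -> str:
    """Crude eTLD+1 approximation: the last two labels. Enough to treat
    cdn.example.com and www.example.com as the same owner."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def find_fronting(lines):
    """Return one dict per request whose SNI and Host header point at
    different registrable domains. Same-owner differences (apex vs. www)
    are tolerated; a CDN front with an unrelated Host header is not."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the expected format; skip rather than guess
        if registrable(m["sni"]) != registrable(m["host"]):
            findings.append({k: m[k] for k in ("ts", "client", "method", "sni", "host")})
    return findings

# Constructed sample traffic: a normal request, an apex/www difference,
# and a POST whose SNI is a CDN front while Host names another domain.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 method=GET sni=www.example.com host=www.example.com status=200",
    "2024-01-01T10:00:01Z 10.0.0.5 method=GET sni=example.com host=www.example.com status=200",
    "2024-01-01T10:00:02Z 10.0.0.7 method=POST sni=cdn.example.net host=backend.example.org status=200",
]

if __name__ == "__main__":
    for f in find_fronting(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} {f['method']} sni={f['sni']} host={f['host']}")
```

This only works where the proxy decrypts TLS and logs the Host header; without inspection, the SNI alone carries no fronting signal.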
