Safe Red Team Infrastructure

This waterpark slide has been my analog for this Red Team infrastructure model
A simple model that works for consulting or internal corporate Red Teams.

Domain Fronting

This same concept can be applied using Domain Fronting (for more info on this, see “Simplifying Domain Fronting”). All we have to do is add in a Content Delivery Network (CDN) that supports domain fronting and locate a frontable DNS domain name (out of scope for this article, I’m assuming you’ve already done that).

A more advanced consulting Red Team model with Domain Fronting as an option.
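From the Blue Team side, the observable that domain fronting leaves behind is a mismatch between the name negotiated in the TLS ClientHello (the SNI, which the network sees) and the Host header the CDN actually routes on (visible only where TLS is inspected). The following is an added example, not code from this article or from any tool it mentions; the records are constructed and assume a TLS-inspecting proxy that logs both fields. The registrable-domain helper is a deliberate simplification (last two labels) and would use a public suffix list in practice.

```python
"""Flag HTTPS requests whose TLS SNI and HTTP Host header disagree.

Added example for this article. Input records are constructed; the assumed
source is a TLS-inspecting proxy that logs the ClientHello SNI and the
decrypted Host header for each request.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HttpsRecord:
    src: str      # client address
    dst_ip: str   # CDN edge address
    sni: str      # server name from the TLS ClientHello
    host: str     # Host header from the decrypted HTTP request


def registrable_domain(name: str) -> str:
    """Crude eTLD+1: the last two labels. Assumption: no multi-label public
    suffixes (such as co.uk) appear in the data; a real deployment should
    consult the public suffix list instead."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name.lower()


def is_fronted(rec: HttpsRecord) -> bool:
    """True when the name the network saw (SNI) and the name the CDN routed
    on (Host) belong to different registrable domains. Same-domain
    differences (cdn. vs assets.) are normal CDN behaviour and are ignored."""
    return registrable_domain(rec.sni) != registrable_domain(rec.host)


def find_fronting(records):
    """Return the subset of records that show an SNI/Host domain mismatch."""
    return [r for r in records if is_fronted(r)]


def count_by_source(records):
    """Mismatch count per client, useful for prioritising which host to look at."""
    counts = {}
    for r in find_fronting(records):
        counts[r.src] = counts.get(r.src, 0) + 1
    return counts


# Constructed sample: two ordinary requests to a CDN edge, one where the
# Host header names a different registrable domain than the SNI.
SAMPLE = [
    HttpsRecord("10.1.4.23", "203.0.113.40", "cdn.example.net", "cdn.example.net"),
    HttpsRecord("10.1.4.23", "203.0.113.40", "assets.example.net", "cdn.example.net"),
    HttpsRecord("10.1.7.9", "203.0.113.40", "frontable.example.net", "origin.example.org"),
]

if __name__ == "__main__":
    for rec in find_fronting(SAMPLE):
        print(f"{rec.src}: SNI={rec.sni} Host={rec.host}")
```

Without TLS inspection the Host header is not available and this check cannot run; in that case the only network-visible name is the SNI, which is exactly what makes fronting effective.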

IP Laundry

If you’re an internal Red Team and you want to keep your honest Blue Team honest, then you can implement an IP laundering process. The idea is exactly the same as the first set of instructions, except you’ll chain two cloud hosts together. The first host does nothing but operate a series of extra TCP redirector tunnels. No payloads, C2 callbacks, or any other traffic will talk directly to it. It’s simply a link in the chain. This way, a blue teamer performing traffic analysis and sneaking a peek at the corporate red team infrastructure can NOT know exactly what is going on. All they’ll see is traffic from known red team servers to an IP address on the Internet that is not involved in any traffic to corporate endpoints. The trail is washed.

An internal corporate Red Team model to keep C2/data on-premise but simulate external threat actors.
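The claim in the paragraph above is about what flow logs do and do not reveal, so it is worth checking against a flow log. The following is an added example, not code from this article; the flow records and address roles are constructed (10.1.0.0/16 for corporate endpoints, 10.9.9.10 as the internal red team server the Blue Team already knows about, 203.0.113.10 as the cloud laundry host, 198.51.100.20 as the cloud redirector endpoints actually reach, 192.0.2.50 as an unrelated SaaS host). It splits the external peers of the known red team servers from the external peers of the endpoints, showing that the destination IPs alone do not overlap, and then shows the one correlation that survives: matching flow sizes.

```python
"""What a NetFlow-style log shows about a chained (laundered) redirector.

Added example for this article. Flows and address roles are constructed:
  10.1.0.0/16    corporate endpoints
  10.9.9.10      internal red team C2 server, known to the Blue Team
  203.0.113.10   cloud laundry host: relays only, never talks to endpoints
  198.51.100.20  cloud redirector that endpoints actually beacon to
  192.0.2.50     unrelated SaaS host
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes: int


# Internal space is defined explicitly rather than via is_global, because the
# constructed sample uses RFC 5737 documentation ranges for "external" hosts.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ENDPOINT_NET = ipaddress.ip_network("10.1.0.0/16")
RED_TEAM_SERVERS = {"10.9.9.10"}


def is_endpoint(ip: str) -> bool:
    return ipaddress.ip_address(ip) in ENDPOINT_NET


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def external_peers(flows, selector):
    """External destinations reached by sources matching selector, with byte totals."""
    totals = defaultdict(int)
    for f in flows:
        if selector(f.src) and is_external(f.dst):
            totals[f.dst] += f.bytes
    return dict(totals)


def laundry_candidates(flows):
    """External IPs that only known red team servers talk to and that no
    endpoint ever contacts. In the article's model this is the laundry host."""
    red = external_peers(flows, lambda ip: ip in RED_TEAM_SERVERS)
    ends = external_peers(flows, is_endpoint)
    return sorted(set(red) - set(ends))


def shared_peers(flows):
    """External IPs contacted from both sides. Empty means the flow log's
    destination column alone does not tie red team servers to endpoint traffic."""
    red = external_peers(flows, lambda ip: ip in RED_TEAM_SERVERS)
    ends = external_peers(flows, is_endpoint)
    return sorted(set(red) & set(ends))


def volume_matches(flows):
    """The signal that remains: an endpoint flow and a red team flow of
    identical size. Weak on its own, but this is the kind of correlation
    traffic analysis falls back on once destinations no longer overlap."""
    ends = [f for f in flows if is_endpoint(f.src) and is_external(f.dst)]
    red = [f for f in flows if f.src in RED_TEAM_SERVERS and is_external(f.dst)]
    return [(e.dst, r.dst, e.bytes) for e in ends for r in red if e.bytes == r.bytes]


# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("10.1.4.23", "198.51.100.20", 443, 8_200),    # beacon to the redirector
    Flow("10.1.4.23", "192.0.2.50", 443, 120_000),     # ordinary SaaS traffic
    Flow("10.1.7.9", "192.0.2.50", 443, 54_000),
    Flow("10.9.9.10", "203.0.113.10", 443, 8_200),     # C2 server <-> laundry host
    Flow("10.9.9.10", "203.0.113.10", 443, 41_000),
]

if __name__ == "__main__":
    print("red team only:", laundry_candidates(SAMPLE_FLOWS))
    print("shared:", shared_peers(SAMPLE_FLOWS))
    print("size matches:", volume_matches(SAMPLE_FLOWS))
```

The empty `shared_peers` result is the washed trail the paragraph describes; `volume_matches` is a reminder that flow size and timing still correlate across the chain, which is why the Tradecraft Considerations below favour variety in hosts and paths.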

Credential Phishes

It’s also possible to replicate this model for credential phishes. Simply install a web application with the phish login form and the necessary code to receive an HTTPS request, parse the credentials, and log them safely to disk, on the C2 server instead of, say, Cobalt Strike. [This can be done in parallel on a second internal host using a second copy of the external infrastructure so that it can be live at the same time as your C2 server.] This will result in credentials being sent end-to-end encrypted using the SSL certificate and private key of your on-premise server without exposing credentials to the cloud host.

Tradecraft Considerations

To maximize tradecraft, a variety of cloud host providers, geographic locations, DNS domains, DNS registrars, domain categories, and C2 server types should be employed. The more variety, the better. Proficient Red Teams often layer this architecture to minimize impact when the Blue Team identifies and blocks traffic to/from a single C2 listener/path.
