Red Team

Operational Security (OPSEC)

OPSEC is the practice of protecting information about your operations from adversaries. In a red team context, this means avoiding detection by the blue team while still achieving the engagement's objectives.

Danger

Poor OPSEC can compromise an entire engagement. Assume the blue team is watching everything.

OPSEC Principles

Identify Critical Info

What would burn the operation if discovered? C2 infrastructure, operator identities, techniques.

Analyze Threats

Who is watching? SOC, EDR, SIEM, network monitoring, threat hunting teams.

Analyze Vulnerabilities

Where are you exposed? Network traffic, file artifacts, process behavior, logs.

Apply Countermeasures

Encryption, obfuscation, blending in, minimizing footprint, cleaning up.

Pre-Engagement OPSEC

Infrastructure Security

```text
# Separate infrastructure from personal
# - Use dedicated VMs for operations
# - Separate attack machine from analysis
# - Don't mix personal and operational accounts

# Domain protection
# - Register domains through privacy services
# - Use aged domains with clean reputation
# - Categorize domains appropriately

# IP protection
# - Use cloud providers (rotate frequently)
# - Multiple redirector layers
# - No direct connection to team server

# Communication security
# - Encrypted comms between operators
# - Separate channels for different sensitivity
# - No operational details on personal devices
```

Payload OPSEC

```bash
# Before deployment:
# - Test against target's EDR (if possible)
# - Remove debug information
# - Strip metadata from files
# - Randomize file hashes

# Metadata removal
exiftool -all= payload.exe

# Timestomping (match legitimate files)
touch -r /Windows/System32/cmd.exe payload.exe

# File signing
# - Sign with valid certificate
# - Or choose unsigned programs that blend in

# Unique payloads per target
# - Different hashes per deployment
# - Rotate C2 profiles
```

Active Operations OPSEC

Blending In

```text
# Time-based OPSEC
# - Operate during business hours
# - Match beacon timing to normal traffic
# - Avoid weekends/holidays unless target operates then

# Process OPSEC
# - Inject into processes that make sense
# - cmd.exe from Word = suspicious
# - PowerShell from svchost = suspicious
# - Match process behavior to its normal use

# Network OPSEC
# - Use expected protocols (HTTPS, DNS)
# - Match traffic patterns to normal
# - Avoid connections to unusual destinations
# - Use legitimate cloud services
```
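The "Process OPSEC" and "Time-based OPSEC" points above are exactly what a blue team encodes as process-lineage rules. The following is an added example from the defender's side, not code from the original page: it runs two lineage checks (shell spawned by an Office application, shell spawned by a service host) plus an off-hours check over a handful of constructed Sysmon Event ID 1 records. The field names (`UtcTime`, `Image`, `ParentImage`) follow Sysmon's Event 1 schema; the parent/child lists, the working-hours range and the decision to treat `UtcTime` as local working hours are assumptions for the example.

```python
"""Parent/child process lineage check over constructed Sysmon Event ID 1 records.

Added example, not from the original page. SAMPLE_EVENTS is constructed;
OFFICE_PARENTS, SHELLS, SERVICE_HOSTS and BUSINESS_HOURS are assumptions
encoding the page's own examples (cmd.exe from Word, PowerShell from svchost).
"""
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 1 (process creation) records.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-03-12 14:02:11",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"UtcTime": "2024-03-12 14:05:40",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"UtcTime": "2024-03-12 09:15:02",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"UtcTime": "2024-03-13 03:41:19",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Office binaries are not expected to spawn shells (assumption: tune per site).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Service hosts that should not normally launch an interactive shell.
SERVICE_HOSTS = {"svchost.exe", "lsass.exe", "spoolsv.exe"}
# Working hours, treated as the hour field of UtcTime for simplicity (assumption).
BUSINESS_HOURS = range(7, 20)


def _name(path):
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def lineage_findings(event):
    """Return the list of rule names this single record trips (empty if none)."""
    child, parent = _name(event["Image"]), _name(event["ParentImage"])
    findings = []
    if child in SHELLS and parent in OFFICE_PARENTS:
        findings.append(f"shell spawned by Office application ({parent} -> {child})")
    if child in SHELLS and parent in SERVICE_HOSTS:
        findings.append(f"shell spawned by service host ({parent} -> {child})")
    hour = datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S").hour
    if child in SHELLS and hour not in BUSINESS_HOURS:
        findings.append(f"shell launched outside business hours ({hour:02d}:00)")
    return findings


def triage(events):
    """Return (index, findings) for every event that trips at least one rule."""
    return [(i, f) for i, e in enumerate(events) if (f := lineage_findings(e))]


if __name__ == "__main__":
    for idx, findings in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["UtcTime"], "; ".join(findings))
```

The third record (cmd.exe under explorer.exe during the day) is the baseline that passes; the other three each trip one rule, which is why the page's advice to match parent, child and time of day to normal use is a single detection surface rather than three separate ones.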

C2 Traffic OPSEC

```text
# Traffic blending
# - Use HTTPS with valid certificates
# - Mimic legitimate application traffic
# - Use domain fronting where possible
# - Jitter callback times (20-50%)

# Beacon configuration
set sleeptime "60000";    # 60 seconds (longer = stealthier)
set jitter "40";          # 40% randomization
set data_jitter "100";    # Randomize data size
set useragent "...";      # Match browser strings

# DNS C2 considerations
# - Slower but harder to detect
# - Use legitimate-looking subdomains
# - Spread queries across time
```
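The `sleeptime`/`jitter` pair above is what beaconing analytics key on. This added example (not code from the original page or any C2 framework) models the settings by drawing each callback interval uniformly from `[sleep * (1 - jitter), sleep]`, which is an assumption about how jitter is applied, and then computes the statistic a defender uses: the spread of intervals relative to their median. For the page's 20-50% jitter range that spread stays small, whereas human-driven traffic to a site alternates short bursts with long idle gaps. The interval lists and thresholds are constructed assumptions.

```python
"""Beacon periodicity check over constructed callback intervals.

Added example, not from the original page. simulate_beacon() is a model of
sleep + jitter (assumption: interval drawn uniformly from [sleep*(1-j), sleep]);
HUMAN_INTERVALS is constructed; thresholds in looks_like_beacon() are assumptions.
"""
import random
import statistics


def simulate_beacon(sleep_s, jitter_pct, count, seed=7):
    """Constructed callback intervals (seconds) for a beacon with the given settings."""
    rng = random.Random(seed)
    low = sleep_s * (1 - jitter_pct / 100)
    return [rng.uniform(low, sleep_s) for _ in range(count)]


def interval_profile(intervals):
    """Median interval, median absolute deviation, and their ratio (dispersion)."""
    med = statistics.median(intervals)
    mad = statistics.median(abs(x - med) for x in intervals)
    return {"median": med, "mad": mad,
            "dispersion": mad / med if med else float("inf")}


def looks_like_beacon(intervals, max_dispersion=0.25, min_samples=20):
    """True when many callbacks to one destination have tightly clustered spacing.

    A uniform jitter of j% gives MAD/median of roughly j/4 / (1 - j/2), so 40%
    jitter lands near 0.125, well under the 0.25 threshold (assumption).
    """
    if len(intervals) < min_samples:
        return False
    return interval_profile(intervals)["dispersion"] <= max_dispersion


# Constructed human browsing pattern: bursts of sub-second requests, then idle.
HUMAN_INTERVALS = [0.4, 0.9, 2.1, 0.3, 180.0, 0.5, 1.2, 900.0, 0.7, 3.0,
                   0.2, 45.0, 0.8, 1.1, 2400.0, 0.6, 1.9, 0.4, 300.0, 0.9,
                   1.5, 0.3, 0.7, 60.0, 2.2]

if __name__ == "__main__":
    beacon = simulate_beacon(60, 40, 40)
    for label, series in (("beacon 60s/40%", beacon), ("human", HUMAN_INTERVALS)):
        prof = interval_profile(series)
        print(f"{label}: median={prof['median']:.1f}s dispersion={prof['dispersion']:.3f} "
              f"flag={looks_like_beacon(series)}")
```

The `min_samples` guard matters for the DNS C2 point above: a channel that spreads queries across time produces fewer samples per window, so a detector has to either widen the window or accept that short observation periods give no verdict.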

Command OPSEC

```bash
# Avoid suspicious commands
# BAD: whoami, ipconfig, net user (immediately suspicious)
# BETTER: Use C2 built-ins that don't spawn processes

# Sliver built-ins (no process spawn)
sliver > whoami          # Built-in, no cmd.exe
sliver > ifconfig        # Built-in
sliver > ps              # Built-in

# Cobalt Strike
beacon> shell whoami     # Spawns cmd.exe (detected)
beacon> run whoami       # Also spawns process
beacon> getuid           # Built-in (stealthier)

# Process-less alternatives
# - Read registry for user info
# - Query WMI in-process
# - Use C# assemblies that don't shell out
```

Detection Avoidance

Common Detection Triggers

| Action | Detection Method | Alternative |
|---|---|---|
| LSASS dump | EDR memory protection | Comsvcs MiniDump, Nanodump |
| DCSync | DC replication alerts | NTDS.dit extraction |
| Port scan | IDS/Firewall logs | Slow scan, known ports only |
| Kerberoasting | 4769 events | Target specific SPNs, spread over time |
| PowerShell | Script block logging | C# assemblies, BOFs |
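The Kerberoasting row above ("4769 events" versus "spread over time") is worth seeing from the detection side. This is an added example, not code from the original page: it groups constructed Event ID 4769 records by requesting account, keeps only RC4 (encryption type `0x17`) service-ticket requests, and counts distinct SPNs inside a sliding window. A naive 10-minute window misses requests spaced two hours apart; the same count over a 24-hour window still catches them. Field names follow the Windows 4769 event (`TargetUserName`, `ServiceName`, `TicketEncryptionType`, `IpAddress`); the records, the account names and the thresholds are constructed assumptions.

```python
"""Kerberoasting indicator over constructed Event ID 4769 records.

Added example, not from the original page. SAMPLE_4769 is constructed; the
window sizes and min_spns threshold are assumptions. RC4 = 0x17 and AES256 =
0x12 are the standard TicketEncryptionType values.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def _req(time, user, spn, enc, ip):
    return {"TimeCreated": time, "TargetUserName": user, "ServiceName": spn,
            "TicketEncryptionType": enc, "IpAddress": ip}


# Constructed 4769 records: one account requests RC4 service tickets for six
# different SPNs, two hours apart, mixed with ordinary AES and machine-account noise.
SLOW_SPNS = ["svc_sql", "svc_backup", "svc_web", "svc_sccm", "svc_mssql2", "svc_ldap"]
SAMPLE_4769 = [
    _req(f"2024-03-12 {9 + 2 * i:02d}:00:00", "jdoe@CORP.LOCAL", spn, "0x17", "10.0.5.23")
    for i, spn in enumerate(SLOW_SPNS)
] + [
    _req("2024-03-12 09:03:10", "asmith@CORP.LOCAL", "svc_web", "0x12", "10.0.7.41"),
    _req("2024-03-12 09:03:12", "WS01$@CORP.LOCAL", "WS02$", "0x17", "10.0.7.50"),
    _req("2024-03-12 12:30:00", "asmith@CORP.LOCAL", "krbtgt", "0x12", "10.0.7.41"),
]


def rc4_service_tickets(events):
    """Group RC4 (0x17) service-ticket requests by requesting account.

    Machine-account SPNs (trailing '$') and krbtgt are dropped as normal noise.
    """
    by_user = defaultdict(list)
    for e in events:
        spn = e["ServiceName"]
        if (e["TicketEncryptionType"].lower() != "0x17"
                or spn.endswith("$") or spn.lower() == "krbtgt"):
            continue
        by_user[e["TargetUserName"]].append((_t(e["TimeCreated"]), spn))
    return by_user


def rc4_spn_rule(events, window, min_spns=5):
    """Accounts that requested >= min_spns distinct RC4 SPNs inside any `window`."""
    hits = set()
    for user, reqs in rc4_service_tickets(events).items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            spns = {spn for t, spn in reqs[i:] if t - start <= window}
            if len(spns) >= min_spns:
                hits.add(user)
                break
    return hits


def burst_rule(events):
    """Naive 10-minute window: fires only on rapid bulk requests."""
    return rc4_spn_rule(events, timedelta(minutes=10))


def slow_rule(events):
    """24-hour window: catches the same activity when it is spread over the day."""
    return rc4_spn_rule(events, timedelta(hours=24))


if __name__ == "__main__":
    print("burst rule:", burst_rule(SAMPLE_4769))
    print("slow rule: ", slow_rule(SAMPLE_4769))
```

Filtering on `0x17` is what makes the long window usable: an AES-only environment produces almost no RC4 service-ticket requests from user accounts, so even a 24-hour count of five distinct SPNs stays quiet under normal load.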

Logging Awareness

```text
# Know what's being logged

# Windows Security Log
# - 4624: Logon
# - 4625: Failed logon
# - 4648: Explicit credentials
# - 4672: Admin logon
# - 4688: Process creation (if enabled)

# PowerShell logs
# - 4103: Module logging
# - 4104: Script block logging
# - 400/403: Engine start/stop

# Sysmon (if present)
# - Event 1: Process creation
# - Event 3: Network connection
# - Event 7: Image loaded
# - Event 8: CreateRemoteThread
# - Event 10: ProcessAccess

# EDR-specific logging varies
```

Artifact Management

Minimize Artifacts

```bash
# File artifacts to avoid
# - Don't drop tools to disk
# - Use in-memory execution
# - If file needed, use temp directory

# Execute-assembly (in-memory)
sliver > execute-assembly Rubeus.exe kerberoast

# If file required, clean up
sliver > rm C:\temp\tool.exe

# Memory-only operations
# - Reflective DLL loading
# - Process injection
# - Execute in existing process context

# Registry artifacts
# Persistence creates registry keys
# Plan for cleanup or use stealthier methods
```

Cleanup Procedures

```powershell
# Pre-plan cleanup
# Document everything you create/modify

# File cleanup
Remove-Item -Path C:\path\to\file -Force
[System.IO.File]::Delete("path")  # No recycle bin

# Registry cleanup
Remove-ItemProperty -Path "HKCU:\Software\..." -Name "ValueName"

# Event log cleanup (usually not recommended)
# Clearing logs is suspicious itself
wevtutil cl Security  # Very suspicious!

# Better: Blend in rather than erase
# Let normal log rotation clear old entries
```

Incident Response Awareness

```text
# Know IR procedures so you can avoid triggering them

# Triggers for IR:
# - EDR alerts
# - SIEM correlation rules
# - Threat hunting queries
# - User reports

# If detected:
# - Go quiet (increase sleep time)
# - Assess what was detected
# - Determine if operation is burned
# - Coordinate with engagement lead

# Abort criteria (discuss pre-engagement):
# - Active IR investigation
# - Legal/compliance issues
# - Unintended impact
```

Communication OPSEC

```text
# Operator communications
# - Use encrypted channels (Signal, etc.)
# - Separate channels for different sensitivity
# - No operational details on personal devices
# - Assume all communications are monitored

# Documentation
# - Secure storage for notes
# - Encrypt operational data
# - Sanitize before sharing
# - Destroy after engagement

# Client communications
# - Separate from operational channels
# - No technical details of active operations
# - Report through established channels
```