Cobalt Strike Hunting, Red Teams/Threat Actors TTP’s
Red Teams/Threat Actors methods in order to bypass web proxy filtering/categorization
Well, so Red Teams/Threat Actors sometimes are buying categorized/expired domains from various sources in order to bypass a company enterprise proxy filtering/categorization.
Expired Domain Name Search Engine is a very good example.
Expired Domains | Daily Updated Domain Lists for 477 TLDs
Changed how the settings are stored The settings storage system is new. If everything works correct, you should not…
and there are few other very handy tools available on GitHub from where expired/categorized domains can be acquired.
Authors Joe Vest (@joevest) & Andrew Chiles (@andrewchiles) Domain name selection is an important aspect of preparation…
Domain name selection is an important aspect of preparation for penetration tests and especially Red Team engagements. Commonly, domains that were used previously for benign purposes and were properly categorized can be purchased for only a few dollars. Such domains can allow a team to bypass reputation-based web filters and network egress restrictions for phishing and C2 related tasks.
Search for the categorized domains that can be used during the red teaming engagement. Perfect to set up the whitelisted domain for your Cobalt Strike beacon C&C.
Search for categorized domain that can be used during red teaming engagement. Perfect to setup whitelisted domain for…
Let's have a look how this looks like in a real-life scenario.
This is actually a very cool-looking website!
Looks very new and legitimate!
Footer has no address, phone number, and about us section is not completed?
No social media as well?
Well, maybe a developer was in a hurry!
Random pictures in Gallery.
and hmm.. random office address?
Funny enough office location is not that far from MITRE!
Looks like nothing malicious right?
Anyway because I am always very curious let's dig here a bit more and investigate when and where the domain was registered.
Created on 2021–03–08 and registered on Gandi.
Now let's perform a few other checks and start with the categorization of this domain.
I am using Cisco Talos
and Zvelo as an example:
zvelo URL Content Classification, Malicious & Phishing Detection | OEM
This report plus video from zvelo's cybersecurity team details a step-by-step deconstruction of the Emotet malicious…
and we can see that burdine-health[.]com is categorized as Health and Medicine.
Again everything looks fine!
The next check is to a quick Shodan search in order to find out about the hosting webservers.
Looks like the website is hosted on 18.104.22.168 and it is behind Cloudflare!
Again everything looks fine!
But I haven’t finished yet and now is the subdomain time!
I am using Virus Total for a quick win — passive subdomain enumeration!
I am interested here only in the subdomains section and we can see this interesting one dev. burdine-health[.]com
So it looks like that dev.burdine-health.com is hosted on a different IP address which is 22.214.171.124
Let’s have a look!
Looks there is nothing to see here!
Let's check the server using Shodan
We can see two ports opened 80 and 443
Both ports 80 and 443 and responses HTTP/1.1 404 Not Found/content-type: text/plain and Content-Length:0, are actually very interesting and definitely should raise a red flag as this could be something!
HTTP 404 Not Found/Content-Type: text/plain and Content-Length:0 is actually a default Cobalt Strike Malleable profile
(important note and bear in mind that HTTP/1.1 404 Not Found/content-type: text/plain could be a false-positive as well!)
Now in order to verify if this is a Cobalt Strike or not, I used this Nmap to grab a beacon configuration.
and looks like we got something!
Well, that means that we have spotted Cobalt Strike/C2 hiding in a subdomain categorized as Health & Medicine, and a legitimate-looking website!
C2 Servers and beacons running on port 80 and 443
Blue Team tips when investigating suspicious websites/domains when dealing with Red Team/Threat Actors.
check the history.
check when and where the domain was registered.
check the social media (Twitter, Linkedin, Facebook).
check the webservers using beta Shodan (ports, history, certs, headers, responses)
check all subdomains.
Red Team Infrastructure
This wiki is intended to provide a resource for setting up a resilient Red Team infrastructure. It was made to…
Nmap beacon scan