README

red-teaming/malleable_redirector/README.md

@@ -1,5 +1,13 @@
 ## malleable-redirector - a proxy2 plugin
 
+**Let's raise the bar in C2 redirectors IR resiliency, shall we?**
+
+Red Teaming business has seen [several](https://bluescreenofjeff.com/2016-04-12-combatting-incident-responders-with-apache-mod_rewrite/) [different](https://posts.specterops.io/automating-apache-mod-rewrite-and-cobalt-strike-malleable-c2-profiles-d45266ca642) [great](https://gist.github.com/curi0usJack/971385e8334e189d93a6cb4671238b10) ideas on how to combat incident responders and misdirect them while offering resistant C2 redirectors network at the same time.  
+
+This piece of code tries to combine many of these great ideas into a one, lightweight utility, mimicking Apache2 in it's roots of being a simple HTTP(S) reverse-proxy. Combining Malleable C2 profiles understanding, knowledge of bad IP addresses pool and a flexibility of easily adding new inspection and misrouting logc - resulted in having a crafty repellent for IR evasion. 
+
+### Abstract
+
 This program acts as a HTTP/HTTPS reverse-proxy with several restrictions imposed upon which requests and from whom it should process, similarly to the .htaccess file in Apache2's mod_rewrite.
 
 `malleable_redirector` was created to resolve the problem of effective IR/AV/EDRs/Sandboxes evasion on the C2 redirector's backyard. It comes in a form of a plugin for other project of mine called [proxy2](https://github.com/mgeeky/proxy2), that is a lightweight forward & reverse HTTP/HTTPS proxy.
@@ -36,12 +44,14 @@ $ python3 proxy2.py -P 80/http -P 443/https -p plugins/malleable_redirector.py -
   [INFO] 19:21:45: Plugin redirected request from [code.jquery.com] to [1.2.3.4:8080]
   [INFO] 19:21:45: [RESPONSE] HTTP 200 OK, length: 5543
   [INFO] 19:21:46: [REQUEST] GET /
-  [ERROR] 19:21:46: [DROP, reason:1] inbound User-Agent differs from the one defined in C2 profile.
-  [INFO] 19:21:46: [RESPONSE] HTTP 301 Moved Permanently, length: 212
-  [INFO] 19:21:48: [REQUEST] GET /jquery-3.3.1.min.js
-  [INFO] 19:21:48: == Valid malleable http-get request inbound.
-  [INFO] 19:21:48: Plugin redirected request from [code.jquery.com] to [1.2.3.4:8080]
-	[...]
+  [...]
+  [ERROR] 19:24:46: [DROP, reason:1] inbound User-Agent differs from the one defined in C2 profile.
+  [...]
+  [INFO] 19:24:46: [RESPONSE] HTTP 301 Moved Permanently, length: 212
+  [INFO] 19:24:48: [REQUEST] GET /jquery-3.3.1.min.js
+  [INFO] 19:24:48: == Valid malleable http-get request inbound.
+  [INFO] 19:24:48: Plugin redirected request from [code.jquery.com] to [1.2.3.4:8080]
+  [...]
 ```
 
 The above output contains a line pointing out that there has been an unauthorized, not compliant with our C2 profile inbound request, which got dropped due to incompatible User-Agent string presented:
@@ -51,13 +61,14 @@ The above output contains a line pointing out that there has been an unauthorize
   [...]
 ```
 
-### Others
+### TODO:
 
-TODO:
-- Add some tracking logic of unique beacons to offer flexilibity of refusing staging and communication processes at the proxy's own discretion
-- Test it thoroughly with several enterprise-grade EDRs, Sandboxes and others to eliminate replay attack avenues
+- Add some unique beacons tracking logic to offer flexilibity of refusing staging and communication processes at the proxy's own discretion
+- Introduce day of time constraint when offering redirection capabilities
+- Keep track of metadata/ID payloads to better distinguish connecting peers and avoid replay attack consequences
+- Test it thoroughly with several enterprise-grade EDRs, Sandboxes and others 
 - Add Proxy authentication and authorization logic on CONNECT/relay.
-
+- Add Mobile users targeted redirection
 
 ### Author