diff --git a/red-teaming/malleable_redirector/README.md b/red-teaming/malleable_redirector/README.md index 4dc7cd8..cbf376a 100644 --- a/red-teaming/malleable_redirector/README.md +++ b/red-teaming/malleable_redirector/README.md @@ -1,5 +1,13 @@ ## malleable-redirector - a proxy2 plugin +**Let's raise the bar in C2 redirectors IR resiliency, shall we?** + +Red Teaming business has seen [several](https://bluescreenofjeff.com/2016-04-12-combatting-incident-responders-with-apache-mod_rewrite/) [different](https://posts.specterops.io/automating-apache-mod-rewrite-and-cobalt-strike-malleable-c2-profiles-d45266ca642) [great](https://gist.github.com/curi0usJack/971385e8334e189d93a6cb4671238b10) ideas on how to combat incident responders and misdirect them while offering resistant C2 redirectors network at the same time. + +This piece of code tries to combine many of these great ideas into a one, lightweight utility, mimicking Apache2 in it's roots of being a simple HTTP(S) reverse-proxy. Combining Malleable C2 profiles understanding, knowledge of bad IP addresses pool and a flexibility of easily adding new inspection and misrouting logc - resulted in having a crafty repellent for IR evasion. + +### Abstract + This program acts as a HTTP/HTTPS reverse-proxy with several restrictions imposed upon which requests and from whom it should process, similarly to the .htaccess file in Apache2's mod_rewrite. `malleable_redirector` was created to resolve the problem of effective IR/AV/EDRs/Sandboxes evasion on the C2 redirector's backyard. It comes in a form of a plugin for other project of mine called [proxy2](https://github.com/mgeeky/proxy2), that is a lightweight forward & reverse HTTP/HTTPS proxy. 
@@ -36,12 +44,14 @@ $ python3 proxy2.py -P 80/http -P 443/https -p plugins/malleable_redirector.py - [INFO] 19:21:45: Plugin redirected request from [code.jquery.com] to [1.2.3.4:8080] [INFO] 19:21:45: [RESPONSE] HTTP 200 OK, length: 5543 [INFO] 19:21:46: [REQUEST] GET / - [ERROR] 19:21:46: [DROP, reason:1] inbound User-Agent differs from the one defined in C2 profile. - [INFO] 19:21:46: [RESPONSE] HTTP 301 Moved Permanently, length: 212 - [INFO] 19:21:48: [REQUEST] GET /jquery-3.3.1.min.js - [INFO] 19:21:48: == Valid malleable http-get request inbound. - [INFO] 19:21:48: Plugin redirected request from [code.jquery.com] to [1.2.3.4:8080] - [...] + [...] + [ERROR] 19:24:46: [DROP, reason:1] inbound User-Agent differs from the one defined in C2 profile. + [...] + [INFO] 19:24:46: [RESPONSE] HTTP 301 Moved Permanently, length: 212 + [INFO] 19:24:48: [REQUEST] GET /jquery-3.3.1.min.js + [INFO] 19:24:48: == Valid malleable http-get request inbound. + [INFO] 19:24:48: Plugin redirected request from [code.jquery.com] to [1.2.3.4:8080] + [...] ``` The above output contains a line pointing out that there has been an unauthorized, not compliant with our C2 profile inbound request, which got dropped due to incompatible User-Agent string presented: 
@@ -51,13 +61,14 @@ The above output contains a line pointing out that there has been an unauthorize [...] ``` -### Others +### TODO: -TODO: -- Add some tracking logic of unique beacons to offer flexilibity of refusing staging and communication processes at the proxy's own discretion -- Test it thoroughly with several enterprise-grade EDRs, Sandboxes and others to eliminate replay attack avenues +- Add some unique beacons tracking logic to offer flexilibity of refusing staging and communication processes at the proxy's own discretion +- Introduce day of time constraint when offering redirection capabilities +- Keep track of metadata/ID payloads to better distinguish connecting peers and avoid replay attack consequences +- Test it thoroughly with several enterprise-grade EDRs, Sandboxes and others - Add Proxy authentication and authorization logic on CONNECT/relay. - +- Add Mobile users targeted redirection ### Author
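Review bot: The first hunk (the new intro paragraphs under "## malleable-redirector") carries several typos that should be fixed before merge: "misrouting logc" should read "misrouting logic", "in it's roots" should be "in its roots", and "into a one, lightweight utility" reads better as "into one lightweight utility". The unchanged abstract line directly below also still has "a HTTP/HTTPS reverse-proxy" and "other project of mine", which would be "an HTTP/HTTPS reverse-proxy" and "another project of mine"; since this change already rewrites the top of the README, it is a good place to clean those up too.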
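Review bot: The second hunk (the sample log output) ends up with inconsistent timestamps: the retained context line `[INFO] 19:21:46: [REQUEST] GET /` is now followed by new lines stamped `19:24:46` and `19:24:48`, so the excerpt reads as if the DROP happened three minutes after the request it refers to. The inserted `[...]` between that request line and the `[DROP, reason:1]` line also makes it harder to see which request was dropped, which is exactly what the sentence after the block ("The above output contains a line pointing out ...") relies on. Suggest either regenerating the whole excerpt from one run so all timestamps agree, or keeping the request, DROP and 301 response lines adjacent and placing the `[...]` elisions only around that group.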
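Review bot: In the third hunk the renamed heading `### TODO:` has a trailing colon while the other headings in the file (`### Abstract`, `### Author`) do not; drop the colon for consistency. The rewritten first list item keeps the existing typo "flexilibity" (should be "flexibility"), and "Introduce day of time constraint" should be "Introduce a time-of-day constraint". The hunk also removes the blank line that sat between the list and `### Author`; please check the rendered output so the new "Add Mobile users targeted redirection" item does not run straight into the Author heading, and consider lower-casing "Proxy" and "Mobile" in the list items to match the surrounding entries.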