xorl %eax, %eax

Multi-stage C&C and Red Teams


A few days ago I read this excellent analysis by the TALOS team, and apparently the most interesting part from a technical perspective is the high-OPSEC multi-stage Command & Control infrastructure, which is described by the following diagram from the TALOS team’s post.

[Diagram from the TALOS post: multi-stage C&C infrastructure (image not reproduced here)]
The idea is that only after the infected system has been verified by the first-stage C2 does the operator open a firewall hole on the real (second-stage) C&C server so that communication can start. On top of that, it uses domain fronting to hide behind Cloudflare, a very popular technique.
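The domain fronting part is the piece a defender can actually see on the wire: the TLS SNI names a benign CDN-hosted domain while the inner HTTP Host header names the real backend. The following detector, added here as an example and not code from the TALOS post or this blog, scans constructed TLS-inspecting proxy log lines (the log format and all hostnames are made up for this example) and flags requests whose Host does not match the SNI at the registrable-domain level.

```python
"""Flag possible domain fronting in constructed TLS/HTTP proxy logs.

A TLS-inspecting proxy that logs both the ClientHello SNI and the decrypted
HTTP Host header can spot the mismatch that domain fronting relies on.
The log format below is constructed for this example; it is not a real
product's format."""
import re
from collections import namedtuple

Event = namedtuple("Event", "ts src sni host")

# Constructed log format: "<timestamp> src=<ip> sni=<name> host=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) sni=(?P<sni>\S+) host=(?P<host>\S+)$"
)


def parse(lines):
    """Yield Event records for every well-formed log line, skipping the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield Event(**m.groupdict())


def registrable(name):
    """Crude eTLD+1 (last two labels). Adequate for .com/.net sample data;
    a real deployment would use the Public Suffix List."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def find_fronting(lines):
    """Return events whose HTTP Host and TLS SNI differ at eTLD+1.

    A mismatch is a hunting lead, not proof: CDNs that legitimately share
    edge hostnames across customers will also show up here."""
    return [e for e in parse(lines) if registrable(e.sni) != registrable(e.host)]


# Constructed sample log: two benign lines, one fronted request from 10.0.0.7.
SAMPLE_LOG = """\
2018-02-11T17:00:01Z src=10.0.0.5 sni=www.example.com host=www.example.com
2018-02-11T17:00:02Z src=10.0.0.5 sni=cdn.example.com host=static.example.com
2018-02-11T17:00:03Z src=10.0.0.7 sni=www.example.com host=stage1.example.net
""".splitlines()

if __name__ == "__main__":
    for hit in find_fronting(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src}: SNI {hit.sni} but Host {hit.host}")
```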

So, why am I writing this post?
This post is for any red teamers reading this. Most mature red teams use domain fronting to emulate advanced adversaries, and the notion of multi-stage C&C is nothing new. See, for example, MITRE’s T1104 from the ATT&CK framework, which lists a few known APT groups that use this method. However, how many times have you seen a red team actually employ this? I know it is a setup that increases complexity, but if you are getting paid to simulate an advanced adversary, do it.

Please read TALOS team’s post and remember, if someone gives you money to simulate what a real APT would do, do it properly. :)

Written by xorl

February 11, 2018 at 17:04

Posted in security
