bluscreenofjeff / bluscreenofjeff.github.io

My information security blog
https://bluescreenofjeff.com
BSD 3-Clause "New" or "Revised" License

2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike #19

Open bluscreenofjeff opened 7 years ago

bluscreenofjeff commented 7 years ago

Comments on How to Write Malleable C2 Profiles for Cobalt Strike

malasse commented 3 years ago

Thanks for the awesome post, Jeff, very easy to follow. I have a few questions however. In your post, you are simulating HTTP requests to bing.com and if you look at the traffic using Wireshark, yes it looks legit. But there is a problem with the SSL cert, which is self-signed (and there is no way to use a valid SSL cert since you don't own bing.com). Wouldn't that cause problems for a real red team engagement?

Also suppose you have 3 x redirectors (reverse proxies), at www.domain1.net, www.domain2.net, www.domain3.net, each having a valid SSL cert. How would you configure your infrastructure so that the fake www.bing.com traffic doesn't look suspicious? In this case, your host header is set to "www.bing.com", but the traffic goes to www.domainx.net. That would probably trigger alerts right away.

Thanks.
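The two mismatches the comment above points at (a Host header naming www.bing.com inside a TLS session to www.domainX.net, and a self-signed certificate for a name the server cannot own) are exactly what a TLS-inspecting proxy's logs expose. As an added example, not code from the blog post or this thread, here is a small Python check over constructed proxy records; the record fields and CA name are assumptions.

```python
# Added example: flag HTTPS sessions where the HTTP Host header disagrees with the
# TLS SNI or the server certificate, and self-signed certificates. Records and
# field names are constructed to mimic a TLS-inspecting proxy log, not a real product.
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class TlsHttpRecord:
    dst_ip: str        # destination address the client connected to
    sni: str           # server_name from the TLS ClientHello
    cert_subject: str  # CN of the leaf certificate the server presented
    cert_issuer: str   # issuer CN of that leaf certificate
    http_host: str     # Host header (visible only after TLS inspection)

def review_record(rec: TlsHttpRecord) -> List[str]:
    """Return the findings for one session; an empty list means nothing odd."""
    findings = []
    host, sni, subj, issuer = (s.lower() for s in
                               (rec.http_host, rec.sni, rec.cert_subject, rec.cert_issuer))
    if host != sni:
        findings.append("host_sni_mismatch")   # Host names one site, TLS another
    if host != subj:
        findings.append("host_cert_mismatch")  # cert was not issued for the Host name
    if subj == issuer:
        findings.append("self_signed_cert")    # no CA vouched for this name
    return findings

def suspicious_sessions(records) -> Dict[str, List[str]]:
    """Map dst_ip -> findings for every record with at least one finding."""
    out = {}
    for rec in records:
        findings = review_record(rec)
        if findings:
            out[rec.dst_ip] = findings
    return out

# Constructed sample sessions (TEST-NET-3 addresses, made-up CA name):
SAMPLE_RECORDS = [
    # 1. Genuine visit: every name agrees and a public CA issued the cert.
    TlsHttpRecord("203.0.113.10", "www.bing.com", "www.bing.com", "Example Public CA", "www.bing.com"),
    # 2. Server that can only self-sign for www.bing.com (the cert problem raised above).
    TlsHttpRecord("203.0.113.20", "www.bing.com", "www.bing.com", "www.bing.com", "www.bing.com"),
    # 3. Redirector with a valid cert for its own name, but Host still says www.bing.com.
    TlsHttpRecord("203.0.113.30", "www.domain1.net", "www.domain1.net", "Example Public CA", "www.bing.com"),
]

if __name__ == "__main__":
    for ip, findings in suspicious_sessions(SAMPLE_RECORDS).items():
        print(ip, ", ".join(findings))
```

Without TLS inspection only the SNI and certificate checks are available; the Host comparison needs the decrypted request.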