Joe Vest, James Tubberville, Red Team Development and Operations
Short Haul (Tier 2)
- Used as a backup to reestablish interactive sessions.
- Uses covert communications that blend in with the target.
- Slow callback times. Callback times in the 12–24 hour range are common.
Long Haul (Tier 1)
- Used to reestablish Short Haul C2.
- Slow callback times. Callback times of 24+ hours (often a few days) are common.
C2 Infrastructure Rules
- C2 servers do not directly communicate with targets.
- Targets and C2 servers communicate through a redirector.
- Tiers should be used for their intended purposes:
  Tier 1 – Low and slow, intended for long-term persistence
  Tier 2 – Mid-speed communications, designed to reestablish interactive C2
  Tier 3 – An interactive tier designed to perform everyday commands in near real time or as operationally required
- New C2 must remain at the same tier or lower (never higher):
  Tier 1 – Tier 1, Tier 2, or Tier 3
  Tier 2 – Tier 2 or Tier 3
  Tier 3 – Tier 3
When can you violate a rule?
The only time C2 is passed up to a higher tier is when C2 is initially established. An interactive tier may be used to establish higher tiers of access, but this is highly discouraged: it risks exposing the higher tiers, which are the ones meant to survive detection of the interactive session.
Caution must be used when setting up initial access.

This diagram can help illustrate the tiers and the relationships of how to share information between each.
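The tier rules above are easy to state and easy to break during planning, so here they are expressed as a linter that runs over a proposed layout. This is an added example, not code from the book or its authors: the plan schema (the C2Server dataclass), the one-hour cap used for the interactive band, and every server name, hostname and interval in the sample plan are assumptions constructed for illustration. The callback bands for Tiers 1 and 2 come straight from the tier descriptions on this page.

```python
"""Lint a planned multi-tier C2 layout against the tiering rules above.

Added example, not code from the book. The plan schema, the Tier 3 callback
band and all names/intervals in SAMPLE_PLAN are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TIER_NAMES = {1: "Long Haul", 2: "Short Haul", 3: "Interactive"}

# Callback bands in hours. Tier 1 (24h+) and Tier 2 (12-24h) follow the page;
# Tier 3 is "near real time", so capping it at one hour is this example's
# assumption, not a figure from the book.
TIER_BANDS: Dict[int, Tuple[float, Optional[float]]] = {
    1: (24.0, None),
    2: (12.0, 24.0),
    3: (0.0, 1.0),
}

# Protocols the page lists as blending in, with their standard ports.
STANDARD_PORTS = {"http": 80, "https": 443, "ssh": 22, "dns": 53}


@dataclass
class C2Server:
    name: str
    tier: int
    callback_hours: float          # planned beacon interval
    protocol: str
    port: int
    encrypted: bool
    redirectors: List[str] = field(default_factory=list)
    # Server whose session is used to stand this one up. None means the
    # server is established directly during initial access.
    spawned_from: Optional[str] = None


def lint_plan(servers: List[C2Server], full_scale: bool = True) -> List[str]:
    """Return one finding per rule violation; an empty list means the plan passes.

    full_scale=True applies the stealth rules (redirectors, standard ports,
    encryption, all three tiers present). full_scale=False models the
    exercise design on this page, where only the tier rules are enforced.
    """
    findings: List[str] = []
    by_name = {s.name: s for s in servers}

    if full_scale:
        for tier in sorted(set(TIER_NAMES) - {s.tier for s in servers}):
            findings.append(f"plan: no Tier {tier} ({TIER_NAMES[tier]}) server")

    for s in servers:
        lo, hi = TIER_BANDS[s.tier]
        if s.callback_hours < lo or (hi is not None and s.callback_hours > hi):
            findings.append(
                f"{s.name}: callback {s.callback_hours}h outside the "
                f"Tier {s.tier} ({TIER_NAMES[s.tier]}) band"
            )
        if s.spawned_from is not None:
            parent = by_name[s.spawned_from]
            # Tier 1 is the highest tier, so new C2 may only sit at a tier
            # number greater than or equal to the session that creates it.
            if s.tier < parent.tier:
                findings.append(
                    f"{s.name}: Tier {s.tier} C2 established from Tier "
                    f"{parent.tier} session {parent.name} "
                    f"(new C2 must be same tier or lower)"
                )
        if not full_scale:
            continue
        if not s.redirectors:
            findings.append(f"{s.name}: no redirector; targets would talk to the C2 server directly")
        if STANDARD_PORTS.get(s.protocol) != s.port:
            findings.append(f"{s.name}: {s.protocol}/{s.port} is not a common protocol on its standard port")
        if not s.encrypted:
            findings.append(f"{s.name}: communications are not encrypted")
    return findings


# Constructed sample plan: a full-scale layout with several deliberate mistakes.
SAMPLE_PLAN = [
    C2Server("lh-1", 1, 72.0, "dns", 53, True, ["rdr-dns-a.example"]),
    C2Server("sh-1", 2, 18.0, "https", 443, True,
             ["rdr-web-a.example", "rdr-web-b.example"], spawned_from="lh-1"),
    # Interactive server with no redirector and a nonstandard port.
    C2Server("int-1", 3, 0.1, "https", 8443, True, [], spawned_from="sh-1"),
    # Second short haul stood up from the interactive tier: passes C2 upward,
    # beacons too fast for its tier, and is unencrypted.
    C2Server("sh-2", 2, 6.0, "http", 80, False, ["rdr-web-c.example"], spawned_from="int-1"),
]

if __name__ == "__main__":
    for finding in lint_plan(SAMPLE_PLAN):
        print(finding)
```

Run against the sample plan, the linter reports both int-1 problems and all three sh-2 problems; with full_scale=False only the two tier-rule violations on sh-2 remain, which matches the exercise design later on this page where redirectors and standard ports are optional but the tier ordering still holds.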
C2 Multi-tier Design
Designing a C2 infrastructure is one of the most critical tasks when planning a Red Team engagement. C2 infrastructure planning involves choosing the number and type of C2 servers, whether to use IP addresses or domain names, the C2 protocols, and how or whether to use redirectors. Each decision is directly related to the Red Team's goals. If a team is engaging a target in a full-scale Red Team operation, stealth and covert channels will be good choices.
Typical C2 Design for a Full-Scale Red Team Operation
- Three C2 servers: an Interactive tier server, a Short Haul server, and a Long Haul server
- Multiple redirectors
- One or two carefully chosen domain names for each IP address (preferably with history and categorization)
- Direct communication between the target and C2 does not occur. All traffic pivots through a redirection server
- The use of common protocols on standard ports to blend in (HTTP, HTTPS, SSH, DNS)
- Communications are encrypted
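The redirector is what keeps the target and the C2 server apart: only traffic that matches the implant's communication profile is forwarded to the team server, and everything else (scanners, analysts replaying URLs from proxy logs, stray browsers) is sent to a decoy site. In practice that decision is usually written as web-server rewrite or proxy rules; the following added example, which is not the book's code, models the same decision in Python so it can be exercised offline. The profile (paths, User-Agent, cookie name), the team server and decoy addresses, and the sample requests are all constructed for this example.

```python
"""Model of a redirector's filtering decision for HTTP/HTTPS C2 traffic.

Added example, not code from the book. The profile, addresses and sample
requests are constructed; a real redirector applies the same logic in the
web server's rewrite/proxy configuration after TLS termination.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Profile:
    uris: FrozenSet[str]      # exact request paths the implant uses
    user_agent: str           # User-Agent string the implant sends
    cookie_name: str          # session cookie the implant sets on every request
    teamserver: str           # internal destination for matching traffic
    decoy: str                # where everything else is proxied


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Parse the request line and headers of a raw HTTP/1.x request.

    Returns (method, path-without-query, lowercase-header dict). Raises
    ValueError if the request line does not have three fields.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return method, target.split("?", 1)[0], headers


def route(raw: bytes, profile: Profile) -> Tuple[str, str]:
    """Return (destination, reason). Every profile element must match for the
    request to reach the team server; any deviation goes to the decoy."""
    try:
        method, path, headers = parse_request(raw)
    except ValueError:
        return profile.decoy, "malformed request line"
    if method not in ("GET", "POST"):
        return profile.decoy, f"method {method} not in profile"
    if path not in profile.uris:
        return profile.decoy, f"path {path} not in profile"
    if headers.get("user-agent") != profile.user_agent:
        return profile.decoy, "user-agent mismatch"
    if not headers.get("cookie", "").startswith(profile.cookie_name + "="):
        return profile.decoy, "missing session cookie"
    return profile.teamserver, "profile match"


# Constructed profile. The team server address is internal to the Red Team
# and is never exposed to the target; only the redirector's name is.
UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
PROFILE = Profile(
    uris=frozenset({"/static/js/app.bundle.js", "/static/css/site.css"}),
    user_agent=UA,
    cookie_name="sid",
    teamserver="10.0.0.5:443",
    decoy="decoy-site.local:80",
)

# Constructed sample requests as they would arrive at the redirector.
BEACON = (b"GET /static/js/app.bundle.js?v=1 HTTP/1.1\r\n"
          b"Host: cdn-update.example\r\n"
          b"User-Agent: " + UA.encode() + b"\r\n"
          b"Cookie: sid=Zm9vYmFy\r\n\r\n")
SCANNER = (b"GET / HTTP/1.1\r\nHost: cdn-update.example\r\n"
           b"User-Agent: curl/8.4.0\r\n\r\n")
# An analyst pasting the beacon URL into a browser: right path, right-looking
# UA, but no implant session cookie, so it must not reach the team server.
REPLAY = (b"GET /static/js/app.bundle.js HTTP/1.1\r\n"
          b"Host: cdn-update.example\r\n"
          b"User-Agent: " + UA.encode() + b"\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("beacon", BEACON), ("scanner", SCANNER), ("replay", REPLAY)):
        print(name, "->", route(req, PROFILE))
```

The point of matching on every profile element, rather than only the path, is the "blend in" rule: a redirector that forwards any request for the beacon URI lets defenders enumerate the team server from a single proxy log entry, whereas the combination of path, User-Agent and session cookie sends them to the decoy content instead.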
If a team is emulating a specific threat or trying to stimulate a Blue Team’s response, stealth may not be as important.
Typical C2 Design for Emulating a Threat Designed to Stimulate Blue (Exercises)
- One or two C2 servers. All tiers are used for interaction with the target
- Redirectors are not in use
- IP addresses are used instead of domain names
- The target and C2 directly communicate
- The use of common protocols on standard or nonstandard ports (HTTP, HTTPS)
- Communications may or may not be encrypted
