OPSEC
Infrastructure
- Use generic names for DNS; avoid company names
- Use a wildcard (*) when issuing certificates to avoid leaking internal hostnames
- Disable staging endpoints, or restrict access to them
- Do not upload your stealthy binaries to VirusTotal or other online scanners
- Guardrail your payload so it only triggers for a specific user, domain or computer name
- Use a redirector; don't expose your C2 TLS stack to the web
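As an added illustration of the guardrail bullet (not code from the original page or any C2 framework), the following Python shows environmental keying: the stage is encrypted under a key derived from the expected domain and computer name, with an HMAC tag so the loader can tell a wrong environment from a right one without ever revealing the plaintext off-target. Stdlib only; the domain/computer names and the payload bytes are constructed here, and on a non-Windows host the USERDOMAIN/COMPUTERNAME variables are assumed to be absent, so the hostname is used instead.

```python
"""Environmental keying: decrypt the stage only on the intended host."""
import hashlib
import hmac
import os
import socket
from typing import Optional, Tuple

TAG_LEN = 32  # HMAC-SHA256


def derive_key(domain: str, computer: str) -> bytes:
    # Case-fold so "CORP" and "corp" key identically; both values are
    # things the operator knows in advance and the target exposes cheaply.
    material = f"{domain.lower()}|{computer.lower()}".encode()
    return hashlib.sha256(material).digest()


def keystream(key: bytes, length: int) -> bytes:
    # Counter-mode stream from SHA-256: enough for a keying demo, not a
    # general-purpose cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(payload: bytes, domain: str, computer: str) -> bytes:
    """Build-time: encrypt the stage for one (domain, computer) pair."""
    key = derive_key(domain, computer)
    body = bytes(a ^ b for a, b in zip(payload, keystream(key, len(payload))))
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


def unseal(blob: bytes, domain: str, computer: str) -> Optional[bytes]:
    """Run-time: returns the stage on the right host, None anywhere else."""
    key = derive_key(domain, computer)
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong environment (or tampered blob): stay dormant
    return bytes(a ^ b for a, b in zip(body, keystream(key, len(body))))


def current_environment() -> Tuple[str, str]:
    # Windows sets USERDOMAIN and COMPUTERNAME; elsewhere fall back to the
    # hostname so the demo still runs (assumption for this example).
    domain = os.environ.get("USERDOMAIN", "")
    computer = os.environ.get("COMPUTERNAME", socket.gethostname())
    return domain, computer


def run_guarded(blob: bytes) -> bool:
    """Loader side: only 'execute' (here: return True) if the key matches."""
    stage = unseal(blob, *current_environment())
    return stage is not None


if __name__ == "__main__":
    # Constructed target and payload bytes; nothing here is a real stage.
    blob = seal(b"<stage 2 bytes>", "CORP", "WS01")
    print("decrypts on target:", unseal(blob, "corp", "ws01") is not None)
    print("decrypts elsewhere:", unseal(blob, "OTHER", "WS01") is not None)
    print("runs on this host:", run_guarded(blob))
```

The keying value should be something the operator already knows from recon and the target reveals without noisy commands (see the Behavior section); anything the sandbox or analyst cannot guess keeps the decrypted stage out of automated scanners.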
Behavior
- Avoid calling commands such as whoami. Alternatives that give the same answer with less noise:
    - List your Kerberos tickets
    - Look for the owner of the process that spawned your beacon
    - List your environment variables: dir env: and dir env:USERNAME
    - Use a beacon object file (BOF) to bring your own whoami
- DCSync (replication) normally only happens between domain controllers; a replication request coming from anything else stands out
- A DCSync from a machine account looks more legitimate than one from a user account
- You don't need to dump the whole database: the krbtgt account alone grants every access you need
IOC
Gophish:
- Default rid parameter: gophish/campaign.go#L130
- Default X-Mailer header containing the ServerName: gophish/config.go#L46
- Default X-Gophish-Contact header: gophish/email_request.go#L123
Impacket:
- smbexec.py uses a service to execute commands. In the earliest versions it was named BTOBTO; it now gets a name of 8 random characters.
- psexec.py is based on a well-known service released in January 2012: kavika13/RemComSvc
- wmiexec.py prefixes every command with cmd.exe /Q /c: impacket/wmiexec.py#L127
NetExec:
- NetExec uses the Impacket library, so it shares the same IOCs
- The Kerberoasting search filter queries all accounts: NetExec/ldap.py#L931
AWS:
- The AWS CLI is built on the Boto3 library; it sends a User-Agent containing the operating system name and version in every request
- Running it from Kali Linux raises a GuardDuty finding: PenTest:IAMUser/KaliLinux
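The IOCs above (Gophish, Impacket/NetExec, AWS) and the DCSync note in the Behavior section are easier to reason about as detection logic. The following Python is an added example, not code from the page or from any of the projects it names, run over constructed sample events (mail headers, a tracking URL, process command lines, 7045 service installs, named-pipe events, CloudTrail records and 4662 audit entries; none of it is real telemetry). Beyond what the page states, it assumes: the Gophish ServerName constant, and therefore the default X-Mailer value, is the string "gophish"; smbexec.py's service image is a %COMSPEC% /Q /c batch stub; RemComSvc's pipes are named RemCom_*; and replication is recognised by the DS-Replication-Get-Changes / -All rights GUIDs in the 4662 Properties field.

```python
"""Detection checks for the IOCs listed above, over constructed samples."""
import re
from urllib.parse import parse_qs, urlparse

# --- Constructed samples (not real telemetry) ---
PHISH_HEADERS = {
    "From": "it-support@example.com",
    "X-Mailer": "gophish",            # Gophish sets X-Mailer to its ServerName
    "X-Gophish-Contact": "admin@example.com",
}
PHISH_URL = "https://track.example.com/track?rid=9f3b2c1d"
PROCESS_CMDLINES = [
    r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.12 2>&1",  # wmiexec.py shape
    r"cmd.exe /c dir C:\Users",                                          # ordinary use
]
SERVICE_INSTALLS = [  # (service name, image path), as in System event 7045
    ("BTOBTO",   r"%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat"),
    ("XjQkLmZp", r"%COMSPEC% /Q /c echo dir ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat"),
    ("Spooler",  r"C:\Windows\System32\spoolsv.exe"),
]
NAMED_PIPES = [r"\RemCom_communicaton", r"\RemCom_stdout", r"\lsass"]
CLOUDTRAIL = [
    {"eventName": "GetCallerIdentity",
     "userAgent": "aws-cli/2.13.0 Python/3.11.4 Linux/6.3.0-kali1-amd64 exe/x86_64.kali.2023 prompt/off"},
    {"eventName": "ListBuckets",
     "userAgent": "aws-cli/2.13.0 Python/3.11.4 Darwin/22.5.0 exe/x86_64 prompt/off"},
]
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
DC_ACCOUNTS = {"DC01$", "DC02$"}  # the domain's DC machine accounts (constructed)
AUDIT_4662 = [  # Security event 4662 fields: who exercised which right
    {"SubjectUserName": "DC02$", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "jdoe",  "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "WS01$", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "svc_backup", "Properties": "{00000000-0000-0000-0000-000000000001}"},  # not a replication right
]


def gophish_indicators(headers, url):
    """Return the Gophish defaults present in a mail and its tracking link."""
    hits = []
    if "X-Gophish-Contact" in headers:
        hits.append("X-Gophish-Contact header")
    if headers.get("X-Mailer", "").lower() == "gophish":
        hits.append("X-Mailer: gophish")
    if "rid" in parse_qs(urlparse(url).query):
        hits.append("rid parameter")
    return hits


def is_wmiexec_cmdline(cmdline):
    """wmiexec.py wraps every command as `cmd.exe /Q /c <command>`."""
    return cmdline.lower().startswith("cmd.exe /q /c")


def is_smbexec_service(name, image):
    """Legacy BTOBTO name, or an 8-letter random name driving a cmd stub."""
    random_name = re.fullmatch(r"[A-Za-z]{8}", name) is not None
    return name == "BTOBTO" or (random_name and "/Q /c" in image)


def is_remcom_pipe(pipe):
    """psexec.py's service is RemComSvc, whose pipes are named RemCom_*."""
    return pipe.lower().startswith(r"\remcom_")


def cli_os_from_user_agent(ua):
    """The AWS CLI/boto3 embed the OS name and version in the User-Agent."""
    m = re.search(r"\b(Linux|Windows|Darwin)/(\S+)", ua)
    return m.groups() if m else None


def is_kali_user_agent(ua):
    """The string GuardDuty's PenTest:IAMUser/KaliLinux finding keys on."""
    return "kali" in ua.lower()


def dcsync_from_non_dc(events, dc_accounts=DC_ACCOUNTS):
    """Replication rights exercised by anything that is not a DC is a DCSync."""
    hits = []
    for e in events:
        props = e["Properties"].lower()
        if any(g in props for g in REPLICATION_GUIDS) and e["SubjectUserName"] not in dc_accounts:
            hits.append(e["SubjectUserName"])
    return hits


if __name__ == "__main__":
    print("gophish:", gophish_indicators(PHISH_HEADERS, PHISH_URL))
    print("wmiexec:", [c for c in PROCESS_CMDLINES if is_wmiexec_cmdline(c)])
    print("smbexec:", [n for n, i in SERVICE_INSTALLS if is_smbexec_service(n, i)])
    print("remcom:", [p for p in NAMED_PIPES if is_remcom_pipe(p)])
    for r in CLOUDTRAIL:
        print("aws:", r["eventName"], cli_os_from_user_agent(r["userAgent"]), is_kali_user_agent(r["userAgent"]))
    print("dcsync:", dcsync_from_non_dc(AUDIT_4662))
```

Note that WS01$ is flagged even though it is a machine account: the page's point is that a machine account looks more legitimate, but replication still only comes from domain controllers, so a DC allow-list catches it regardless of the account type used.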