Listeners

Try to deploy two types, i.e. HTTPS and DNS, in case one gets caught; the other beacon looks more discreet

Jump via SMB

Make a redundant egress beacon - when using SMB if you create a beacon halfway

Make a new outbound once further machines are compromised, using a different domain

DNS:

Always ensure you have a high TTL (1 hour+) on your domain - a low TTL on a domain is a common IOC

dns_idle:

Changes the nslookup response from 0.0.0.0 to a custom value

dns_stager_subhost

Removes .stage.12345 from the DNS response and replaces it with the custom value
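
Seen from the detection side, the three DNS points above become checks over resolver logs. The following is an added example, not part of the original notes: it flags A answers of 0.0.0.0, query names that still carry the `.stage.12345` label, and TTLs under one hour. The CSV log layout, the domain names and the sample rows are constructed assumptions.

```python
import csv
import io

# Constructed sample resolver log (hypothetical layout: time, client, qname, qtype, answer, ttl).
SAMPLE_LOG = """\
2024-01-01T10:00:00Z,10.0.0.5,www.example.com,A,93.184.216.34,86400
2024-01-01T10:00:05Z,10.0.0.7,a1b2.beacon.example.net,A,0.0.0.0,60
2024-01-01T10:00:09Z,10.0.0.7,aaa.stage.12345.beacon.example.net,TXT,-,60
2024-01-01T10:00:12Z,10.0.0.9,cdn.example.org,A,198.51.100.20,300
"""

MIN_TTL = 3600                          # "1 hour+" from the notes; weak signal on its own
DEFAULT_IDLE = "0.0.0.0"                # answer the notes say dns_idle replaces
DEFAULT_STAGER_LABEL = ".stage.12345"   # label the notes say dns_stager_subhost replaces


def flag_record(row):
    """Return the indicator names matched by one parsed log row."""
    hits = []
    qname = row["qname"].lower().rstrip(".")
    if row["qtype"] == "A" and row["answer"] == DEFAULT_IDLE:
        hits.append("idle-answer-0.0.0.0")
    # Match the label only on label boundaries, including at the end of the name.
    if DEFAULT_STAGER_LABEL + "." in qname + ".":
        hits.append("default-stager-subhost")
    if row["ttl"].isdigit() and int(row["ttl"]) < MIN_TTL:
        hits.append("low-ttl")
    return hits


def scan(log_text):
    """Parse the log and return {qname: sorted indicators} for rows with any hit."""
    fields = ["time", "client", "qname", "qtype", "answer", "ttl"]
    findings = {}
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=fields):
        hits = flag_record(row)
        if hits:
            findings.setdefault(row["qname"], set()).update(hits)
    return {name: sorted(h) for name, h in findings.items()}


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(hits)}")
```

A name that matches only `low-ttl` (the constructed `cdn.example.org` row) is common for legitimate CDNs, so treat that indicator as supporting evidence rather than an alert by itself.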

HTTP:

HTTPS:

Try not to use a Let's Encrypt cert

SMB:

Enumerate named pipes:

[System.IO.Directory]::GetFiles("\\.\\pipe\\")
