search

Listeners

hashtag
Try deploy two types i.e. HTTPs and DNS incase one gets caught other beacon looks more discreet

jump via smb

make a redundant egress beacon - when using smb if you create a beacon half way

Make new outbound once further machiens are compromised using different domain

hashtag
DNS:

always ensure you have a high TTL (1hour +) on your domain - normal IOC if domain has low TTL

hashtag
dns_idle:

changes nslookup response from 0.0.0.0 to custom value

hashtag
dns_stager_subhost

removes .stage.12345 from the dns response and replaces it with the custom value

hashtag
HTTP:

hashtag
HTTPs:

Try not to use a letsencrypt cert

hashtag
SMB:

enumerate named pipes:

PreviousEncryptersNextMalleable Profiles

Last updated