Seatbelt
Seatbelt is a C# tool which automatically collects enumeration data for a host. It can check for security configurations such as OS info, AV, AppLocker, LAPS, PowerShell logging, audit policies, .NET versions, firewall rules, and more.
One thing to note from this output is that there's a web proxy in place - squid.dev.cyberbotic.io. This has implications for HTTP(S) C2 for a variety of reasons.
Web Categorisation
Domain names are categorised by vendors so that they can be lumped together for filtering purposes. This is useful so that everything categorised as "gambling", "drugs", "violence", "social media", etc. can be blocked outright. If the domain being used for part of your engagement ends up in a blocked category, it becomes effectively useless.
Two strategies for tackling this issue include:
Obtaining a domain that is already in a desirable category.
Requesting a change of category for a domain.
Several websites exist (e.g. from Bluecoat) that facilitate this, and tools such as Chameleon can help automate the process.
HTTPS Offloading
Some organisations (particularly those with an internal PKI) will perform SSL offloading on HTTPS web traffic. This allows the proxy to decrypt incoming HTTPS traffic and inspect the plaintext HTTP. The traffic is then re-encrypted with an internally trusted private key before being forwarded to the client.
This means that even your HTTPS C2 traffic can be inspected. Some C2 tools (such as Covenant) allow you to configure certificate pinning on the implants which would effectively prevent this from taking place, but at the potential cost of the proxy blocking the traffic entirely.
Content Filtering & AV Scanning
This may go without saying - but if a web proxy has the ability to read and inspect HTTP(S) traffic, then it can also scan for known malicious content. However, this does come with a performance penalty. Another common feature is to block the download and/or upload of particular file types, such as .exe, .dll, .ps1, etc, which may impact your ability to deliver payloads.
Authentication
Many organisations will also require a form of authentication before a client is allowed to use a proxy. This could be anything from basic auth against a local database to RADIUS or Active Directory integration. AD integration is a very common and popular choice as it provides single sign-on via NTLM, Kerberos and LDAP(S).
This often means that a principal has to be in a "trusted" domain group before they can use the proxy, such as Domain Users or a custom group entirely. This does often exclude computer accounts, which means HTTP(S) Beacons running as the local SYSTEM account cannot work.
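As an added example (not part of the original notes), the following Python triage runs over constructed squid native-format access.log lines to surface the two proxy behaviours described in the Content Filtering and Authentication sections from the defender's side: clients repeatedly answered with 407 (proxy authentication required, no username ever presented) and denied requests for the blocked file types named above. The log lines, IP addresses, hostnames and the DEV\user1 account are constructed samples.

```python
import re
from collections import Counter

# Squid "native" access.log layout (one record per line):
# time duration client result/status bytes method url user hierarchy/peer content-type
SQUID_NATIVE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# File types commonly blocked by proxy content filtering (as listed in the notes).
BLOCKED_EXT = (".exe", ".dll", ".ps1")

# Constructed sample log: hosts, names and user are placeholders, not real data.
SAMPLE_LOG = """\
1700000000.101    312 10.10.17.25 TCP_DENIED/407 3990 GET http://updates.example.test/agent.exe - HIER_NONE/- text/html
1700000000.205     98 10.10.17.25 TCP_DENIED/407 3990 CONNECT updates.example.test:443 - HIER_NONE/- text/html
1700000001.410    455 10.10.17.231 TCP_DENIED/403 3612 GET http://downloads.example.test/tool.ps1 DEV\\user1 HIER_NONE/- text/html
1700000002.007   1203 10.10.17.231 TCP_MISS/200 51234 GET http://intranet.example.test/policy.pdf DEV\\user1 HIER_DIRECT/10.10.15.80 application/pdf
1700000003.550    220 10.10.17.25 TCP_DENIED/407 3990 GET http://updates.example.test/agent.exe - HIER_NONE/- text/html
"""

def parse_line(line):
    """Parse one squid native-format record into a dict, or None if it does not match."""
    m = SQUID_NATIVE.match(line)
    return m.groupdict() if m else None

def triage(log_text):
    """Summarise unauthenticated clients (repeated 407s with no user) and denied blocked-type downloads."""
    unauth = Counter()    # client IP -> number of TCP_DENIED/407 responses with no username
    blocked_files = []    # (client, user, url) for 403-denied requests to blocked file types
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        # A client that only ever receives 407 and never presents a user is a process
        # without a usable domain identity, e.g. one running as SYSTEM on an AD-integrated proxy.
        if rec["result"] == "TCP_DENIED" and rec["status"] == "407" and rec["user"] == "-":
            unauth[rec["client"]] += 1
        # Content filtering: a 403 on a URL whose path ends in a blocked extension.
        path = rec["url"].split("?", 1)[0].lower()
        if rec["result"] == "TCP_DENIED" and rec["status"] == "403" and path.endswith(BLOCKED_EXT):
            blocked_files.append((rec["client"], rec["user"], rec["url"]))
    return {"unauthenticated": dict(unauth), "blocked_files": blocked_files}
```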