Red Team C2 Infrastructure built in AWS using Ansible!
Creates two Cobalt Strike C2 servers (DNS and HTTPS), with redirectors, and RedELK in Amazon AWS. Minimal setup required! Companion Blog here
This build does NOT use free-tier eligible servers. Approximate costs can vary. During testing, we used six ec2 instances that cost around $70/month total.
I spent a ton of time ensuring that as many questions as I could think of were answered. If I missed something, please feel free to reach out. This tool may be maintained periodically, but it's mainly used as a stepping stone for further development.
Rename the folders below labeled "web-redir1.org" and "web-redir2.com" to the domain name of each web redirector. This ensures that the correct Joomla install lands on the right EC2 server. For example: if you created a decoy Joomla site "definitely-legit-company.com" and want to use it as a web redirector, make sure it is listed in the 'domains' variable, and create a folder named 'definitely-legit-company.com' under files/ containing the joomla.zip for that site. Details on how to build that ZIP are below.
```
/opt/redcommander/files
│   C2concealer.zip
│   cobaltstrike.zip
│   cs2modrewrite.py
│   RedELK.zip
│   redirect.rules
│
├───web-redir1.org
│       dump.sql
│       joomla.zip
│
├───web-redir2.com
│       dump.sql
│       joomla.zip
│
└───custom
    ├───DNS
    │       evasive.profile
    │       keystore.store
    │
    └───HTTPS
            evasive.profile
            keystore.store
```
All files have to be named EXACTLY as shown above, in the folders shown. The only exception is the folder names for the web redirect domains.

* Add your own cobaltstrike.zip file if you like. Don't include your MalleableC2 profile in that ZIP, though.
* If you don't include a Keystore, one will be created for you using the LetsEncrypt certificate generated for the C2 domain.
* If you don't include a MalleableC2 profile, one will be generated for you. This happens at every run, so it's a good idea to copy the generated keystore/profile into the directories above after the first run, or just build your own.
* To dump the MySQL database of your Joomla site, use `mysqldump -u root -p -d cs_joomla >> dump.sql` (note that `-d` is mysqldump's `--no-data` option, so this dumps table definitions without rows). Then execute `cd /var/www/html; zip -r joomla.zip *` to get your Joomla install zipped properly. Don't worry, the play will add the correct configuration settings (by default, the MySQL password, user and session type modifiers).
* You can add a custom Cobalt Strike MalleableC2 profile and/or Keystore per C2 to files/custom/DNS or files/custom/HTTPS respectively.
* Add RedELK.zip to files/.
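As an added pre-flight check (not part of RedCommander), the POSIX shell script below walks the layout above for the files directory and each web redirector domain from your 'domains' variable, and reports what the play expects but will not find; the script name check_files.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not RedCommander's own code. Checks the files/ layout
# described above before the playbook runs.
#   sh check_files.sh /opt/redcommander/files definitely-legit-company.com

check_files_dir() {
    base="$1"; shift
    missing=0
    # Top-level files from the tree above; names must match exactly.
    for f in C2concealer.zip cobaltstrike.zip cs2modrewrite.py RedELK.zip redirect.rules; do
        if [ ! -f "$base/$f" ]; then
            echo "MISSING: $base/$f"
            missing=$((missing + 1))
        fi
    done
    # One folder per web redirector domain, holding dump.sql and joomla.zip.
    for d in "$@"; do
        for f in dump.sql joomla.zip; do
            if [ ! -f "$base/$d/$f" ]; then
                echo "MISSING: $base/$d/$f (folder name must equal the domain)"
                missing=$((missing + 1))
            fi
        done
        # joomla.zip is built with 'zip -r joomla.zip *' inside /var/www/html,
        # so index.php should sit at the archive root, not under a subfolder.
        if [ -f "$base/$d/joomla.zip" ] && command -v unzip >/dev/null 2>&1; then
            if ! unzip -l "$base/$d/joomla.zip" 2>/dev/null | grep -q ' index\.php$'; then
                echo "WARN: $base/$d/joomla.zip has no top-level index.php"
            fi
        fi
    done
    # Per-C2 overrides are optional: report which ones the play will generate.
    for c2 in DNS HTTPS; do
        for f in evasive.profile keystore.store; do
            [ -f "$base/custom/$c2/$f" ] || echo "INFO: custom/$c2/$f absent, play will generate one"
        done
    done
    echo "$missing required file(s) missing"
    [ "$missing" -eq 0 ]
}

if [ "$#" -gt 0 ]; then
    check_files_dir "$@"
fi
```

The function exits non-zero when any required file is missing, so it can gate the playbook run in a wrapper script.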
The only REQUIRED prerequisite that's not covered by the variables file is adding your campaign domains to CloudFlare. The simple steps for that are:
Important! Please be kind to CloudFlare. Send an email to [email protected] stating your AUTHORIZED intentions.
All variables except the Vault key are covered in vars/main.yml. Please reference that file for descriptions of each variable. USE ANSIBLE VAULT FOR SENSITIVE DATA!
ansible-vault encrypt_string --vault-password-file /path/to/password/file --name 'aws_secret_key'
We usually run this directly from the control node, though I'm in the process of importing this to AWX.
Important! Ensure that your variables are correct before running the playbook!
ansible-playbook playbook.yml --ask-vault-pass
I created a janky output.yml play that prints IP/hostname correlations via debug. It's not pretty, but I left it in case you don't have access to the AWS EC2 web GUI.
There's also a nuke playbook for destroying your infrastructure. It's run the same way:
ansible-playbook nuke.yml --ask-vault-pass
Run that at your own risk.
Check 👏 Your 👏 Profile
Ensure that all variables were correctly added. Check the logs in /var/log/redelk on the RedELK server for errors. Otherwise check the RedELK Wiki. Oh, and make sure you have a live beacon; otherwise you likely won't have any data! :)
Where? Try running it again with -vvv. Generally the Python traceback will tell you what's wrong.
Alex Williams, OSCP, GXPN
(In no particular order)