[RedTeam] C2 Redirector — Cloud Fronting Setup (AWS)

5 min read · Feb 9, 2021


What is Cloud Fronting?

AWS CloudFront is another way to hide your C2 server's IP address. Once configured, the C2 traffic blends in with CDN traffic and connects back to the domain that we configure with AWS CloudFront. It also supports HTTPS, so the traffic can be carried over an encrypted channel (unless the target organization has HTTPS inspection in place).

Infrastructure Setup

1) Cobalt Strike Server Setup (Cloud VM)

First, you need to create a host for your Cobalt Strike server. For this demo, I have created an AWS EC2 instance that is configured to use an external (public) IP.

$ uname -a
Linux ip-xx 5.4.0-1029-aws #30-Ubuntu SMP Tue Oct 20 10:06:38 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ curl ipconfig.io
3.21.xx.xx <-- AWS EC2 Public IP

Then install Cobalt Strike on that EC2 host using the instructions linked below.

Note: You will need a valid license, or to request a free-trial license, to download Cobalt Strike.

Download Cobalt Strike
Installation Guide for Cobalt Strike

2) Attacker’s Domain Setup

Purchasing a Domain

We also need a domain to use. I will use a new domain that I purchased a while back.

Domain DNS Setup

Configure the DNS “A” record to point to the AWS EC2 host that we created earlier.

DNS A Record Configuration
  • Check the DNS record:
$ nslookup microsoft-securityteam.com
Non-authoritative answer:
Name: microsoft-securityteam.com
