[RedTeam] C2 Redirector — Cloud Fronting Setup (AWS)

bigb0ss
Feb 9, 2021

Intro

What is Cloud Fronting?

AWS CloudFront is another way to hide your C2 server IP. Once configured, the traffic blends in with CDN traffic and connects back to the domain that we configure with AWS CloudFront. It also supports HTTPS, so it can be used with encrypted traffic (unless the target organization has HTTPS inspection in place).
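From the defender's side, traffic that blends into a CDN can still stand out by its timing. The following is an added example, not code from the original post: it flags clients that contact a CloudFront hostname at near-constant intervals, and the log format, hostnames, IPs, and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

BASE = datetime(2021, 2, 9, 10, 0, 0)

def sample_lines(client, host, offsets):
    """Build constructed log lines: 'ISO-timestamp client host'."""
    return [f"{(BASE + timedelta(seconds=s)).isoformat()} {client} {host}"
            for s in offsets]

# Constructed sample data; hostnames and IPs are placeholders.
SAMPLE_LOG = (
    sample_lines("10.0.0.5", "d111example.cloudfront.net",
                 [0, 61, 120, 179, 240, 301, 360])      # steady ~60 s check-ins
    + sample_lines("10.0.0.8", "d222example.cloudfront.net",
                   [5, 6, 7, 220, 221, 552, 553])       # bursty browsing
    + sample_lines("10.0.0.5", "www.example.org",
                   [0, 60, 120, 180, 240, 300, 360])    # not behind the CDN suffix
)

def flag_regular_cdn_clients(lines, suffix=".cloudfront.net",
                             min_hits=6, max_cv=0.1):
    """Return (client, host, mean_gap_s, cv) for near-periodic CDN traffic."""
    seen = defaultdict(list)
    for line in lines:
        ts, client, host = line.split()
        host = host.lower().rstrip(".")
        if host.endswith(suffix):
            seen[(client, host)].append(datetime.fromisoformat(ts))
    flagged = []
    for (client, host), times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # identical timestamps carry no timing signal
        cv = pstdev(gaps) / avg  # coefficient of variation of the gaps
        if cv <= max_cv:
            flagged.append((client, host, round(avg), round(cv, 3)))
    return sorted(flagged)

if __name__ == "__main__":
    for hit in flag_regular_cdn_clients(SAMPLE_LOG):
        print(hit)
```

A low coefficient of variation only marks a candidate for review; legitimate software that polls on a timer will also match, so the thresholds need tuning against a baseline of the environment.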

Infrastructure Setup

1) Cobalt Strike Server Setup (Cloud VM)

First, you need to create a host for your Cobalt Strike server. For this demo, I have created an AWS EC2 instance that is configured with an external (public) IP.

$ uname -a
Linux ip-xx 5.4.0-1029-aws #30-Ubuntu SMP Tue Oct 20 10:06:38 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ curl ipconfig.io
3.21.xx.xx <-- AWS EC2 Public IP

Then install Cobalt Strike on that EC2 host by following the instructions here.

Note: You will need a valid license, or you will need to request a free-trial license, to download Cobalt Strike.
