0710 | Tradecraft Concerns

TRADECRAFT CONCERNS

Note: This section outlines various tradecraft considerations that should be made while operating in a live environment.

Do created artifact names and configurations blend in with the target environment (service names, descriptions, file names, etc.)?
Is the payload packed/obfuscated?
Was the payload created matching target system architecture, C2 type, and payload type?
Is the artifact uploaded to a non-descript location?

Do I have the correct "permission" to execute this persistence method (administrator versus user persistence methods)?
Once the persistence executes, is the payload process suspicious?
After persistence executes, is the implant call back interval too fast or too slow?
Should I log this persistence?

Purchase a VPS for C2 redirection.
SSL certs purchased and configured successfully on redirector.
Age redirector as long as possible.
Redirector content uploaded and "categorized".
ProxyPass or similar traffic pass thru technique configured to push implant traffic to team server.
Iptables configured to block unwanted traffic from redirector and Red Team attack machine.
Passwords changed on redirector, and any other Red Team owned machines.
SSH keys configured and password protected.

Is the correct privilege held to run this token manipulation method?
Is the "domain" section of the technique set correctly?
Is the hash or password still valid (it could be expired)?
Does the user belong to any concerning groups (HBSS admin, firewall admin, etc.)?
Is the user account enabled?
Has the user logged in recently?
Has the user authenticated from this machine before?
Is an active user credential required for this task?