C2 Infrastructure OPSEC for Red Team Operations

Q: Is Cobalt Strike still operationally viable in 2026?

Yes with significant tuning. Default Cobalt Strike has been fingerprinted aggressively, but a well-tuned profile with custom sleep masking, BOFs replacing fork-and-run patterns, and current loader practices remains effective.

Q: What is the minimum viable redirector stack?

At minimum one front-end nginx redirector on a reputable cloud provider, fronted by a CDN. Team server lives in a private network and never accepts public connections.

Q: Do you use domain fronting?

Classic CDN host-header fronting has been closed off. The successor is sub-resource camouflage: legitimate content and C2 endpoints on the same domain, redirector serving both.

Q: How do you handle a burned domain mid-operation?

Burned infrastructure is decommissioned immediately. Operations are designed with at least two unrelated channels at each stage so any single loss does not collapse the operation.

Q: What is the difference between red team OPSEC and penetration testing OPSEC?

Penetration tests are announced and scheduled. Red team operations test detection without prior defender knowledge of timing or technique. OPSEC bar is much higher.

Red team infrastructure determines how long an operation runs before the blue team identifies and contains it. We see engagements that should have lasted weeks burn down in 36 hours because the infrastructure exposed every stage of the kill chain at once. We also see infrastructure that survives mature SOC environments for the full engagement window. The difference is rarely the tooling. It is the discipline of how the infrastructure is built, the operational practices that surround it, and the boundaries the team accepts before any traffic ever leaves the team server.

This post is a practitioner walkthrough of the architecture decisions and operational practices that determine survivability. It assumes the reader already understands the fundamentals of command and control, beacon callbacks, and TLS termination. The intent is educational. Everything written here applies inside authorised red team engagements with signed rules of engagement.

Why Most Red Teams Get Burned in the First 48 Hours

The most common failure modes we observe when reviewing other teams infrastructure, or our own retrospectives, are not technically interesting. They are operational lapses. The same handful of mistakes shows up repeatedly:

Direct callbacks from implants to the team server, exposing the team server IP in every endpoint EDR telemetry record.
Default C2 profiles untuned, with default User-Agent strings and URI patterns that vendor IOC feeds detect on day one.
JA3 and JA3S fingerprints that match a Go-based malleable C2 framework before the first request is parsed.
Aggressive callback intervals during initial recon that flood the EDR anomaly thresholds.
Same domain serving both staging and command channels, collapsing the redirection plane.
SSL certificates with metadata that ties the domain back to a known operator alias or a reused contact email.
Public DNS history that shows the domain pointing to known bad infrastructure days before the engagement began.

Each of these is fixable in advance. None require new tooling. They require provisioning the infrastructure with the discipline an actual adversary class would apply, then sustaining that discipline through the engagement. Most teams understand the discipline in principle and abandon it as soon as the operation gets busy.

Layered Redirector Architecture

Direct C2 callbacks are indefensible. A defensible architecture places at least two layers of redirectors between the implant and the team server, and ideally one of those layers is a high-reputation CDN or commercial reverse proxy.

Implant
   |
   v
[CDN / reputable reverse proxy]   (high-reputation domain, TLS termination)
   |
   v
[Short-haul redirector]           (cloud VPS, distinct provider, filters by profile)
   |
   v
[Long-haul redirector]            (different provider, different geo, second filter layer)
   |
   v
[Team server]                     (never directly exposed, no public listeners)

The principle behind the layering is blast-radius containment. If any one component is identified, only that component burns; the rest of the chain continues to function. The team server in particular should never accept connections from the public internet. It accepts traffic only from the long-haul redirector address, ideally over a private VPC peering connection or an authenticated overlay network.

Front-end CDN and reverse-proxy choices

The front-end layer should serve unrelated benign traffic on the same domain. A domain that serves only C2 traffic is detectable through traffic volume analysis and is suspicious by default to certificate transparency analysts. We commonly use Cloudflare-fronted infrastructure with a real benign service hosted on the same domain (a static blog, a documentation site, a small product page), and the C2 endpoints living under a path that looks similar to legitimate static asset or API routes.

Domain fronting in the classic CDN host-header sense has been operationally limited since 2018 across the major CDNs. The successor pattern is sub-resource separation: C2 traffic is indistinguishable from the legitimate sub-paths the same domain serves, because the redirector explicitly serves both. The defender sees a normal-looking domain hosting a normal-looking site, with a small fraction of requests routing to an internal back end.

Sample nginx redirector configuration

A high-level example of an nginx redirector that proxies authenticated C2 paths to the next layer while serving a real-looking 200 OK to anyone hitting other paths. This is educational shape, not a recipe to abuse production environments without authorisation:

server {
    listen 443 ssl http2;
    server_name updates.example.com;
    ssl_certificate     /etc/letsencrypt/live/updates.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/updates.example.com/privkey.pem;

    root  /var/www/legit-content;
    index index.html;

    location ~ ^/cdn/updates/[a-f0-9]{8}/v[0-9]+$ {
        if ($http_user_agent !~* "Mozilla/5.0") { return 404; }
        if ($http_x_session_token = "") { return 404; }
        proxy_pass         https://short-haul-redirector.internal;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_ssl_verify   on;
    }

    location / { try_files $uri $uri/ /index.html; }

    if ($http_user_agent ~* "(nmap|masscan|nuclei|zgrab|censys|gobuster|dirbuster)") { return 444; }
}

Key choices reflected in the configuration: the C2 location requires both URI shape match and a header signature. Traffic that does not present both is served the legitimate content rather than routed to the next layer. The team server IP appears nowhere in this configuration or its TLS chain. Logs are minimal but enough to debug operations. The redirector terminates TLS, which means it controls the JA3S response presented to the client.

Apache and HAProxy alternatives

The same pattern is achievable in Apache with mod_rewrite conditions and mod_proxy, and in HAProxy with frontend ACLs that match URI plus header before backend dispatch. The choice of redirector software matters less than the discipline of requiring multiple matching signals before forwarding any request.

Infrastructure Categorisation and Domain Aging

Different stages of an operation should use different infrastructure with different reputation profiles. Mixing stages on the same infrastructure means that if any single stage is identified, the rest of the operation collapses with it.

Phishing or initial access: short-lived domains, aged a minimum of two weeks, ideally repurposed from legitimate prior use. Burned aggressively after the campaign window closes.
Stage 0 staging (initial payload delivery): a distinct domain set, never reused for phishing or for ongoing C2. Generally CDN-fronted with realistic file delivery patterns.
Stage 1 C2 (foothold beacon): a different domain set again, longer sleep intervals, broader malleable profile distribution.
Stage 2 long-haul (post-exploitation): the highest-trust infrastructure, oldest domains, lowest beacon frequency, often a separate framework from stage 1 to avoid a single-toolchain compromise.

Domain aging matters because reputation systems weight age heavily. A domain registered six hours before first use is treated very differently from a domain registered six months before first use and lightly used during the intervening period. Procurement should be planned weeks ahead of the engagement. Buying expired domains with prior legitimate use is a common practice. Registrar choice also matters: well-known registrars produce lower scrutiny than registrar combinations that historically appear in commodity malware reports.

Malleable C2 Profiles

Malleable C2 profiles shape the network traffic between the implant and the redirector. They are the difference between traffic that looks like normal HTTPS browsing and traffic that looks like a default-configured offensive framework.

HTTP shape and header hygiene

User-Agent. Match a current build of a browser that the target organisation actually uses. Out-of-date browser strings, headless browser identifiers, and language SDK defaults (such as Go default Go-http-client) are dead on arrival.
Accept and Accept-Encoding. Match the browser pattern. Beacons that send Accept: */* with no Accept-Encoding stand out under flow review.
URI patterns. Realistic paths and parameters. A profile that requests /admin.aspx?wparam=... in 2026 is a beacon to anyone reviewing proxy logs.
Response body framing. Tasks and output should arrive inside realistic-looking server responses. Embedded inside fake JSON metric reports, fake static asset payloads, or fake API responses matching the kind of API the surrounding domain would generate.
Timing patterns. Profile metadata controlling timing, jitter, and sleep should not produce traffic patterns that flow analysis flags as beaconing.

JA3 and JA3S TLS fingerprinting

JA3 (client TLS handshake) and JA3S (server response handshake) fingerprints are computed from fields in the TLS handshake. Out-of-the-box implants typically present JA3 fingerprints that match the underlying TLS library (Go crypto/tls, .NET SslStream, Python requests). Public fingerprint databases identify these as malware infrastructure indicators within days of first observation.

Mitigation requires either compiling implants against libraries that produce browser-like JA3 (such as utls for Go-based implants) or terminating TLS at a layer that presents a browser-like JA3 chain to the network. Teams that do this well rebuild the TLS stack to match a current Chrome or Firefox fingerprint matching their User-Agent. Teams that do this badly produce a Chrome User-Agent paired with a Go-default JA3, which is a louder indicator than either default alone.

JA3S on the server side is equally important. A redirector running default nginx with default OpenSSL settings presents a JA3S that pairs cleanly with browser JA3 clients. A redirector running an exotic TLS proxy with mismatched ciphers presents a JA3S that pairs with nothing legitimate in the target traffic.

Profile mistakes still common in commercial engagements

Reusing the same profile across multiple engagements. Vendor IOC feeds will catch this within weeks.
Mixing profile elements (a URI shape from profile A with a header set from profile B), creating a hybrid signature that matches nothing real.
Forgetting to update the profile when the underlying tool ships a new version that changes any default.
Putting operator handles, dates, or internal codenames in custom indicator fields that ship to the target.
Failing to test the profile against current threat intel feeds before deployment. A two-minute check against a public fingerprint database often catches reused indicators before they reach the operation.

Beacon Sleep and Jitter Trade-offs

Beacon callback intervals are the most consistently underweighted operational decision. Short intervals produce dense periodic traffic that anomaly detection identifies. Long intervals slow the operation. The trade-off depends on the engagement phase and the maturity of the defender detection stack.

Initial recon (first 24 to 72 hours): moderate sleep, often 60 to 180 seconds, with high jitter (40 to 60 percent). Just enough responsiveness to validate the foothold without flooding network anomaly detection.
Lateral movement phase: shorter intervals during active operator sessions, longer during idle periods. Working-hours profiles match the target organisation business hours. Working-hours alignment is consistently underused. Beacons that call back during target business hours blend with legitimate traffic. Beacons that call back at three in the morning local time during off-hours generate per-host telemetry no legitimate process produces.
Long-haul persistence: sleep intervals measured in minutes to hours, with very high jitter. The beacon is a heartbeat, not a working channel.

A defender detection model matters here. A SOC running flow analytics with anomaly thresholds tuned for periodic traffic catches even high-jitter short beacons within hours. A SOC running only signature-based network detection often misses tuned beacons for the entire engagement window. The team should know which it is testing against and tune accordingly.

In-Memory and Loader OPSEC

AMSI considerations

The Anti-Malware Scan Interface intercepts script content before execution by AMSI-aware tools. Mature loaders avoid AMSI by avoiding the execution paths it instruments, rather than by patching it. Patching AMSI is increasingly detected by behavioural EDR rules; the modern operational consensus is to use compiled stage 1 implants rather than PowerShell or VBA where possible.

ETW considerations

Event Tracing for Windows is the telemetry pipeline EDR products consume. Disabling ETW providers is loud. Unhooking ETW selectively in the implant process is quieter but increasingly detected. The current operational consensus among practitioners we collaborate with is to avoid generating the telemetry rather than suppress it: design the implant so the syscalls it makes do not trip the ETW providers EDR products subscribe to.

Sleep masking

Beacon processes spend most of their lifetime sleeping. During sleep, the beacon executable memory, configuration, and any in-memory secrets are scannable by memory introspection. Sleep-masking techniques (Ekko, Foliage, and successors) encrypt the beacon memory during sleep and decrypt before the next callback. The cost is additional code complexity; the benefit is significantly fewer in-memory detection signatures during the longest-exposed window.

EDR, IDS, and Network Detection Considerations

Defensive perspective matters because building infrastructure that survives requires knowing what the opposite team is looking for. The detection signals modern blue teams actually use:

EDR memory introspection. CrowdStrike, SentinelOne, and Defender for Endpoint scan process memory for known beacon patterns. A clean memory profile during sleep is critical.
EDR behavioural detection. Process tree anomalies (a signed Microsoft binary spawning cmd.exe with base64-encoded PowerShell) are default detection rules in every modern EDR. Unusual parent-child relationships are flagged regardless of the implant network signature.
Network anomaly detection. Periodic small POST or GET requests with consistent body sizes are textbook beaconing patterns. Even encrypted payloads have detectable timing and size envelopes that flow analysis can characterise.
JA3 and JA3S fingerprint matching. Network security tools fingerprint TLS handshakes against known-bad databases. Default tool fingerprints are tagged within days of first observation.
SSL certificate analysis. Certificate transparency logs are queryable in real time. Certificates issued to suspicious infrastructure are surfaced to threat intel feeds and shared between providers.
Domain registration patterns. Bulk-registered domains, recently registered domains used for outbound traffic, and domains lacking website content all carry low reputation scores.
Outbound destination IP reputation. Egress to known cloud provider IP ranges hosting recent abuse reports is flagged by enterprise web proxies.

Effective red team infrastructure makes every one of those signals look ordinary. That is the bar.

Operational Logging and Takedown Risk

Infrastructure decisions extend beyond what the defender sees. The team own logging practices, hosting provider relationships, and the legal footprint of the operation all affect survivability.

Operator-side logging. Every operator action should be recorded with timestamp, source IP, and intent. If an investigation follows the engagement (legal request, customer query, incident response review), this log is what answers "was that activity ours". Operator logs should live separately from the team server itself and ideally outside the redirector chain.
Hosting provider takedown risk. Cloud providers respond to abuse reports faster than they used to. Infrastructure should be provisioned on the assumption that any one VPS can be terminated within hours of an abuse report. Critical components require redundancy and quick redeployment automation. Some providers (notably the major hyperscalers) treat red team infrastructure as policy violations regardless of authorisation; choosing providers whose acceptable use policies tolerate authorised security testing matters at scale.
Domain WHOIS and registrar policy. Domain providers also respond to abuse reports. Privacy-protected WHOIS is standard, but it does not prevent registrar action.
Engagement evidence retention. Captured screenshots, credentials, beacon output, and report drafts are sensitive engagement data. Storage in an engagement-specific vault with encryption at rest is the floor. Many engagements include explicit data-handling clauses that constrain how long the engagement data is retained and where it can be processed.

Red Team Engagement Safety Boundaries

Beyond OPSEC, red team operations have safety obligations to the customer environment and to third parties. The boundaries that responsible teams adopt include:

Written rules of engagement signed by an authorised executive sponsor before any action begins.
Explicit in-scope and out-of-scope identification of assets, identities, networks, and (where physical access is in scope) sites and individuals.
A named emergency contact reachable by the team during testing hours, with an out-of-hours escalation path.
Pre-agreed criteria for actions that require pause-and-confirm: high-impact exploitation, actions that touch production data, social engineering against unconsented individuals, anything affecting third-party services.
Prohibition on actions outside the agreed scope, even if a path opens that would clearly succeed. The engagement value comes from testing the agreed surface, not from operator improvisation.
Immediate notification of any finding that constitutes a real-time risk (active malware in customer environment, exposed customer data, active third-party intrusion). The team is in the environment first; responsibility comes with that position.
Engagement data destruction at the end of the engagement, except where retention is required for the agreed re-test or for legal record-keeping under the contract.

Teams that treat these as optional do not last long in the industry. Customer trust and the ability to operate at scale depend on visible discipline.

MITRE ATT&CK Mapping

T1090.004 Proxy: Domain Fronting (legacy) and modern multi-hop redirector chains.
T1071.001 Application Layer Protocol: Web Protocols (HTTP and HTTPS C2).
T1573.002 Encrypted Channel: Asymmetric Cryptography (TLS).
T1027 Obfuscated Files or Information (malleable profile shaping, sleep masking).
T1218 System Binary Proxy Execution (loader patterns).
T1055 Process Injection (stage 1 beacon hosting).
T1562.001 Impair Defenses: Disable or Modify Tools (AMSI and ETW patching when used).
T1568 Dynamic Resolution (where the C2 channel uses domain generation or fast-flux patterns).

Defender Takeaways

For defenders reading this from the other side of the engagement, the operational practices that catch the largest fraction of intermediate-skill red team operations are:

JA3 and JA3S fingerprint detection against current public fingerprint databases, refreshed weekly.
Certificate transparency monitoring for any newly issued certificate that mentions internal brand strings or contains common phishing keyword variations.
Egress flow analysis tuned for periodic small request patterns, regardless of payload encryption.
Process tree analytics that flag signed-binary parents spawning script interpreters with encoded arguments.
EDR memory scanning that searches for known beacon configuration patterns and known fork-and-run telltales.
Domain reputation enrichment on every outbound destination, with explicit treatment of "domain registered within last 90 days" as elevated risk.

None of these are exotic. All of them are widely available in commercial EDR and SIEM products. The gap is not capability; it is tuning and review cadence.

Operational Discipline During an Engagement

Never browse to operator infrastructure from a personal browser or a residential IP.
Operate from a dedicated operator VM that is reset between engagements.
SSH into team servers only through the operator VM and over an authenticated overlay network, never from public residential connections.
When a domain or redirector is identified, burn it immediately. Continuing to use known-bad infrastructure trains the defender on the next infrastructure pattern.
Avoid a single-framework monoculture across all stages. A defender who fingerprints one framework fingerprints the whole operation if everything runs on the same toolchain.

Frequently Asked Questions

How long does it take to provision proper C2 infrastructure?

Domain aging is the long pole. Domains should be registered and lightly used (real-looking site hosted, occasional human-like traffic) at least two to four weeks before the operation begins. Redirector and team server provisioning takes one to two days once the architecture template is established. Most of the time investment is in malleable profile and TLS fingerprint customisation.

Is Cobalt Strike still operationally viable in 2026?

Yes, with significant tuning. Default-configured Cobalt Strike has been fingerprinted aggressively for years. A well-tuned profile with custom sleep masking, BOFs replacing fork-and-run patterns, and current loader practices remains effective against most environments. The framework is one of several practitioners use; Sliver, Mythic, and custom frameworks are equally common.

What is the minimum viable redirector stack for a small engagement?

At minimum, one front-end nginx redirector on a reputable cloud provider, fronted by a CDN for any externally facing channel. The team server lives in a private network and never accepts public connections. For larger engagements, add a second redirector layer and segregate stage 0, stage 1, and stage 2 infrastructure.

Do you use domain fronting in current operations?

Classic CDN host-header fronting has been largely closed off by the major CDN providers. The successor approach is sub-resource camouflage: hosting both legitimate content and C2 endpoints on the same domain, where the redirector serves both. This requires more setup but achieves the same network-flow indistinguishability.

How do you handle a burned domain mid-operation?

Burned infrastructure is decommissioned immediately. Continuing to use known-bad infrastructure costs more than the inconvenience of switching. Operations should be designed so that loss of any one piece of infrastructure does not collapse the operation, which means at least two unrelated channels at every stage.

What is the difference between red team OPSEC and penetration testing OPSEC?

Penetration testing operations are generally announced to defenders and run on a defined schedule. Red team operations specifically test detection and response without the defender prior knowledge of timing or technique. The OPSEC requirements are therefore much higher: the goal is not just to test controls but to test them under conditions that approximate a real adversary discipline. Infrastructure that would be acceptable for a pentest is not acceptable for red team work.

C2 Infrastructure OPSEC: Building a Resilient Command and Control Setup