Automating CloudFront C2 with AI – Reduce Errors & Save Time
A well-known red team tactic for blending Command-and-Control (C2) traffic in with legitimate network traffic uses Amazon Web Services (AWS) CloudFront redirectors to mask the C2 server’s true origin. Setting these up manually isn’t terribly complicated, but it’s definitely tedious, time-consuming, and prone to mistakes, especially when juggling other pre-engagement setup tasks. I knew these setup tasks could be automated, but developing a solution from scratch quickly was a challenge because of other project tasks competing for my time.
To combat time constraints, I decided to leverage Artificial Intelligence (AI). Using prompts to help generate the code, I broke down the process step-by-step and gradually built a Python script that now does all the CloudFront redirector setup work for me. What used to be a manual and time-consuming process can now be kicked off and completed with a single command. Let’s dive into how it’s done!
Refresher on CloudFront Redirectors
A CloudFront redirector is a way to mask the origin of your C2 server by using Amazon CloudFront as a reverse proxy. From an Operational Security (OPSEC) perspective, this mask has immense value – it blends C2 traffic with legitimate Content Delivery Network (CDN) traffic and hides the true origin of the C2 server. This network channel adds a level of detection and blocking complexity for defenders. As we conduct red team assessments at GuidePoint Security, our beacon C2 traffic continues to remain undetected when using CloudFront CDN redirectors.
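Because the redirector makes the beacon’s destination look like ordinary CDN traffic, the destination domain alone is a weak indicator; the beacon’s check-in cadence is not. The following added example (not part of the original post or the author’s tool) runs a simple periodicity check over constructed proxy log lines and flags client/host pairs on cloudfront.net whose inter-request intervals are unusually regular. The log format, field order and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not real data): timestamp, client IP, TLS SNI/host, path.
# 10.0.0.5 checks in almost exactly every 60 s; 10.0.0.9 is ordinary bursty web traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 d1234abcd.cloudfront.net /api/v1/updates
2024-05-01T10:01:00Z 10.0.0.5 d1234abcd.cloudfront.net /api/v1/updates
2024-05-01T10:02:01Z 10.0.0.5 d1234abcd.cloudfront.net /api/v1/updates
2024-05-01T10:03:00Z 10.0.0.5 d1234abcd.cloudfront.net /api/v1/updates
2024-05-01T10:04:00Z 10.0.0.5 d1234abcd.cloudfront.net /api/v1/updates
2024-05-01T10:00:07Z 10.0.0.9 d9876wxyz.cloudfront.net /static/app.js
2024-05-01T10:00:09Z 10.0.0.9 d9876wxyz.cloudfront.net /static/logo.png
2024-05-01T10:14:33Z 10.0.0.9 d9876wxyz.cloudfront.net /static/app.js
2024-05-01T10:47:02Z 10.0.0.9 d9876wxyz.cloudfront.net /static/vendor.js
2024-05-01T11:30:55Z 10.0.0.9 d9876wxyz.cloudfront.net /static/app.js
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, host, path) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        records.append((ts, m.group(2), m.group(3), m.group(4)))
    return records


def find_periodic_cloudfront_clients(records, min_hits=5, max_cv=0.10):
    """Return {(client, host): cv} for cloudfront.net hosts whose inter-request
    intervals are unusually regular (coefficient of variation <= max_cv).
    min_hits keeps one-off CDN fetches from being scored at all."""
    by_pair = defaultdict(list)
    for ts, client, host, _path in records:
        if host.endswith(".cloudfront.net"):
            by_pair[(client, host)].append(ts)
    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else 0.0
        if cv <= max_cv:
            flagged[pair] = round(cv, 3)
    return flagged
```

Real beacons add jitter, so in practice the threshold is tuned per environment and combined with other signals (request size uniformity, URI reuse, first-seen distribution hosts) rather than used alone.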
A great reference that I’ve used for years on how to create this type of CloudFront C2 redirection for Cobalt Strike is an article by bigb0ss, “Red Team C2 Redirector – Cloud Fronting Setup.”
This graphic, taken from the same blog post, depicts the traffic flow between a victim machine, the CloudFront redirector, and the C2 server.
This type of C2 redirection is very effective, but very tedious to set up manually each time. You have to:
- Spin up an Amazon Elastic Compute Cloud (EC2) instance and install Cobalt Strike
- Configure Domain Name System (DNS) records for your domain
- Obtain and install a valid Transport Layer Security (TLS) certificate
- Create and configure a CloudFront distribution
- Update your C2 profile with the correct domain and certificate info
Each step takes time and requires precise configuration; otherwise, the reverse proxy and C2 communication exchange fails, and you’re left troubleshooting. Automating this error-prone process wasn’t just a “nice to have,” it was a no-brainer.
Using AI to Automate the Process
The first step, provisioning the EC2 instance and installing Cobalt Strike, was already handled by an in-house tool. Once that was done, the Python script written with help from AI took care of the rest:
- DNS A Record: Automatically configures the domain’s A record in Cloudflare to point to the EC2’s public IP.
- TLS Certificate: Uses Certbot to obtain and configure a Let’s Encrypt certificate for the domain.
- CloudFront Distribution: Creates a CloudFront distribution pointing to the domain, using the correct caching and forwarding settings to ensure proper end-to-end C2 traffic handling.
- C2 Profile Update: Modifies a user-provided Cobalt Strike malleable C2 profile to reference the appropriate domain, certificate, and CloudFront configuration.
Every phase of the script was written with the help of AI: generating AWS Software Development Kit (SDK) calls, handling edge cases, troubleshooting Application Programming Interface (API) errors, and even cleaning up the logic.
Here are examples of prompts I used to help build out the script:
- Figure out the current external IP address of the host where the script is run. Maybe the command `curl ifconfig.io` would do the trick.
- Create a new DNS record using the Cloudflare API. The DNS name should be passed in as a parameter to the script. The Cloudflare API token should also be passed in as a parameter.
- Use Certbot to request a TLS certificate for the DNS name that’s passed in as a parameter to the script. Generate a random password to be used in the Certbot cert request. The Certbot command would look something like this: `certbot certonly --non-interactive --agree-tos --email <Your Email> --standalone --preferred-challenges http -d <Your Domain>`. Require the user to pass in their own email address as a parameter.
- Add a dependency check to make sure `keytool` and `certbot` are installed, and if not, install them with `apt`.
Lessons Learned
This project taught me a few useful things:
- You don’t need to be a full-time developer to build useful tools, but you do need to exercise caution when using AI to generate code.
- AI makes it way easier to go from idea to working script, especially when you’re pressed for time.
- Automating repeatable setup tasks is one of the best returns on effort for any red teamer.
The script now saves me time, reduces mistakes, and frees up bandwidth for the parts of an engagement that require creativity and human input.
Feel free to check out the tool and give it a spin!
A Word of Caution
When writing code, especially for penetration testing, using public-facing AI tools can pose serious risks. These platforms may retain or learn from input data, potentially exposing sensitive tactics, techniques, or proprietary methods. To mitigate this risk, avoid entering real IP addresses, credentials, or client-specific information into public AIs. Instead, consider using a private or self-hosted AI solution that keeps your data isolated and secure. Always validate and vet AI-generated code in a controlled, offline environment before use. And most importantly, ensure all testing is authorized and conducted within legal and ethical boundaries.