FEB 10
BY ROBERT CAO
ROWDY RODDY RED TEAM INFRASTRUCTURE
Learning Objectives
Overall goal of this is to hand you a playbook on how to complete the administrative and technical logistics for a red team engagement.
Step 0 - Define the Scope & Objectives
This comes in the form of kick off calls, scoping meetings, or rules of engagement meetings. My recommendation is even if you do this internally, treat yourself as a client. Give your client and/or yourself all the documentation necessary. The things we need to define are:
Engagement Duration: Weeks/months?
Primary Goals: Testing enterprise security controls (lateral movement, exfiltration, etc.)? Testing your SOC SOPs?
Detection Risk: Is blue team active or passive?
Get Out of Jail Free Card: Who is the resource that will vouch for your activities should you be caught and/or get in trouble?
Lateral Limits: What is off limits if anything?
Step 1 - Leverage Threat Intel For Adversary Emulation
Defining Threat Intelligence
Threat intelligence is the process of collecting, analyzing, and applying information about adversaries to improve security defenses. For red teams, it serves as the foundation for adversary emulation, allowing operators to replicate real-world attack techniques accurately. Unlike generic penetration testing, adversary emulation focuses on mimicking specific threat actors based on intelligence data, making it a crucial component of a realistic red team assessment.
Commercial Cyber Threat Intelligence (CTI) Products:
https://letmegooglethat.com/?q=popular+commercial+threat+intelligence+tools+
Understanding Tactics, Techniques, and Procedures (aka TTPs)
TTPs describe how threat actors operate, providing a structured way to understand adversarial behavior. Red teams use TTPs to model realistic attack scenarios rather than relying on generic pen testing techniques.
Tactics – The why behind an attack (e.g., Initial Access, Privilege Escalation, etc).
Techniques – How an adversary achieves their goals (e.g., Spearphishing, Credential Dumping).
Procedures – The specific implementation of a technique, often unique to a threat group.
Step 2 - Develop a Tailored Attack Plan
Mapping Intel to MITRE ATT&CK
Not all threat intelligence is equally valuable to every organization. The most effective feeds align with your company’s industry, attack surface, and risk profile. Identifying relevant threat intelligence ensures that your red team exercises closely mimic real-world threats targeting your business.
We can do that with the Verizon Data Breach Incident Report (DBIR). DBIR provides yearly insights into the top threats sorted by industry.
Define your industry
Download/view the latest DBIR from Verizon at: https://www.verizon.com/business/resources/reports/dbir/
Find your industry in the report
Find the Top Patterns and align to MITRE ATT&CK’s verbiage
System Intrusion = Not explicitly defined in MITRESocial Engineering =T1566Basic Web Application Attack =T1190
Find the Actor Motives
Financialmotive= “financially motivated”
Google Dork it
site:attack.mitre.org “retail” “T1566” “T1190” “financially motivated”
Click / open the Mitre Group page of the APT we want to emulate
This process helps narrow down relevant adversary groups for emulation.
Creating the ATT&CK Plan
We will be extracting TTPs from the APT we selected in the previous step to create the Attack Plan - haha get it?
Visit the attack group’s Mitre Group page
Click on ATT&CK Navigator > View
Google “<APT> recent attacks” or you can tailor your own attack plan using ATT&CK Navigator
Create an outline for the TTPs you will use
Injects Plan Github Download
If you don’t trust my random’s XLSX file then you can create your own Inject Plan using headers like:
Tactic | Technique ID | Name | Description | Target | Command | Flag | MD5
Go through each Tactic systematically to develop a full plan
Now you have an Attack Plan you can use to build out injects for your engagement.
Creating a Graphical Executive Summary
Use tools like PowerPoint, Keynote, tldraw.com to create a data flow diagram to help visualize the attack chain. This is more helpful to execs that don’t care about MD5 hashes (unless you’re Tyrell Wellick). Some leaders might want more details like timelines, dates, etc. I’ve come across some leaders that care about less., but here’s an example.
Step 3 - Design and Deploy Command & Control (C2) Infrastructure
Defining Infrastructure Components
We will be utilizing Cloud Hosting (Infrastructure-as-a-Service) so that we do not need to
AWS, Azure, and GCP all offer some form of free-tier that can be used for temporary setups and are scalable.
Terraform (Infrastructure as Code for cloud automation)
Ansible (Post-deployment configuration & C2 setup)
EC2s
VPCs
In front of our C2 servers will be redirectors that are used as traffic obfuscation & defense evasion.
Nginx, Caddy, HAProxy (Reverse proxies to hide real C2)
Cloudflare, AWS CloudFront (Domain fronting to blend with legit traffic)
Basic redirector with IPTABLES
Command & Control (C2) Framework
Sliver (Free)
Empire (Free)
Cobalt Strike (Paid but can also be free, takes effort to find and need to have a high risk tolerance, not for commercial use)
Bastion Host (Jump box for controlled access)
Phishing Server / Payload Server
Logging Server
-
A goal and permission to chase that goal
Attack plan emulating a threat actor that would attack our industry
Domain names to hide our traffic behind
Acquiring Domains
Domain names are critical for generating legitimate-looking traffic. Choosing domains that align with the target’s typical infrastructure helps avoid suspicion. It’s a good tactic to revive old domains - domains that just expired and have a history could be re-used to slip past proxies unnoticed. Additionally, obtain multiple domains in the case that you get caught and blacklisted.
ExpiredDomains.net
Database of expired, dropping, and available domains.
Offers a variety of filters like BackLinks and domain age.
Picking Domains
Sign up for ExpiredDomains.net (free) and login
Go to the Deleted Domains tab
Click on BL to sort by highest on top (1st priority)
BL stands for BackLinks and are incoming links from other websites that still point to a domain that has expired
BLs are valuable because they contribute to the domain’s search engine authority, ranking, and credibility
Pay attention to WBY (whois first seen) and ABY (archive.org first seen) you want to have high scores (2nd priority)
Last but not least, pay attention to the price (3rd priority)
Creating a VPC
First, sign up and Log into AWS Console. Then, we need to create a Virtual Private Cloud (VPC) to house your red team infrastructure. VPC is just another name for network. ❌💰 This step is completely free.
Go to the AWS Console → Navigate to VPC service
Click Create VPC
Configure the following:
Name:
TestVPCIPv4 CIDR Block:
10.0.0.0/16(Allows ~65,000 addresses, plenty of room)IPv6 CIDR Block: Amazon-provided IPv6 CIDR block
Tenancy: Default (no extra cost)
Number of Availability Zones: 1
Number of public subnets: 1
Number of private subnets: 1
Nat gateways ($): None
VPC endpoints: None
Enable DNS hostnames: checked
Enable DNS resolution: checked
Click Create VPC
Wait for build to complete and say “Success”
Click View VPC
On the left, click on Subnets
Click on the “Public” subnet
Go to Actions > Edit IPv6 CIDR
Click Add IPv6 CIDR
Leave default and click Save
Creating an Internet Gateway
Since we have a public subnet, we need an Internet Gateway (IGW) to allow outbound/inbound internet access for EC2 instances in the public subnet. The IGW is essentially the front door to our VPC. This is already done automatically, follow steps to verify. ❌💰 This step is completely free.
Go to the AWS Console → Navigate to VPC service
On the left panel, click Internet Gateways
Click Create Internet Gateway
Set the Name to
RedTeam-IGWor leave defaultClick Create Internet Gateway
Attach IGW to your VPC:
Click on the newly created IGW
Click Actions → Attach to VPC
Select
TestVPCand confirm
Configuring The Subnets With IPv6 For Public Access and IPv4 For Internal Comms
Now that your VPC is ready, we need to create a Public Subnet for internet-facing resources, Private Subnet for internal infrastructure, and configure IPv6 so public-facing instances get free public IPv6 addresses. This would have already been done automatically, follow steps to verify.
Editing the Public Subnet
This ensures that we only use IPv6 addressing, that will save us costs while using AWS. ❌💰 This step is completely free.
Go to AWS Console → VPC
Click Subnets
Click Select TestVPC-subnet-public
Click Actions → Select Edit Subnet Settings
Enable "Auto-assign IPv6 Address"
Disable "Auto-assign Public IPv4 Address"
Click Save Changes
Editing the Private Subnet
This ensures private instances only use IPv4 for internal networking. ❌💰 This step is completely free.
Go to AWS Console → VPC
Click Subnets
Select TestVPC-subnet-private
Click Actions → Select Edit Subnet Settings
Enable "Auto-assign IPv4 Address"
Click Save Changes
Updating Public Route Table for IPv6
This allows public-facing instances to communicate over IPv6. ❌💰 This step is completely free.
Go to AWS Console → VPC
Click Route Tables
Find the Route Table associated with the Public Subnet
Click Edit Routes → Add Route
Destination:
::/0(Allows all outbound IPv6 traffic)Target: Internet Gateway (IGW)
Click Save Changes
Updating Private Route Table (Ensure Internal IPv4-Only Traffic)
This ensures that private subnet instances only use IPv4 for internal networking. ❌💰 This step is completely free.
Go to AWS Console → VPC
Click Route Tables
Find the Route Table associated with the Private Subnet
Click Edit Routes → Add Route
Remove any
::/0(IPv6 CIDR for all IPs) routes if presentEnsure private IPv4 route exist (
10.0.0.0/16) for internal trafficIPv6 traffic towards local is fine
Click Save Changes
-
Admin/Logistics:
Goal and permisison
Attack plan
Domain names
In AWS:
VPC
IGW
Route Tables
Security Groups
Public and Private Subnets
AWS Pricing and Costs
All the network infrastructure set up has been free. But setting up EC2 will eventually have associated costs with it. Lets talk about money first.
Note: The steps in this guide will not incur a cost to you under the AWS Free Tier. The costs defined below are if you left the services turned on and running for a month.
-
Elastic Compute Cloud is a virtual machine built in AWS (aka The Cloud).
So it is a computer in the cloud.
-
Elastic Block Store (EBS) is a storage service that allows users to store data persistently in the cloud. EBS is used with Amazon EC2 (Elastic Compute Cloud) instances.
Aka the hard drive in the computer in the cloud
-
Amazon calls an IP address "Elastic" because it can be dynamically assigned to different EC2 instances within your AWS account, allowing you to easily move the IP address to a new instance if needed, essentially "stretching" or adapting to changing requirements, much like the concept of elasticity in physics; this is especially useful for maintaining a consistent public IP address even when replacing or scaling underlying server instances.
Compute (EC2) Costs
750 hours per month of free usage for the free tier t2.micro or t3.micro (1 vCPU, 1GB RAM)
t2.micro and t3.micro are just preconfigured hardware builds for EC2 Instances
If you run one instance continuously for a full month, you’ll use all 750 hours
If you run multiple instances, they share the same 750-hour monthly limit (e.g., two instances running 24/7 will exceed free-tier limits)
You have multiple instances planned (Bastion, C2, Redirector, etc)
Bastion Host - t3.micro - 24/7 (750 hrs) - $0 (Uses up free-tier)
Redirector - t3.micro - 24/7 (750 hrs) - $7/month
Phishing Server - t3.micro - 24/7 (750 hrs) - $7/month
Payload Server - t3.micro - 24/7 (750 hrs) - $7/month
Cobalt Strike Team Server - t3.small (Paid tier) - 24/7 (750 hrs) - $14/month
RedELK Logging Server - t3.medium (Paid tier) - 24/7 (750 hrs) - $28/month
Total = ~$63/month
Storage (EBS) Costs
Free tier provides 30GB of EBS storage
Includes up to 2 million I/O requests per month
If you use more than 30GB, you will be charged
Total: 54GB
Bastion Host: 8GB
Redirector: 8GB
C2 Server: 20GB
Phishing / Payload Server: 10GB
Evilginx: 8GB
54 GB - 30 GB = 24 GB x $0.08 = $1.92 = ~$2
Data Transfer (Networking) Costs
100GB of free outbound internet data transfer per month
Unlimited free inbound data transfer
Free AWS internal transfers (EC2 to S3, EC2 to EC2 inside the same region)
Next 10 TB $0.09, Then next 40 TB $0.085…etc
Most likely will be free but be sure to monitor your usage
Elastic IP Addresses Costs
Public IPv4 Elastic IP gives your EC2 instance access to the internet.
AWS charges $0.005 per hour and has new ways to incur cost. (source)
Public IPv6 is free, so we will use that on our public subnets
Private IPv4 is free, so we will use that on our private subnets
Grand total comes out to ~$65/month. But you’re an experienced professional and you’re going to ask for a budget of $120/month. The extra $/hours will give you the ability troubleshoot, spin up extra instances, buy more domains, etc.
Setting up the EC2 Instances
Now that the VPC, subnets, and routing are configured, we’ll start launching the required EC2 instances for your red team infrastructure.
Deploying the Bastion Host
What is a Bastion Host? It is a server at the perimeter of a network, designed to act as a single point of entry for authorized users to access a private network from the public internet. The Bastion Host will act as the jump box for accessing private infrastructure. Be placed in the Public Subnet with only an IPv6 public address.
Go to AWS Console → EC2
Click Launch Instance
Set Instance Name →
Bastion-HostSelect an AMI → Choose Ubuntu
Select Instance Type →
t3.micro(or whichever Free-tier eligible is available)
Key pair (login)
Create a new key pair:
Name:
bastion-keyType: RSA
Download the private key file (
.pem) and store it safelyOpen up a terminal to the location of the key and run:
chmod 600 ./bastion-key.pem
Network Settings
Click Edit
VPC → Select
TestVPCSubnet → Select Public Subnet (
TestVPC-subnet-public1)Auto-assign Public IP → Disabled (IPv4) (Should already be off)
Auto-assign IPv6 Address → Enabled
Firewall (security groups) → Default
Common security groups → Bastion-SG
Configure Storage (Keep Default)
Root Volume:
Size:
8GB(Free-tier eligible)Volume Type:
gp3
Enable IPv6 DNS Hostname
Enable resource-based IPv6 (AAAA record) DNS requests
This ensures the instance can be resolved via IPv6 DNS, useful for Cloudflare Tunnel.
Instance Auto-Recovery
Set to "Enabled" (Optional)
Ensures the instance restarts automatically if AWS detects a failure.
Termination Protection
Enable Termination Protection
Prevents accidental deletion of your Bastion Host.
Spot Instance (Optional for Cost Savings)
If you want to save money, select Spot Instances
Downside: AWS may terminate the instance anytime if capacity is needed.
Metadata Version
Keep "V2 only (token required)" enabled
Helps secure against metadata-based attacks.
Update Public-SG
Click on Security Groups
Pick the Public-SG
Click Edit inbound rules
Update settings to:
Type: SSH
Source: Custom (Bastion-SG)
Description: SSH from Bastion
Installing Cloudflare Tunnel
note: I couldn’t get a free Cloudflare Tunnel from this ipv6-only environment (maybe the issue) so skipping for now. Meaning our Bastion Host will have SSH exposed to the internet.
Sign up for Cloudflare and log in
Compute (Workers) > Workers & Pages
Hello World
Deploy
Received subdomain (robert-e43.workers.dev)
Go to Cloudflare Zero Trust
Note: I cancelled at the add payment options section and then was redirected back to the dashboard, where I was able to just click back into Zero Trust to get to that dashboard /shrug
Click Create a tunnel
Click Select cloudflared
Set Name: testvpc-ssh
Click Save tunnel
Cloudflared will be installed to your EC2 later
Click Next
Set:
Subdomain: testvpc-ssh
Domain: robert-e43.workers.dev
Type: SSH
URL: localhost:22
Click Save tunnel
run the following commands:
curl -fsSL https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 -o cloudflared
chmod +x cloudflared
sudo mv cloudflared /usr/local/bin/
Connect to your Bastion Host
Once you’ve confirmed connectivity to your Bastion Host you’re ready to move on to deploy the redirector
ssh -i bastion-key.pem ubuntu@[IPv6-ADDRESS]
mkdir bastion-host
This just helps me keep track of which box I’m on.
Deploying the Redirector
Now that direct SSH access to the Bastion Host over IPv6 is working, we’ll set up the Redirector, which will hide your C2 server's real IP, act as a middleman to route traffic between targets and the real C2 server, and be placed in the Public Subnet with IPv6 for public access
Go to AWS Console → EC2 → Launch Instance
Set Instance Name →
RedirectorSelect an AMI → Choose Ubuntu
Instance Type →
t2.micro(Free-tier eligible)
Key pair (login)
Create a new key pair:
Name:
redirector-keyType: RSA
Download the private key file (
.pem) and store it safely
Network Settings
Click Edit
VPC → Select
TestVPCSubnet → Select Public Subnet (
TestVPC-subnet-public1)Auto-assign Public IP → Disabled (IPv4) (Should already be off)
Auto-assign IPv6 Address → Enabled
Firewall (security groups) → Select existing security group
Common security groups → Public-SG
Configure Storage (Keep Default)
Root Volume:
Size:
8GB(Free-tier eligible)Volume Type:
gp3
Enable IPv6 DNS Hostname
Enable resource-based IPv6 (AAAA record) DNS requests
This ensures the instance can be resolved via IPv6 DNS, useful for Cloudflare Tunnel.
Instance Auto-Recovery
Set to "Default"
Ensures the instance restarts automatically if AWS detects a failure.
Purchasing option
Set to Spot Instances
Optional for cost savings. Downside: AWS may terminate the instance anytime if capacity is needed.
Click Customize Spot Instance options
Request type: Persistent
Interruption behavior: Stop
Metadata Version
Keep "V2 only (token required)" enabled
Helps secure against metadata-based attacks.
Connect to your Redirector
Transfer the redirector-key.pem to our Bastion Host
scp -i bastion-key.pem ./redirector-key.pem ubuntu@\[IPV6_Address\]:/home/ubuntu/bastion-host/redirector-key.pemnote: the \[ and the \] must be included. You have to enclose IPv6 addresses in brackets and brackets have to be escaped with slashes
ssh -i bastion-key.pem ubuntu@<bastion ipv6 address>
ssh -i redirector-key.pem ubuntu@<redirector ipv6 address>
mkdir redirector
Deploying the C2 Server
Go to AWS Console → EC2 → Launch Instance
Set Instance Name →
C2-ServerSelect an AMI → Choose Ubuntu
Instance Type →
t2.micro(Free-tier eligible)Create a new key pair:
Name:
c2-keyType: RSA
Download the private key file (
.pem) and store it safely
Click Network settings Edit
VPC → Select
TestVPCSubnet → Select Private Subnet (
TestVPC-subnet-private1)Auto-assign Public IP → Disabled (IPv4 and IPv6)
Firewall (security groups) → Select existing security groups
Common security groups → Private-SG
Click Storage (volumes) Advanced
Size:
20GBVolume Type:
gp3Click AdvancedEncryption: Enabled (optional)
Transfer c2-key.pem to your Bastion Host
scp -i bastion-key.pem ./c2-key.pem ubuntu@\[IPV6_Address\]:/home/ubuntu/bastion-host/c2-key.pem
ssh -i bastion-key.pem ubuntu@[bastion-ipv6]
chmod 600 ~/bastion-host/c2-key.pem
Installing and Configuring Cobalt Strike
Our C2 server is in the private network with no routes to the internet. After Googling “download offline apt packages” I found this stackoverflow discussion. The following will use the Bastion Host to download offline packages for dependencies we need for Cobalt Strike. Then, we will transfer them to the C2 server with scp.
On your Bastion Host download openjdk-11-jdk
ssh -i bastion-key.pem ubuntu@[bastion-ipv6]
mkdir openjdk-11-jdk && cd openjdk-11-jdk
PACKAGES="openjdk-11-jdk"
apt-get download $(apt-cache depends --recurse --no-recommends --no-suggests \ --no-conflicts --no-breaks --no-replaces --no-enhances \ --no-pre-depends ${PACKAGES} | grep "^\w")
cd ../
scp -i c2.pem ./openjdk-11-jdk/*.deb ubuntu@[private_ipv4]:~/openjdk-11-jdk
SSH into the C2 Server:
ssh -i c2-key.pem ubuntu@[c2-private-ipv4]
cd openjdk-11-jk
sudo dpkg -i *.deb
exit
On your Bastion Host download openjdk-11-jre
mkdir openjdk-11-jre && cd openjdk-11-jre
PACKAGES="openjdk-11-jre"
apt-get download $(apt-cache depends --recurse --no-recommends --no-suggests \ --no-conflicts --no-breaks --no-replaces --no-enhances \ --no-pre-depends ${PACKAGES} | grep "^\w")
cd ../
scp -i c2.pem ./openjdk-11-jre/*.deb ubuntu@[private_ipv4]:~/openjdk-11-jre
SSH into the C2 Server:
ssh -i c2-key.pem ubuntu@[c2-private-ipv4]
cd ./openjdk-11-jre
sudo dpkg -i *.deb
exit
On your Bastion Host download all others dependencies:
mkdir other-dependas && cd other-dependas
apt download iptables unzip screen net-tools tcpdump socat
cd ..
scp -i c2.pem ./other-dependas/*.deb ubuntu@[private_ipv4]:~/other-dependas
SSH into the C2 Server:
ssh -i c2.pem ubuntu@[c2-private-ipv4]
cd other-dependas
sudo dpkg -i *.deb
exit
exit
These steps are to transfer and install the C2 server of your choice. Now on your local host (these steps are specific to me):
scp -i ./bastion-key.pem ./CobaltSrike.7z ubuntu@\[bastion_ipv6\]:~/bastion-host
SSH into your Bastion Host
ssh -i bastion-key.pem ubuntu@[bastion-ipv6]
sudo apt install 7zip
7z x -p{password} CobaltStrike.7z
scp -i c2.pem ./cobaltstrike/* ubuntu@[private_ipv4]:~/cobaltstrike
SSH into your C2 Server
ssh -i c2.pem ubuntu@[c2-private-ipv4]:~/cobaltstrike
sudo su
./teamserver 10.0.129.15 cyberforks
CTRL+Z
bg
jobs
Configuring the Redirector for C2 Traffic
Now that the redirector is running, we need to configure it to forward traffic to the real C2 server. This setup ensures that the real C2 server remains hidden while all implant traffic flows through the redirector. For Cobalt Strike, IPTables is the preferred method because it is fast and lightweight.
SSH into your Bastion Host:
ssh -i bastion-key.pem ubuntu@[bastion-ipv6]
SSH into your Redirector:
ssh -i redirector-key.pem ubuntu@[redirector-ipv6]
Find the private IPv4 of your C2 Server
Set up IPTables to forward C2 Traffic, be sure to replace with your own private IPv4. This forwards all traffic hitting [redirector-ipv6]:443 to the C2 Server's private IPv4 on port 443.:
note: adjust the port (443) if needed for your Cobalt Strike listener. you will have to run this every time the redirector is set up.
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.0.129.15:443
sudo iptables -t nat -A POSTROUTING -p tcp --dport 443 -j MASQUERADE
Verify IPTables rules were applied:
sudo iptables -t nat -L -v
Setting up Cobalt Strike Client on Operator Host
Set up SSH Tunneling into your Bastion Host and Using the SSH session.
note: you cannot close out of this session or you will lose connection to the C2 server.
ssh -i bastion-key.pem -L 50050:[c2-private-ip]:50050 ubuntu@[bastion-ipv6]
Open up Cobalt Strike client on your Operator Host
Host: 127.0.0.1
Port: 50050
Password: cyberforks
Go to Listeners → Add
Type: HTTPS
Host:
[redirector-ipv6]Bind Port:
443Click Save
Run from Redirector
nc -vz [c2-private-ip] 443
Troubleshooting steps I took (unpolished):
From your C2 Server:
sudo netstat -tulnp | grep 50050
tcp6 0 0 :::50050 :::* LISTEN 1404/./TeamServerI
if no, then start your teamserver
From Local Machine
ps aux | grep ssh
robert 14152 0.0 0.0 410781280 3232 s000 S+ 2:27PM 0:00.15 ssh -i bastion-key.pem -L 50050:10.0.129.15:50050 ubuntu@[bastion_ipv6]
if do not see the SSH tunnel, start the SSH tunnel again.
netstat -an | grep 50050
tcp6 0 0 ::1.50050 *.* LISTEN
tcp4 0 0 127.0.0.1.64828 127.0.0.1.50050 ESTABLISHED
if not present then restart ssh tunnel
From From Bastion Host
sudo tcpdump -i any port 50050
this will show you any communication coming across for port 50050 (from operator host to bastion host to C2 server)
From Local Machine:
nc -vz 127.0.0.1 50050
Connection to 127.0.0.1 port 50050 [tcp/*] succeeded!
On your Bastion Host you should see some traffic come in
Cost Summary After Setup + Troubleshooting
After setting all of this up along with troubleshooting and keeping everything on and running I was still under the Free Tier usage for all services.
Future blogs will walkthrough setting up a victim lab and more which will cover
Beacons
Domain name in redirector
Change default user
CDNs as redirectors
Apache as redirector (/rofl/ URI)
Phishing / Evilginx
aws cli
persistence spot instance start up script
Terraform
Ansible
Freenom for domain