bluscreenofjeff/red-team-infrastructure-wiki

4,480 · Audience · ops, devops · Complexity · 4/5 · Setup · hard

TLDR

A wiki for authorized security professionals on how to build resilient red team infrastructure, covering redirectors, domain selection, and traffic hiding so a single discovery does not expose the whole operation.

Mindmap

mindmap
  root((red-team-wiki))
    Infrastructure design
      Segmented servers
      Redirectors
      Resilient operations
    Traffic types
      Web HTTP
      DNS queries
      Email phishing
    Techniques
      Domain selection
      Traffic redirection
      Third-party services
    Tools referenced
      Cobalt Strike
      Empire framework

Things people build with this

USE CASE 1

Design a modular red team engagement with separate servers for phishing, payload hosting, and command-and-control so one discovery does not unravel everything.

USE CASE 2

Set up HTTP and DNS redirectors so that any traffic a defender discovers leads back to a disposable redirector rather than to the core team server.

USE CASE 3

Find and register expired domains with clean history to make red team traffic blend in with legitimate web activity.

USE CASE 4

Configure web server redirection rules (for example Apache mod_rewrite) so that only requests matching the expected C2 pattern are proxied to the team server, while everything else is sent to a benign site during an authorized engagement.

Tech stack

Cobalt Strike · Empire · DNS · HTTP · SMTP

Getting it running

Difficulty · hard · Time to first run · 1 day+

This is a documentation resource, not a ready-to-run tool. Following it requires cloud servers, domain purchases, and solid knowledge of network protocols.

License terms are not described in the explanation; check the repository directly.

In plain English

This is a wiki for security professionals who conduct authorized red team engagements: simulated attacks against organizations that have hired them to test their defenses. A red team tries to act like a real attacker so that the organization can find and fix weaknesses before a real one does. The wiki collects guidance on building the technical infrastructure that supports those engagements.

The core idea is that a red team's servers and tools should be built to survive detection. If the defending team discovers one piece of infrastructure, the red team should be able to replace it quickly without losing the whole operation. The wiki explains how to separate functions, such as sending phishing emails, hosting payloads, and command and control (the channel compromised hosts use to call back to the operators), onto different machines so that no single discovery unravels everything.

A key technique is the use of redirectors: intermediate machines that sit between the red team's core servers and the target network, so the target only ever sees a redirector's address. If a defender blocks or investigates one redirector, the core server is untouched and a new redirector can be stood up in its place. The wiki walks through setting these up for different types of traffic, including web requests, DNS queries, and email.

The domain selection section explains how to find expired domains with a legitimate-looking history that are available to register. Domains with age and a benign categorization are less likely to be flagged by automated web-filtering and reputation tools. There is also coverage of configuring web servers to redirect traffic in ways that hide the real destination (passing only requests that match the expected C2 pattern through to the team server and sending everything else to a benign site), and of using third-party services to disguise outbound connections.

The wiki references tools like Cobalt Strike (commercial) and Empire (open source), command-and-control frameworks used by professional red teams during authorized engagements. It was originally created to accompany a conference talk on hardening red team infrastructure and has since been expanded by community contributions.
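The redirector idea above is easiest to see in the Apache mod_rewrite rules that implement it: two conditions describe what implant traffic looks like, one rule reverse-proxies matching requests to the team server, and a catch-all rule sends everything else to a harmless site. The following is an added example written for this page, not code from the wiki or its authors. The team server address, decoy URL, request paths and User-Agent are constructed placeholders standing in for a real C2 profile, and the `classify` function is an offline mirror of the ruleset's decision, not something Apache provides.

```python
"""Generate an Apache mod_rewrite ruleset for an HTTP redirector and check
offline which requests it would proxy to the team server.

Added example, not code from the red-team-infrastructure-wiki. All hosts,
URIs and the User-Agent below are constructed placeholders.
"""
import re

TEAM_SERVER = "10.0.0.5"                 # placeholder; the address the target must never see
DECOY_URL = "https://www.example.com/"   # benign site that receives non-matching traffic
C2_URIS = ["/api/v1/status", "/images/logo.png"]   # constructed sample profile
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Trident/7.0"

# Characters that must be backslash-escaped so the PCRE pattern matches them
# literally. Spaces and parentheses in a User-Agent are the usual mistake.
_META = set(r"\.^$|?*+()[]{} ")


def rewrite_escape(literal: str) -> str:
    """Escape a literal so a mod_rewrite pattern matches it exactly."""
    return "".join("\\" + c if c in _META else c for c in literal)


def build_htaccess(team_server: str, decoy_url: str, uris, user_agent: str) -> str:
    """Return mod_rewrite rules: proxy matching requests, redirect the rest.

    Each RewriteCond applies only to the RewriteRule directly after it, so the
    two conditions gate the [P] rule and the catch-all sees everything that
    failed either condition. Patterns are quoted so Apache's config parser
    keeps each one as a single argument even though it contains spaces.
    """
    uri_alt = "|".join(rewrite_escape(u) for u in uris)
    lines = [
        "RewriteEngine On",
        f'RewriteCond %{{REQUEST_URI}} "^({uri_alt})/?$"',
        f'RewriteCond %{{HTTP_USER_AGENT}} "^{rewrite_escape(user_agent)}$"',
        # [P] reverse-proxies to the team server (needs mod_proxy and
        # mod_proxy_http); the target only ever talks to the redirector.
        f"RewriteRule ^.*$ http://{team_server}%{{REQUEST_URI}} [P]",
        # Anything else: 302 to the decoy. The trailing '?' drops the query string.
        f"RewriteRule ^.*$ {decoy_url}? [L,R=302]",
    ]
    return "\n".join(lines) + "\n"


def classify(request_uri: str, user_agent: str, uris=C2_URIS, c2_ua=C2_USER_AGENT) -> str:
    """Mirror the ruleset's decision for one request.

    Returns "teamserver" when both conditions match (request proxied) and
    "decoy" otherwise. REQUEST_URI never includes the query string, so it is
    stripped before matching, as Apache does.
    """
    path = request_uri.split("?", 1)[0]
    uri_pattern = "(" + "|".join(rewrite_escape(u) for u in uris) + ")/?"
    if re.fullmatch(uri_pattern, path) and re.fullmatch(rewrite_escape(c2_ua), user_agent):
        return "teamserver"
    return "decoy"


if __name__ == "__main__":
    print(build_htaccess(TEAM_SERVER, DECOY_URL, C2_URIS, C2_USER_AGENT))
    # Constructed requests: the implant's, a scanner's, and a browsing user's.
    samples = [
        ("/api/v1/status?id=7", C2_USER_AGENT),
        ("/api/v1/status", "Nmap Scripting Engine"),
        ("/", "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"),
    ]
    for uri, ua in samples:
        print(f"{uri:<22} {ua[:34]:<34} -> {classify(uri, ua)}")
```

Matching on path and User-Agent is the minimum that makes the redirector useful; published rulesets usually check further headers from the profile as well. The offline check only confirms the pattern logic; still run `apachectl configtest` and send real requests through the redirector with and without the expected User-Agent before pointing implants at it.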

Copy-paste prompts

Prompt 1
Walk me through setting up a Cobalt Strike redirector using Apache mod_rewrite so the team server IP stays hidden from defenders.
Prompt 2
How do I find expired domains with good reputation history for a red team phishing campaign? What tools and criteria should I use?
Prompt 3
Explain the concept of infrastructure segmentation for red team operations: what goes on the redirector versus the team server and why.
Prompt 4
Show me how to configure a DNS redirector that forwards DNS C2 traffic to my team server while keeping the server address hidden.
Prompt 5
What third-party services can a red team use to disguise outbound connections, and how does the wiki recommend setting them up?