C2 traffic may be blocked in an organization that uses a web proxy, because of the following features that often come with web proxies:
- web categorization: The domain name used for an engagement may become filtered due to web categorization. Red team operators must either use another domain name or find a way to recategorize the domain.
- HTTPS offloading: C2 HTTPS beacon traffic may be inspected in plain text due to HTTPS offloading. Certificate pinning can circumvent the inspection, but often at the cost of being blocked completely by the proxy.
- content filtering & antivirus: Some organizations may choose to filter content at a performance penalty. Others may choose to filter requests based on filenames (e.g. exe, bat, dll, ps1), which may affect payload delivery.
- web proxy authentication: Some web proxies require authentication, and AD integration is one of the most common ways to implement this. When AD integration is enabled, only actual domain users can use the web proxy, whereas machine accounts (e.g. COMPUTER$, SYSTEM) are often excluded from access. In this case, we can use a peer-to-peer beacon as SYSTEM, or use a DNS beacon to bypass the restriction.
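The filename-based filtering and the AD-authentication rule described above are also what a defender can check for in proxy logs. The following is an added example (not from the original note, and not tied to any real proxy product): it triages constructed access-log lines in a simplified `<ip> <user> <method> <url> <status>` format, flagging downloads of filtered file types, web requests from machine accounts (names ending in `$`), and requests rejected with HTTP 407.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines in a simplified, hypothetical proxy format:
# <client_ip> <authenticated_user> <method> <url> <status>
LOG_LINES = """\
10.0.0.5 CORP\\alice GET https://intranet.example.test/index.html 200
10.0.0.5 CORP\\alice GET https://files.example.test/update.exe 200
10.0.0.9 - CONNECT updates.example.test:443 407
10.0.0.9 CORP\\WS01$ GET http://cdn.example.test/agent.ps1 403
10.0.0.12 CORP\\bob GET https://docs.example.test/report.pdf 200
""".splitlines()

# File types the note says some proxies filter on.
BLOCKED_EXTENSIONS = {"exe", "bat", "dll", "ps1"}

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<user>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)

@dataclass
class Finding:
    ip: str
    user: str
    url: str
    reason: str

def extension_of(url: str) -> str:
    """Lower-cased extension of the URL path, ignoring query string and fragment."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    last = path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""

def is_machine_account(user: str) -> bool:
    # AD machine (computer) accounts end in '$', e.g. WS01$; '-' means unauthenticated.
    return user.endswith("$")

def triage(lines):
    """Return one Finding per rule that a log line trips."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ip, user, url, status = m["ip"], m["user"], m["url"], int(m["status"])
        ext = extension_of(url)
        if ext in BLOCKED_EXTENSIONS:
            findings.append(Finding(ip, user, url, f"download of filtered type .{ext}"))
        if is_machine_account(user):
            findings.append(Finding(ip, user, url, "machine account attempted web access"))
        if status == 407:
            findings.append(Finding(ip, user, url, "request rejected by proxy authentication"))
    return findings
```

On the sample lines above, `triage(LOG_LINES)` yields four findings: the `.exe` download, the 407 from the unauthenticated client, and two for the machine account fetching a `.ps1`.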