Mastering Modern Red Teaming Infrastructure — Part 1: Leveraging Old Domains and Reclassification for Reputation-Based Bypasses
In the world of modern red teaming, infrastructure is king. The ability to evade security controls, minimize detection, and deliver payloads or phishing campaigns successfully often relies on well-thought-out infrastructure components. One of the most powerful yet often overlooked techniques is acquiring old domains with established reputations, and reclassifying them where needed, to bypass reputation-based security mechanisms.
In this article, part of the “Mastering Modern Red Teaming Infrastructure: Building Resilient and OPSEC-Focused Campaigns” series, we will explore why old domains and reclassification are effective, what security mechanisms they bypass, and provide a step-by-step hands-on practical implementation for building and testing your bypass infrastructure.
Table of Contents
- Why Use Old Domains and Reclassification in Red Team Operations?
- What Can You Bypass with Old Domains and Reclassification?
- Hands-On Practical Implementation: Integrating Old Domains into Campaigns
- Final Thoughts
Before we proceed, let us make a commitment. This red team series content is intended for educational purposes only. 😛

Why Use Old Domains and Reclassification in Red Team Operations?
When adversaries launch malicious campaigns, newly registered domains (NRDs) are immediately flagged by modern security solutions, often leading to quick detection and blocking. Old domains, on the other hand, carry a history of legitimacy, making them trusted by default in various reputation-based security systems.
Acquiring old, high-reputation domains gives red teams a significant edge by:
- Evading spam and phishing filters for email delivery.
- Bypassing DNS filtering solutions that flag suspicious domains.
- Avoiding detection in web content filtering systems (e.g., web proxies).
- Delaying analysis by security tools like firewalls, sandboxes, and endpoint detection platforms.
This trusted infrastructure allows for seamless payload delivery, successful phishing campaigns, and robust C2 (Command and Control) operations without immediate suspicion.
What Can You Bypass with Old Domains and Reclassification?
1. Email Spam and Phishing Filters
Tools Affected: Microsoft Defender for Office 365, Proofpoint, Mimecast
Email security solutions heavily rely on domain reputation. Newly registered domains or domains flagged in threat intelligence feeds are quickly filtered or blocked.
Old Domains: Emails sent from an old, reputable domain are more likely to reach inboxes. This drastically increases the success rate of phishing emails for credential harvesting, malware delivery, or session hijacking.
2. DNS-Based Security Solutions
Tools Affected: Cisco Umbrella (OpenDNS), Cloudflare Gateway, Palo Alto DNS Security
Modern DNS filtering solutions identify and block NRDs or domains with poor reputations to prevent malicious activity.
Old Domains: Trusted domains bypass DNS blocklists, enabling payload downloads or secure C2 communications.
3. Web Content Filtering and Proxy Solutions
Tools Affected: Bluecoat, Zscaler, Fortinet, Forcepoint
Organizations deploy content filters to block access to malicious or uncategorized websites.
Reclassification: An old domain can be reclassified to a trusted category (e.g., “Technology” or “Business”), allowing payload hosting or phishing pages to bypass filtering controls seamlessly.
Example: Hosting a malicious payload on example-techsolutions.com classified as a tech site will often evade web proxies.
4. Firewall and Next-Generation Firewalls (NGFWs)
Tools Affected: Palo Alto Networks, FortiGate, Check Point
Reputation-based firewalls monitor outbound and inbound traffic, blocking communication with known malicious domains or NRDs.
Old Domains: Firewalls are less likely to flag traffic to/from trusted old domains. This is particularly useful for C2 beaconing or exfiltration.
5. Endpoint Detection and Response (EDR) Solutions
Tools Affected: CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint
EDRs monitor URLs and domains used for payload staging or C2 communication.
Old Domains: An old domain’s clean history avoids immediate flagging, buying red team operators time for successful execution.
6. Threat Intelligence and Sandboxing Solutions
Tools Affected: VirusTotal, Hybrid Analysis, FireEye
Threat intelligence platforms quickly identify NRDs or suspicious domains during sandbox inspections.
Old Domains: Trusted domains evade these detections, reducing immediate alerts or automated reporting.
Hands-On Practical Implementation: Integrating Old Domains into Campaigns
This section will guide you through the step-by-step process of acquiring an old domain, configuring it for phishing and payload delivery, and integrating it with a Command and Control (C2) server to bypass modern security defenses.

Step 1: Acquire an Old Domain
1. Search for Suitable Domains:
When setting up red team infrastructure, using domain auction sites like Namecheap Auctions, GoDaddy Auctions, or ExpiredDomains.net can help identify aged domains that enhance credibility and reduce detection. Focus on domains with a high age (at least 1–3 years old), a clean history (no prior malicious activity), and prior legitimate use (such as news, business, or tech sites). For example, I leveraged ExpiredDomains.net and identified online-notifications.net, which was first observed in 2010 and has a WHOIS creation date of 2019. These characteristics suggest a well-aged domain that can bypass security filters and increase the success of phishing campaigns or command-and-control (C2) operations.

2. Verify the Domain’s Reputation:
I utilized the Wayback Machine to examine the historical usage of the domain and discovered archived snapshots dating back to 2011. This confirms that the domain is well-aged and previously hosted legitimate content related to technical topics, as shown in the image below.


Then I conducted a domain reputation check using Talos Intelligence and URLVoid, and the results confirmed that the domain is not blacklisted. All scanning engines, including antivirus (AV) and phishing detection services, reported the domain as clean. This further reinforces the domain’s credibility and suitability for use in phishing campaigns or command-and-control (C2) operations. The proof of concept (POC) below illustrates these findings.



3. Purchase the Domain:
Once I verified the domain’s credibility and reputation, I proceeded to purchase it through Cloudflare for enhanced security and ease of management. Cloudflare offers additional benefits such as:
- Privacy Protection: WHOIS privacy to keep domain ownership details confidential.
- Mask Origin IP: The true C2 redirector server IP address is hidden behind Cloudflare’s IP addresses, enhancing anonymity.
- Built-in Security: Protection against DDoS attacks and other threats.
- DNS Management: Fast and reliable DNS services.
This streamlined approach ensures that the domain remains secure and operational for red team engagements. The screenshot below illustrates the successful purchase process.
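The verification in sub-step 2 above (Wayback Machine history against the WHOIS creation date) can be scripted, and the same check belongs on the defender's side, because the NRD rule described in the “Why” section keys only on WHOIS age. The Python example below is added here and is not code from the original post. It parses the JSON output shape of the Wayback CDX API and flags an aged domain whose archive history predates its current registration by more than a year, which is the drop-and-re-register pattern that an NRD threshold alone does not see. The CDX rows, domain names, WHOIS dates and the thresholds (`nrd_days=90`, `reregistration_years=1.0`) are constructed assumptions that mirror the profile the post describes (snapshots since 2011, WHOIS creation in 2019), not values from the post.

```python
"""Added example (not from the original post): triage a domain's age history.

Reputation-based controls treat newly registered domains (NRDs) as suspicious and
aged domains as trusted. This reproduces the post's Wayback Machine + WHOIS check
and adds the signal a plain NRD rule misses: archive history far older than the
current WHOIS creation date, i.e. a domain that was dropped and re-registered.

Assumption: the CDX rows below are constructed sample data in the shape the
Wayback CDX API returns with output=json (a header row, then one row per capture
with a YYYYMMDDhhmmss timestamp). Domain names and dates are placeholders.
"""
import json
from datetime import date

HEADER = ["urlkey", "timestamp", "original", "mimetype", "statuscode", "digest", "length"]


def _row(ts):
    # Constructed capture row for the placeholder domain example-aged.net.
    return ["net,example-aged)/", ts, "http://example-aged.net/", "text/html",
            "200", "DIGESTPLACEHOLDER", "4096"]


# Constructed: archived since 2011, dormant from late 2015 to late 2019, active again afterwards.
CDX_AGED = json.dumps([HEADER] + [_row(ts) for ts in (
    "20110312081500", "20140620113000", "20151105090000",
    "20191214171200", "20210710100000", "20240402120000",
)])

# Constructed: no archive history at all, the typical profile of an NRD.
CDX_NEW = json.dumps([HEADER])


def parse_cdx_dates(cdx_json):
    """Return sorted capture dates from CDX JSON output, skipping the header row."""
    rows = json.loads(cdx_json)
    if not rows:
        return []
    ts_idx = rows[0].index("timestamp")
    dates = []
    for row in rows[1:]:
        ts = row[ts_idx]
        dates.append(date(int(ts[0:4]), int(ts[4:6]), int(ts[6:8])))
    return sorted(dates)


def longest_gap_years(dates):
    """Largest gap between consecutive captures in years (0.0 with fewer than two captures)."""
    if len(dates) < 2:
        return 0.0
    return max((later - earlier).days for earlier, later in zip(dates, dates[1:])) / 365.25


def assess_domain(domain, whois_created, cdx_json, today, nrd_days=90, reregistration_years=1.0):
    """Combine WHOIS age with archive history.

    nrd_days and reregistration_years are assumed thresholds, not values from the post.
    """
    captures = parse_cdx_dates(cdx_json)
    whois_age_days = (today - whois_created).days
    first_capture = captures[0] if captures else None
    # Captures that predate the current WHOIS creation date by more than the
    # threshold mean the name existed under an earlier registration.
    reregistered = bool(
        first_capture and (whois_created - first_capture).days / 365.25 > reregistration_years
    )
    if whois_age_days < nrd_days:
        verdict = "new: caught by NRD rules"
    elif reregistered:
        verdict = "aged but re-registered: passes NRD rules, warrants review"
    else:
        verdict = "aged with continuous history"
    return {
        "domain": domain,
        "whois_age_days": whois_age_days,
        "first_capture": first_capture.isoformat() if first_capture else None,
        "captures": len(captures),
        "longest_gap_years": round(longest_gap_years(captures), 1),
        "reregistered": reregistered,
        "verdict": verdict,
    }


DEMO_TODAY = date(2024, 6, 1)  # fixed reference date so the sample run is reproducible


def demo_results():
    """Assess both constructed samples; the WHOIS creation dates are constructed as well."""
    return {
        "aged": assess_domain("example-aged.net", date(2019, 12, 1), CDX_AGED, DEMO_TODAY),
        "new": assess_domain("example-new.net", date(2024, 5, 15), CDX_NEW, DEMO_TODAY),
    }


if __name__ == "__main__":
    for result in demo_results().values():
        print(result)
```

Run directly, the script prints one assessment per sample: the placeholder aged domain passes the NRD threshold but is marked re-registered with a four-year dormancy gap, while the placeholder new domain is caught by the NRD rule. Against a live domain, `parse_cdx_dates` would be fed the response of a CDX query of the form `https://web.archive.org/cdx/search/cdx?url=<domain>&output=json`, and `whois_created` would come from a WHOIS lookup.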

Step 2: Reclassify the Domain (Additional Tips to Maximize Proxy and Content Filter Bypass)
In some cases, an old domain may already be categorized as technical or business, which is beneficial for red team operations. Despite this, the domain might still be blocked by some proxies because the target organization applies its own domain categorization checks. To address this, identify which proxy the organization uses (and therefore which categorization engine it relies on), or manually check the domain’s categorization with these commonly used categorization services:
- FortiGuard Web Filter: https://www.fortiguard.com/webfilter
- Palo Alto Networks URL Filtering: https://urlfiltering.paloaltonetworks.com/query/
- Trend Micro Site Safety Center: https://global.sitesafety.trendmicro.com/index.php
- BarracudaCentral Lookup: https://www.barracudacentral.org/lookups/lookup-reputation
- Blue Coat Site Review: https://sitereview.bluecoat.com/
If the domain is categorized as “Phishing,” “New Domain,” or “Malicious,” consider hosting a legitimate-looking business page on the domain with an SSL certificate configured, then submitting a reclassification request through these services to improve the domain’s reputation. This approach has proven effective for me, allowing me to bypass custom proxy filters during red team engagements.

Below are the POCs for reclassifying my online-notifications.net domain.




Step 3: Link the Domain to a C2 Server
This crucial step involves configuring your acquired old domain as part of a Command and Control (C2) infrastructure. While the detailed process will be covered in an upcoming post, here’s an overview:
- Set Up a C2 Server (To be detailed in the next post): Deploy a framework like Sliver to manage payloads and beacons.
- Configure DNS Records (Next post): Set up A and CNAME records, and secure communication using SSL certificates (e.g., Let’s Encrypt).
- Test C2 Communication (Next post): Verify the domain’s connection to your C2 by generating and testing beacon payloads.
Final Thoughts
In red teaming, every detail matters. Success hinges on meticulous planning, precise execution, and a deep understanding of how to outmaneuver modern security controls.
This practical implementation demonstrates how acquiring and configuring an old domain with reclassification enables you to bypass email filters, DNS security, and web proxies while maintaining OPSEC-focused C2 communications. By strategically leveraging old domains, red teams can remain under the radar, improving campaign success rates and minimizing detection risks.
Part 2: Building Stealthy C2 Infrastructure with Sliver and Redirector

If you find this blog useful, don’t forget to hit the clap button and follow the blog.
Sr. Cyber Security Consultant at Resilience.
Certifications:
OSEC3, CRTL, CRTO, OSCP, OSEP, OSWE, OSED, eMAPT … Others
Follow me on LinkedIn & Twitter (X) to stay updated and learn new things.
Bye Bye, Take Care.