This webcast was originally published on January 11th, 2023.
In this video, John and Greg discuss the intricacies of setting up and protecting red team infrastructure using Cobalt Strike, AWS, and Azure. They delve into the details of using redirectors, securing C2 servers, and the importance of proper traffic restrictions to avoid detection. The session highlights their experiences and lessons learned from previous red team engagements, showcasing their approach to developing resilient and covert operational frameworks.
- The webinar showcases the creation of a comprehensive red team course incorporating tactics from previous engagements and using AWS and Azure for setting up real-life red team infrastructure.
- The course aims to provide hands-on training on offensive development, focusing on setting up and protecting C2 infrastructure using advanced techniques like traffic restrictions and header modifications.
- Participants will gain practical experience by setting up a Cobalt Strike server, configuring redirectors, and implementing security measures to protect against detection and maintain operational longevity.
Transcript
Ryan
Hey, everybody, it’s double ASLR. Once again on a Wednesday, first Wednesday of the year. I’ve got John and Greg here. Say hi, John and Greg.
Greg Hatcher
Hi, John and Greg.
Ryan
Perfect, perfect.
John Stigerwalt
Sorry.
Ryan
I’m typing thing and what are you going to show us? You’re going to show us some red team stuff, right, John? John is going to show us some red team stuff.
John Stigerwalt
Yep. I’ll do a live example of some stuff right from our course. It’s pretty cool.
Ryan
Basically what he’s talking about is going to be from our upcoming summit, which I’m going to put that on screen right now and I’ll get a link for that in the chat.
Go ahead, John.
John Stigerwalt
Yeah, basically it’s just a primer real quick like kind of a little small teaser. Take a Cobalt Strike server or redirector. We’ll do some cool mod_rewrites and we’re going to hide it basically from the world. We’re gonna protect it too with some neat little header restrictions.
So just nice little teaser on how the course is gonna look. So we teach the offensive dev, and we’ve done it a bunch last year and some of the biggest things we’ve always had or questions we’ve had is, hey, C2 infrastructure, what do we do here?
We’re missing a really good red team course. So we said, hey, we’ll go ahead and make one. Why not? So we spent a year making it and we took the best tactics from all of our previous red team engagements we’ve done over the last year and over the previous years and all of our experience.
And we made a course, basically a primer, and using AWS and Azure, setting up Cobalt Strike, running a real live team, real red team live infrastructure. And then we’ll do an attack path at the end of the course.
So we’re going to try to train this all in the two days. We have no idea how it’s going to go. And that’s about it.
Greg Hatcher
Yeah. Hey, John, do I start like a high level slide and then I’ll go into AWS and then you can show the, the mod_rewrite and ProxyPass stuff.
John Stigerwalt
Yep. Love it.
Greg Hatcher
Okay, cool. You guys, you guys get one slide. That’s the entire slide deck, so. Okay, Ryan, see that?
Ryan
Yeah, it’s up.
Greg Hatcher
All right. That’s the one slide that you guys get for this webinar. So this is our attacker box. So this will be like whatever you’re using. If you’re a red teamer, Windows, Mac, doesn’t really matter.
So this is your victim. Your victim clicks like a phish, maybe like a payload detonates, it reaches out to a redirector. We have AWS here. That’s just what we use. We use Azure as well. It doesn’t really matter.
Some kind of cloud environment. You can use GCP, Oracle if you really want to be cutting edge. Yeah, so anyways, so our redirector isn’t as protected as the C2 server is.
That’s an understatement. The C2 server is very protected. So the redirector is sitting out here, and then certain rules have to be met for traffic to be passed to the C2 server from the redirector.
This is public facing. This is not public facing. So the C2, the C2 server is sitting in its own private subnet. There’s going to be three things that John goes over. Three restrictions of traffic that is allowed to go to the C2 server once it hits the redirector and then the attacker box.
Inbound traffic is restricted via IP. So you’ll actually have your red teamers, your public IPs whitelisted on this AWS or Azure firewall.
So if that’s for a TCP port, the default Cobalt Strike agent port is going to be 50050. You can change that. It’s pretty highly configurable and I’m going to actually show you guys AWS stuff.
John Stigerwalt
Hey Greg, actually want to go back to that for a second real quick?
Greg Hatcher
Absolutely.
John Stigerwalt
I want to touch on something really cool. So just so you guys know, we help a lot of other red teams out as well.
This is a really important aspect. So we know the victim is going to reach out over HTTPS. Right. That’s for 443. Or say they hit 80, the redirected 443. We’re only accepting beacons on HTTPS.
Right. So it’s going to hit the redirector. So that nice little cast of their AWS. Really cool. So Greg, you can’t really see here in the slide very well. And we’ll change this on the course stuff. We’re still grading slides because we, this is the last thing we do.
But if you see that the private subnet, the redirector only talks to the C2 server on a private AWS subnet. And that’s really key critical. It’s talking over TLS.
So no one else, no man in the middle is going to happen. So when we do, we have a really nice Terraform script. This will all be public once the course goes live on our GitHub, so stay tuned there.
But basically what we do is we set up a C2 server and a redirector all in the same subnet. And then the redirector can only talk to that C2 server and vice versa. And that’s really important. We’re not shooting tunnels across with SSH where it’s all trackable.
Actually, if you look at the redirector, it just does a ProxyPass mod_rewrite to the C2 server. So it’s really slick stuff and we actually use it on red teams. My longest live red team redirector has been going over for a year now and still never been busted with this exact attack path here.
So really cool stuff. I know there’s a thousand different ways to do it. This is just one way we do, we just do these crazy VPN configurations, these split ssh tunnels. Honestly, we found that this just comes out to be the most easiest way.
And it keeps your infrastructure alive, it keeps you going in the game for the red team. Because we all know some red teams. I mean we’re talking UK based the last eight to twelve weeks typically in the last year. In this year we’ve seen US engagements between four to six weeks.
So it’s fast paced. So we’re not just using one redirector, we’re using five, six. So our Terraform scripts can be expanded on and this can be configured in multiple ways. But in the case you’re going to see today, this redirector is going to talk over port 4443.
Everything’s Dockerized. It’s highly configurable and it’s up in minutes. So we actually help other red teams across the globe. We sell buckets of hours and we help configure this exact type of setup and keep them, keep them alive so that we’re going to teach us in this course.
Greg Hatcher
So the brains of the entire operation is going to be the redirector. This is where all the intelligence sits. However, it’s also the part that’s going to be burned is highly burnable. So it needs to be set up fast.
So that gets what John was talking about by being able to spin it up via Terraform quickly. Now I’m going to show you this stuff in AWS.
Just 1 second guys. I drag some tabs around here.
John Stigerwalt
So while he’s doing that, guys, so really cool stuff though. Something you won’t see in this, in this primer here, is we actually use a lot of CDNs, like Azure, stuff like that. We also put stuff in front of our redirectors and you can do really cool stops and checks there as well.
IPs, cookies, headers on top of the CDN to really help protect your beacons and keep stuff alive. So really cool.
Greg Hatcher
Okay, so this is our Cobalt Strike server. And this is just infrastructure that we spun up just for this webinar. So this is going to be burned down afterwards. So if you’re like taking notes on how to get to us, go ahead.
So this is the private subnet that our redirector in AWS is sitting in. So as you can see here, any port on a box within this private subnet can talk to our Cobalt Strike server, and this is a public IP address of a red teamer on our team that can talk to this Cobalt Strike server box over 50050.
That’s awesome. Now let’s look at the redirector. Excuse me. Security. This is the redirect. Remember, this is like the brains of the operation.
So basically, world, the whole world can see it over 80. The whole world can see it over 443 and over 22 as well. So this is highly exposed.
Cool, right?
John Stigerwalt
No, no, it’s correct. So we don’t whitelist our SSH, nor do we really care to, right? I mean, there’s no information you’re going to gather from that, from just a, basically, AWS Ubuntu default install.
We don’t even add correct ciphers or security hygiene there. Personally it’s. Everything’s just locked down with keys. Right? There’s no passwords, none of that crap. But 80 and 403 have to be open. It looks like a typical web server.
Right? So, and that’s just assisted the start. This is all compatible with, with Terraform. So that’s exactly how building it. Greg, did you ask me about that rule there? So if you see that 10.100 rule, this rule doesn’t.
Yeah. Why would you whitelist both hosts across the VPC? And, pretty funny at this. Pure laziness, just copying rules across Terraforms.
Greg Hatcher
Yeah. So just, just to reiterate, this rule is nonsensical and does not need to be here. This is only for the Cobalt Strike server, not for the redirector.
John Stigerwalt
Yeah, Greg, if you jump over to the Cobalt Strike server, we can show them additional things, what we’ll do. Right now this is still test mode, guys. There’s a lot. I mean, you could do so much more additional stuff here.
But if you look, yeah, you can see we’re whitelisting the subnet here. So anybody inside 10.10 on our private subnet here can talk to the Cobalt Strike server.
We can, the Terraform script can obviously handle whitelisting individual IPs here and ports. So in this case here, the only port we need to talk over is our C2 bind port, which is 4443.
And that’s based on the Docker container because we want to be able to support, obviously your team server or your Cobalt Strike server needs to be able to support more than one redirector. That’s why your next port for an instance would be 4444, for example.
Or 4445. You can do whatever you want. So. And then Docker will just host those ports open. We usually ten, so. And that Docker is based on Warhorse. That’s on our GitHub now. But the README page, it says direct phones, so the document has not been updated, but it will be.
It’ll be before the class goes live.
Greg Hatcher
Yeah. What’s the name of the dude that did Warhorse? We talked to him at Wild West Hackin’ Fest in San Diego.
John Stigerwalt
Yeah, he’s the one who said, Yeah,
Greg Hatcher
Oh, right now?
John Stigerwalt
Yeah, m. It’s a good question. Anyway, he works at black credit for Docker. Yeah. So we’ve made some slight modifications because he likes to update on Cobalt Strike. We don’t.
So I put a nice little file tag in there that says, if the file’s created, don’t update on Cobalt Strike anymore because that breaks and breaks your red team engagement. Get the reboot and update.
So.
Greg Hatcher
All right. Want to go over the, the ProxyPass, mod_rewrite rules now?
John Stigerwalt
Yep. Let’s do it. All right, you guys, you see my screen here?
So real cool. Yeah, real cool with the Docker stuff. Everything’s going to look up out of the opt drive, so. And everything’s out of Cobalt Strike. So we do the CS profile. This comes from the F-Secure land, so they’ll understand exactly what we’re doing here.
So just the naming convention. So, I’m not going to get into the Cobalt Strike profile. This is way out of scope here. But you can see here we’re doing a naming convention. 1 second here of, GET and POST.
Now this is really important. Now you can support any Cobalt Strike profile here with these mod_rewrite rules. It’s really customizable. Really cool. So you can see here the URI right here is this compare v 1444, real simple stuff.
This is a live profile we used last year. It lasted probably I don’t know, 10, 12 weeks before the blue team finally caught us. Now what’s really funny here and this is going to be really important is you can see, you can add any headers here that you guys want, right?
So this x axis control header does not exist in real life. I’ve made it up but the quant is going to serve this so forget request. Now you can do the same exact thing in the right, so header x control equals true this, the true value doesn’t mean anything does it?
We’re just checking to see if access control which no one else has had or most likely I made it up. You can, and you can put anything you want here as well. You can put WK was here, Greg was here. It doesn’t matter as long as we’re checking.
So just so you guys know, this is a live profile, it does work, right it’s, and we’re hosting on Cobalt Strike right now. We can confirm that with just doing a docker ps. You can see here’s our, here and you can see right here, here’s our port over 4443, our first one.
And we’re hosting all the way to 4449. So we do about nine ports or seven ports so and just to validate that we can do a next pull.
And you can see here the ports we’re hosting somewhere. And here’s the one we’re, so you can see this is live. So when we look at mod redirect and the redirector you’ll see this information here.
And just so you guys can understand even more I’ll show you the IP address. You can see we’re at 10.1.0.205. This is assigned by Terraform and this is static so we make sure it’s across all profiles so it’s easy.
So we know our Cobalt Strike server is always sitting at 205. So we, this is the redirector here. We know we’re hosting 80 and 443. Terraform set those up for us.
So here’s 80 and 443 on the netstat ports. Real simple, let’s get right into the mod redirect. So etc Apache, we’re just using straight Apache, nothing too fancy here.
Sites available. And then based on our site I bought, I bought a website called dsupdateswindows.com. And everything has been done through certbot, Let’s Encrypt.
I know some of you will say that’s terrible, but it works for red team engagement. Now that’s another advanced topic we’ll talk about is different DNS. We’re not using Namecheap anymore. We’re now on Cloudflare or Cloudfront, for hosting for this one here.
And Namecheap, we found has been burning our websites like crazy, no matter what we do. So they won’t just burn one, they’ll burn 100. So it’s a huge money pit right now, especially for red team aged domains.
Unfortunately, Namecheap used to be the go to. I think it’s Cloudflare now. So that’s where this one lives that DS up Windows updates. So this is a pretty, this is a pretty good mod_rewrite.
We spent a lot of time on this, defining it across multiple people. So we do some variables here. Let’s see here. I’ll do a nano real quick. So show some color of the comments so you can see the SSL proxy engine.
All this stuff here doesn’t matter. This is just getting you set up. The real meat here is the redirector. So the idea was we used to first offer just a 403 page and we still do. We have a custom 403 page.
It’s good habit to get in doing that, but we found that if we redirect categorization ties in here. So we all heard Blue Coat or other various things. You want to have a good category on your website.
And the reason is all because of Palo Alto. Palo Alto was the main reason they started that. That’s been going on for years. So most people who have next generation firewalls are going to run Palo Alto firewalls. We know Palo Altos are king at categorization.
Across the board. They are the winners. They will always be the winners right now for this year. And what that means is if you have a bad category like unknown or something malicious, you’re instantly getting blocked.
So category is really good. So we found out just doing 403s did not get its categories. If we did a 301 redirect, we actually could, after some time with, with proper aging, we could get a just a technology category which would fly right through the radar.
We’re not doing finance or going for government. We’re just doing a technology category. So we found out they blended with Microsoft and use a Micro Microsoft CDN with just a straight redirect back to Microsoft, we get a Microsoft category, basically just technology dependent.
So this is where we sit. So we define our redirect target right here Microsoft.com. We’re doing the US based, we set our get, CS GET, POST which correlates back to the Cobalt Strike profile.
Oh it’s gone. So anyway these are the CS GET and POST. You put them right here real easy, no minutes straight through the first check we’re going to do and this stops all the spider technology is we’re going to, we’re going to check for the user agent.
That’s the first thing we’re going to do. We want to stop Google, Yandex, Bingbot, all these ones we’ve been burned so many times being spidered across there we, and then we just redirect back to Microsoft.
So we really don’t want to be spidered, we don’t want Carl hitting us. So we’ll do this live together. Right now this site is up so if you give me 1 second here.
So we have good checks and bad checks so we know the website. Hold on here guys.
So just curl this. You can see right here, here’s our redirect. Microsoft.com right. So let’s go ahead and put a bat. Let’s go ahead. We know we’re not checking for something right? So to do a user agent check and curl we can just do two comments.
Let’s call it Greg. So and cool we passed the check. Now we know Greg’s not being checked right. Even though that’s an in and out using agent.
We should block that. We’re not right now. This is a really simple check so we know we have a custom header right back from the Cobalt Strike server which is the access X control. So to do a custom header inside curl we can do, I think it’s just a capital actually we’ll do tact header and then we’ll go ahead and do that Axis X control and this will get us to another redirect.
Perfect. The reason is because we don’t have the proper URI for the beacon so that’s check number two. So we’re getting Microsoft redirects the entire way right now which is good right?
That’s really good. So let’s go ahead and add in the proper URI now. Now a lot of people say oh the URI is just good. I’m going to stop right here. Explain why just a URI check is not enough.
I played the blue team role I played for four years and I left for this exact reason. So when I was on Palo Alto firewall you see something malicious come through. You’re not exactly sure what’s the first thing you’re going to do.
You’re going to go to a sandbox, you’re going to check the URI. You probably did not copy that custom header, header out of there. You probably just had a typical curl request or something that’s going to go through and you’re going to hit a redirect.
Microsoft, your first thought is like oh well this is probably legit. That’s what I’m hoping your mindset is going to be at. I’m going to make it entirely difficult when you’re going to get a redirect every time to Microsoft.
So I know you have the URL, I know you have to get requests. So if I’m just doing the get check, you’re going to get to the beacon server, you’re going to, you’re going to get some weird result, you’re going to get some JavaScript and at that point you say hey this, this is, this is dynamic.
Like I’m seeing beacon stuff here. Egress outgrass, we’re good, we’re seeing stuff here but if we can stop the blue team and make the blue team’s job harder or we can last three weeks longer, it’s like hey this DS updates windows.
Is this legit? It just redirects to Microsoft. We have to trick one person and that one person. Like I checked that area, it’s good to go. Even though it’s not legit, we see it all the time. So if we check this URI, what’s really funny, it’s still not enough.
We should, we should see 404, 403 here. Custom 403 web page 1 second.
Let’s see. Stand by here. My copy and paste is failing.
Okay, there we go. We hit the beacon directly with the header without that. So if we just do it with just out, say we break this URI, all this various stuff, we can now get a 404.
See you do the compare here as we’re missing the header and all that kind of stuff. Say we break it, we get a custom 404 page and this ties right back to this redirector right down here.
So you can see we’re probably proxy passing everything back to the Cobalt Strike server right here. This is what’s keeping us alive, the GET and POST request. So this is exactly where it sits.
So the first thing we do is the user agent check right here. We then check for the header. We then go ahead and check for the GET and POST and then we pack, we proxy, ProxyPass and ProxyPassReverse.
Both work here as well. And then you can see here just for some hygiene. We do set nice servers. We want, we want to look good. Like we’re actually not, we’re doing. And then here’s our 404. It’s actually a custom 404 web page.
We do really funny ones. We steal people’s all the time. Just kind of a little, haha. For us, if they hit actually find a blue team actually hits the 404 page or 403 page because most of the times it’s just, it’s a redirect.
So at that point we do the various checks. Now there was another really cool thing that we used to do. Greg, I’m looking for that.
Get that, get page with the IP blocks on them. Did I post that to you?
Greg Hatcher
No, you just gave me the commands, dude. You have the IPs for like the, like the server in Cobalt Strike.
John Stigerwalt
No, just give me a second. So this is really cool. Get page by this one really cool dude.
Greg Hatcher
Oh, I know you’re talking about. Yeah, just a minute.
John Stigerwalt
Yeah, yeah, if you have that, I would love to go ahead and show that.
Greg Hatcher
Oh, yeah, you’re talking about curious Jack. I got right here.
John Stigerwalt
Yep. Curious Jack. Thank you. Yeah, yeah, he has some great stuff, but they have this really cool Apache blocker. So sometimes just doing this is not enough. Sometimes like if you’re gonna get detonated from VirusTotal and various things, this will help.
But it’s really interesting, right? So sometimes, let’s just say a client’s gonna download, say they’re gonna detonate your beacon or your payload inside the sandbox.
This is gonna go through, right? Yes, thank you Greg, very much. It’s exactly what I wanted to see here.
Greg Hatcher
Like the most restrictive mod_rewrite you’ve ever seen.
John Stigerwalt
This is going to take a nice minute here for this to load up for me.
Greg Hatcher
I’ve already got loaded if you want me to share my screen, dude.
John Stigerwalt
Yeah, dude, go ahead. That’d be great, man. That’s perfect.
Greg Hatcher
Yeah, so just everyone knows like John’s a great engineer, but his Internet connection runs on maple syrup. He’s a maple syrup farmer in rural Pennsylvania, so sometimes he has problems with the Wi-Fi’s.
Okay, cool. So this is Curious Jack. This is Jason Lang over at TrustedSec, I believe. Don’t quote me on that.
John Stigerwalt
And just so you guys know, this is really cool. So basically all you would do is just, you would include this first inside your, your, your mod_rewrite, and you would just straight, go ahead and, just, basically just do a straight redirect.
So if any IPs hit here, and I used to use this all the time, especially in the AWS and Azure stuff. But what we’re seeing here in 2022, especially going into 2023, is a lot of clients are moving most of their servers up to Azure or AWS, meaning that if you want to get beacons or payloads or callbacks to happen on servers, you can’t use all the IPs here listed.
Now what’s really funny is if you, if you’re on this, if you, if you work for a blue team company like VirusTotal or something like, Palo Alto, Fortinet, whatever, all those, all those guys, your IPs are probably listed in here, which is hysterical because I want them to be, I want them to make your life so hard.
We have to use a VPN to get access to a server, which you’re just gonna get redirected. That is my entire goal, is to make my, make your life difficult and determine, hey, this guy ain’t joking. So if my, if my beacon or my payload is in your sandbox, it’s not executing because it first hit this rule.
I call this the fail safe. If we get hit, if we get detonated on, file dresses, it’s not reaching out. So it may see a request trying to go somewhere to our redirector, but it never hasn’t.
There’s no callback, there’s, there’s no beacon established. So this has saved us in the long run over time. Now, I don’t have an example showing this here right now, because we include all the IP addresses and various things because we’re testing from AWS.
But this is a gem right here. So these are all just rewrite conditions. Just checking out IP addresses. Just testing. So you do want to review these before use this, because I have gotten trouble in this where I had a beacon trying to execute on one of these IP addresses for a client that was test.
So, we had to, we had to change the config live on a red team. So you want to make sure what your target is and where they’re coming from. A lot of people say, well, why not just whitelist, whitelist a client. Because sometimes people on VPN or they’re at home or people aren’t always on the VPN and they’re using the home IP addresses and red teams and they’re in scope sometimes so it’s all fair game.
Greg Hatcher
That’s why whitelisting via IP is very challenging. So for context right here, Palo Alto. So say you, you have a blue teamer, that’s you right, that’s running Palo Alto Traps and they, they’ve got your beacon and they detonate it.
Palo Alto reach reaches out on 1455-9123 WAC 24. It will not detonate because it’s, it’s a deny rule. Same thing he’s got, he’s got FortiGate, he’s got Symantec, Microsoft Azure.
This was actually a Proofpoint bypass for a while. Like if you’re trying to get like RC on a box unit payload in a phishing email Proofpoint would go out, touch, touch your payload, detonate it from a Proofpoint IP address.
But if you have this in there it won’t actually detonate. So very, very interesting.
John Stigerwalt
I know a lot of you guys will say well your beacon should have some domain check or some have some kind of anti sandbox technology and you’re right, hundred percent, and ours, ours do, right, but this is just strictly redirector protection, Cobalt Strike server protection. Payload development is out of scope here but we do those things as well and we do teach those in the offensive development which is the primer to the advanced red team course.
So if anybody does the advanced red team course we expect you to know payload development, bypassing AV/EDR. Greg will be teaching that course moving forward and I’ll be handling the advanced red team operations for the C2.
And then also we’ll be doing a live Azure attack path right on day two. So it’s going to be a mass flood of information. It’s going, we’re going to make it even difficult for you guys.
So lots of fun. So if you don’t think you’re ready for something like that, take the offensive development, learn how to bypass AV/EDR. Because we’re bypassing AV/EDR on every red team. We’re hitting S1, CrowdStrike, Cortex, we have bypasses for every single one of them.
Some of the techniques we teach you guys in offensive development is live on that as well. So when you guys come over to the advanced red team course, more our focus is past payload development.
We already expect you guys to know that. We’re doing C2 infrastructure, we’re doing setup. We’re getting you prep for a live engagement and we’re going to run right through an attack path.
Greg Hatcher
Yeah, and to clarify the offensive development course, you still have to have some prerequisite knowledge. The first time we taught it, we had it as a beginner friendly course. And that is not the case if you’ve never compiled native code.
If you don’t know what the Windows API is. Probably not a good starting point. Okay, cool.
I think that’s all we got for right now.
Ryan
All right, I posted links in the chat and we put them on screen again for both the classes. So check that out. We’ll also have those links in the video description. If you’re watching the replay, we’ll have them in there.
So look down below and one more time I’m going to plug the link for the summit that’s happening on March 1 where both Greg and John are going to be teaching these classes.
You can find that at the webpage below and you can go to the Antisiphon Training and look at the yellow header bar thing there at the top. And it’ll take you right to the page.
It shows you all the classes, including John and Greg’s. It’s going to be quite the training event. Plus we’ve got a whole day of summit talks to start it off, so that’ll be pretty cool.
Thanks again, John. Hey, Greg. Oh, we lost Greg. Oh, there he is.
Greg Hatcher
Yeah. What’s up, guys? Yeah, my, my clock is being very loud. Go ahead.
John Stigerwalt
I was going to say, guys, just so you guys know, you get access to Cobalt Strike during the course for those two days, for free. There’s no catch there, right? So you guys can use Cobalt Strike.
We’re on Cobalt Strike with us, so really cool stuff. Awesome.
Greg Hatcher
Yep.
Ryan
Can’t wait. And thanks.
Greg Hatcher
Yep. And you have access to the. You have access to the lab environment for, for a while, actually, so. Yep. Definitely worth it.
John Stigerwalt
Yep.
Ryan
All right, and with that, we’re going to end this edition of AASLR. Thanks again for everybody for coming to our stream or watching our stream. And hopefully we’ll see you at the summit.
Greg Hatcher
All right, later, everybody. Have a good night.
John Stigerwalt
Bye. Take care. Bye.