Adversaries have been continuously improving their malware to be stealthier and more resilient, both on the victim’s host and on the network. Examples of these innovations on the network side include Fast Flux networks, Domain Generation Algorithms and Domain Fronting, among other techniques. Unfortunately, open source tools for threat emulation currently have limited support for such advanced features, leaving red teams with easy-to-detect C2 communications. We present C2Centipede, a proxy tool that provides these features to HTTP reverse shell tools (like Metasploit or Empire), making them stealthier on the network by dynamically and transparently modifying the trojan’s C2 communication routing and beaconing strategies, with the aim of evading some of the blue team’s detection strategies.