This talk was recorded at NDC Security in Oslo, Norway. #ndcsecurity  #ndcconferences  #security  #developer   #softwaredeveloper    

Attend the next NDC conference near you: 
https://ndcconferences.com
https://ndc-security.com/

Subscribe to our YouTube channel and learn every day:   @NDC 

Follow our Social Media!

https://www.facebook.com/ndcconferences
https://twitter.com/NDC_Conferences
https://www.instagram.com/ndc_conferences

#hacker #securitytools 

Modern command-and-control (C2) frameworks don't just fall over when you block one protocol - they pivot, quietly but surely. The C2 brain, the intent and the goal stay the same, but the wire changes. If your detection strategy is married to ports or protocol signatures, then you're already behind - and at risk.

This talk will explore a small Python-based C2 lab with pluggable transports: the same controller/agent pair that can talk over ICMP payloads, DNS TXT records and HTTP headers, and automatically fails over to another protocol without changing its core logic when detection occurs.

The goal is not to show off yet another tunnel or a 'hey look, an ICMP data exfiltrator!', but to make the architectural pattern behind advanced tools like Cobalt Strike as painfully obvious as possible: C2 logic is transport-agnostic, indifferent, and ruthless, and protocol-centric defences are outdated.

NDC Conferences

A security architect presents the concept of transport-agnostic or protocol-hopping C2 (Command & Control) infrastructure, explaining how separating the stateful command core from transport adapters allows malware to survive protocol-level blocking. The talk demonstrates how an agent can failover from HTTP to DNS to ICMP while maintaining session state and intent, warning defenders that blocking a transport protocol is containment, not eradication. Key takeaways include the need to validate host-level persistence after transport disruption, layer network and endpoint telemetry, and shift detection focus from protocol signatures to behavioral patterns like beacon periodicity and session continuity.

Protocol-Hopping C2: Transport-Agnostic Command & Control That Won't Die - Francine Solheim