BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//pretalx.com//orangecon-2026//talk//HLHUPG
BEGIN:VEVENT
UID:pretalx-orangecon-2026-HLHUPG@pretalx.com
DTSTART:20260604T104000Z
DTEND:20260604T111000Z
DESCRIPTION:Tools like Cobalt Strike\, Brute Ratel\, and Mythic have
  become ubiquitous\, forming the backbone of attacks launched by both
  nation-states and cybercriminals. These "malleable C2" platforms
  allow attackers to precisely configure network traffic—adjusting
  beaconing intervals\, adding random jitter\, and constructing URL
  and user agent strings that convincingly mimic legitimate web
  services. Not only is it hard to write effective signatures for
  blocking such configs\, the ease with which new configs can be
  created makes IPS-based defenses futile.\n\nThis presentation
  addresses the widespread failure of legacy defenses against
  malleable C2. We introduce a novel\, high-fidelity detection system
  designed to identify malleable C2 traffic that has successfully
  evaded traditional layers. Our methodology moves beyond signatures
  by combining an expert anomaly detection engine with a machine
  learning classifier\, analyzing decrypted web (HTTP/s) transaction
  logs from a forward proxy. The system profiles network entities
  using advanced signals\, including SSL/TLS fingerprints (like JA3)\,
  fine-grained analysis of network beaconing patterns over time\, and
  heuristic flagging of unusual user agents and highly targeted domain
  contacts. These signals are fed into a robust machine learning model
  tuned to identify the subtle but persistent characteristics of C2
  communications directed at non-cloud infrastructure.\n\nTested
  rigorously against a diverse set of Cobalt Strike profiles collected
  from the wild and created using a genetic algorithm\, our approach
  achieved a detection rate in excess of 97%. Crucially\, it
  maintained an exceptionally low false positive rate—less than 0.0001
  alerts per user per week in real-world production environments.
  It has since been deployed in production environments\, from which we
  share recent case studies of real-world implants that we have
  detected. Attendees will gain an in-depth understanding of why
  reliance on IPS-only strategies is a critical vulnerability and how
  to implement a powerful\, non-signature-based detection strategy.
  This approach effectively counters the evasion tactics of Cobalt
  Strike\, Brute Ratel\, Mythic\, and custom C2\, significantly
  improving an organization's defense posture against one of today’s
  most elusive threats.
DTSTAMP:20260525T202316Z
LOCATION:Track 1
SUMMARY:Bypassing the Evasion Barrier: Detecting Malleable C2 When Traditio
 nal Defenses Fail - Raymond Canzanese
URL:https://pretalx.com/orangecon-2026/talk/HLHUPG/
END:VEVENT
END:VCALENDAR
