OrangeCon 2026

Bypassing the Evasion Barrier: Detecting Malleable C2 When Traditional Defenses Fail
2026-06-04, Track 1

Tools like Cobalt Strike, Brute Ratel, and Mythic have become ubiquitous, forming the backbone of attacks launched by both nation-states and cybercriminals. These "malleable C2" platforms allow attackers to precisely configure network traffic—adjusting beaconing intervals, adding random jitter, and constructing URL and user agent strings that convincingly mimic legitimate web services. Not only is it hard to write effective signatures for blocking such configs, the ease with which new configs can be created makes IPS-based defenses futile.

This presentation addresses the widespread failure of legacy defenses against malleable C2. We introduce a novel, high-fidelity detection system designed to identify malleable C2 traffic that has successfully evaded traditional layers. Our methodology moves beyond signatures by combining an expert anomaly detection engine with a machine learning classifier, analyzing decrypted web (HTTP/s) transaction logs from a forward proxy. The system profiles network entities using advanced signals, including SSL/TLS fingerprints (like JA3), fine-grained analysis of network beaconing patterns over time, and heuristic flagging of unusual user agents and highly targeted domain contacts. These signals are fed into a robust machine learning model tuned to identify the subtle but persistent characteristics of C2 communications directed at non-cloud infrastructure.

Tested rigorously against a diverse set of Cobalt Strike profiles collected from the wild and created using a genetic algorithm, our approach achieved a detection rate in excess of 97%. Crucially, it maintained an exceptionally low false positive rate—less than 0.0001 alerts per user per week in real-world production environments. It has since been deployed in production environments, from which we share recent case studies of real-world implants that we have detected. Attendees will gain an in-depth understanding of why reliance on IPS-only strategies is a critical vulnerability and how to implement a powerful, non-signature-based detection strategy. This approach effectively counters the evasion tactics of Cobalt Strike, Brute Ratel, Mythic, and custom C2, significantly improving an organization's defense posture against one of today’s most elusive threats.
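The beaconing-regularity and targeted-domain signals described in the abstract, as an added illustration that is not the talk's own code: it assumes a simplified proxy log format of "<epoch_seconds> <src_ip> <dst_host>", constructs a small sample log inline, and flags (source, destination) pairs whose inter-request gaps are tight relative to their median, which is what a fixed sleep with bounded jitter produces. Thresholds are illustrative assumptions, not values from the talk.

```python
"""Beacon-regularity and rare-destination signals over forward-proxy HTTP logs.
Added example, not code from the talk. Assumes a simplified log line format
"<epoch_seconds> <src_ip> <dst_host>"; thresholds are illustrative."""
from collections import defaultdict
from statistics import median

# Constructed sample: 10.0.0.5 polls one host every ~60 s with ~10% jitter,
# while 10.0.0.7 and 10.0.0.9 browse a shared news site at irregular times.
BASE = 1_700_000_000
BEACON_OFFSETS = [0, 58, 123, 181, 244, 299, 362, 418]
BROWSE_OFFSETS = [0, 5, 9, 200, 205, 900, 1500, 1502]
SAMPLE_LOG = "\n".join(
    [f"{BASE + o} 10.0.0.5 cdn-assets.invalid" for o in BEACON_OFFSETS]
    + [f"{BASE + o} 10.0.0.7 news.example" for o in BROWSE_OFFSETS]
    + [f"{BASE + o} 10.0.0.9 news.example" for o in (3, 400, 2000)])

MIN_GAPS = 6        # need enough intervals before calling something periodic
MAX_REL_MAD = 0.25  # jitter in malleable C2 is a bounded fraction of the sleep

def parse_log(text):
    """Map (src, dst) -> request timestamps and dst -> set of internal sources."""
    pairs, dst_sources = defaultdict(list), defaultdict(set)
    for line in text.splitlines():
        ts, src, dst = line.split()
        pairs[(src, dst)].append(int(ts))
        dst_sources[dst].add(src)
    return pairs, dst_sources

def regularity(timestamps):
    """Return (median gap, MAD/median) of inter-request gaps, or None if too few.
    MAD is used instead of stddev so a few long sleeps or retries do not mask a beat."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < MIN_GAPS:
        return None
    med = median(gaps)
    mad = median(abs(g - med) for g in gaps)
    return med, (mad / med if med else float("inf"))

def find_beacons(text):
    """Flag (src, dst) pairs with robotic timing; report how many sources share dst."""
    pairs, dst_sources = parse_log(text)
    hits = []
    for (src, dst), ts in pairs.items():
        reg = regularity(ts)
        if reg and reg[1] <= MAX_REL_MAD:
            hits.append((src, dst, reg[0], round(reg[1], 3), len(dst_sources[dst])))
    return hits

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))  # -> [('10.0.0.5', 'cdn-assets.invalid', 58, 0.052, 1)]
```

The source count on the flagged destination (1 here) is the "targeted domain" signal: a destination that only one internal host ever contacts, on a robotic schedule, is far more suspicious than a periodic poll of a site the whole estate visits.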


Objectives
Understand malleable C2 and why signature-based detection can't accurately detect it
Learn a set of novel signals that can be used to detect malleable C2 (robotic, repeated, anomalous, and fingerprint-based)
Show how you can build a robust detector with these signals

Background
Demo how CobaltStrike and other malleable C2 frameworks operate
Demo why detecting them is hard
Building a modern detection system
Our approach to collecting data and focusing detection efforts
Examples of core signals
Architecture - how we combined anomaly detection with these signals

Efficacy Testing
How we configured a lab environment to generate and test 20k+ configs for 7 different C2 tools
How we measured success

Case Studies
We have been running this in production for > 6 months now (and will have been for even longer at conference time), so we have updated stats on false positives and new case studies for beacons we have successfully detected

Ray is the Director of Netskope Threat Labs, a globally distributed team that specializes in cloud and network-focused threat research. His research background includes malware detection and classification, cloud app security, web security, sequential detection, and machine learning. Although his current focus is cybersecurity, his research has previously spanned other domains, including software anti-tamper and electronic warfare. In addition to his extensive research experience, Ray also has a background in education, teaching multiple math and programming courses during his academic career. He holds a Ph.D. in Electrical Engineering from Drexel University.