C2 and IDS/IPS evasion

Pentesting frameworks, such as Cobalt Strike and Empire, offer Command and Control (C2) profiles. These profiles allow fine-tuning of variables to evade IDS/IPS systems:

  • User-Agent: The tool or framework you are using can expose you via its default-set user-agent. It is always important to set the user-agent to something innocuous and test it to confirm your settings.

  • Sleep Time: The sleep time allows you to control the callback interval between beacon check-ins. In other words, you can control how often the infected system will attempt to connect to the control system.

  • Jitter: This variable lets you add some randomness to the sleep time, specified by the jitter percentage. A jitter of 30% results in a sleep time of ±30% to further evade detection.

  • SSL Certificate: Using authentic-looking SSL certificates will significantly improve chances of evading detection. A worthy investment of time.

  • DNS Beacon: Consider the case when you are using DNS protocol to exfiltrate data. You can fine-tune DNS beacons by setting the DNS servers and the hostname in the DNS query. The hostname will be holding the exfiltrated data.

Using such a framework, it is worth creating a custom profile instead of relying on a default one.