Thursday 

Room 4 

13:40 - 14:40 

(UTC+01

Talk (60 min)

Protocol-Hopping C2: Transport-Agnostic Command & Control That Won't Die

Modern command-and-control (C2) frameworks don't just fall over when you block one protocol - they pivot, quietly but surely. The C2 brain, the intent and the goal stay the same, but the wire changes. If your detection strategy is married to ports or protocol signatures, then you're already behind - and at risk.

Hacking
Fun
Security Tooling

This talk will explore a small Python-based C2 lab with pluggable transports: the same controller/agent pair can talk over ICMP payloads, DNS TXT records and HTTP headers, and when detection occurs it automatically fails over to another protocol without changing its core logic.

The goal is not to show off yet another tunnel or a 'hey look, an ICMP data exfiltrator!', but to make the architectural pattern behind advanced tools like Cobalt Strike as painfully obvious as possible: C2 logic is transport-agnostic, indifferent, and ruthless, and protocol-centric defences are outdated.

Francine Solheim

Francine Solheim is a cybersecurity architect specialising in defensive architecture and weird tooling. She has worked on SOC augmentation, ISO 27001-driven security programmes and experimental monitoring tools, and is currently focused on piecing together enterprise-grade-but-still-open-source SIEM/SOAR solutions and making advanced attacker techniques understandable and reproducible for 'normal' engineering teams.