
Overview

The C2 Framework provides a layered evasion system designed to reduce the detectability of beacon traffic by network monitoring, behavioral analysis, and signature-based detection systems. The evasion techniques work together across three dimensions:

Temporal Evasion

Beacon timing randomization using jitter strategies

Traffic Obfuscation

Payload size randomization through padding

Header Polymorphism

HTTP header randomization and rotation

Evasion Architecture

All evasion features are controlled through a unified traffic profile system that allows operators to select pre-configured evasion levels or create custom profiles.
# Source: evasion/profile_config.yaml
active_profile: medium

profiles:
  baseline:   # No evasion - fixed timing, no padding, static headers
  low:        # Light evasion - 10% jitter, light padding, UA rotation
  medium:     # Moderate evasion - 20% jitter, medium padding, multi-header rotation
  high:       # Aggressive evasion - 40% gaussian jitter, heavy padding, full randomization
Profile Selection Trade-offs: Higher evasion levels provide better stealth but increase bandwidth usage and may introduce timing delays. Select profiles based on your operational security requirements and network environment.

Evasion Components

1. Jitter Strategies

Control beacon timing randomization to avoid predictable check-in patterns.
  • Uniform Jitter: Flat random distribution within ±jitter_pct of base interval
  • Gaussian Jitter: Bell-curve distribution for more natural timing variance
Implemented in: evasion/sleep_strat.py:8-33

2. Traffic Padding

Add random bytes to beacon payloads to obscure actual message sizes and defeat size-based fingerprinting.
  • Dynamic Padding: Random padding between min/max thresholds per request
  • Length Prefix Protocol: A 2-byte header encodes the padding length so the receiver can strip the padding
  • Cryptographic Randomness: Uses os.urandom() for unpredictable pad bytes
Implemented in: evasion/padding_strat.py:8-40

3. Header Randomization

Rotate and randomize HTTP headers across four levels:
Level | User-Agent   | Accept-Language | Accept-Encoding | Header Order
------|--------------|-----------------|-----------------|-------------
0     | Fixed Chrome | Fixed en-US     | Fixed gzip      | Fixed
1     | Rotated      | Fixed en-US     | Fixed gzip      | Fixed
2     | Rotated      | Rotated         | Fixed gzip      | Fixed
3     | Rotated      | Rotated         | Rotated         | Shuffled
Implemented in: evasion/header_randomizer.py:32-76

Traffic Profiles

The framework includes four pre-configured profiles:

Profile: baseline
jitter_pct:   0        # No timing variance
strategy:     uniform
padding_min:  0        # No padding
padding_max:  0
header_level: 0        # Fixed headers
Use Case: Testing, controlled environments, maximum performance

Profile: low
jitter_pct:   10       # ±10% timing variance
strategy:     uniform
padding_min:  0
padding_max:  64       # Up to 64 bytes padding
header_level: 1        # User-Agent rotation
Use Case: Minimal stealth requirements, bandwidth-constrained environments

Profile: medium
jitter_pct:   20       # ±20% timing variance
strategy:     uniform
padding_min:  0
padding_max:  128      # Up to 128 bytes padding
header_level: 2        # UA + Accept-Language rotation
Use Case: Standard operations, balanced stealth and performance

Profile: high
jitter_pct:   40       # ±40% timing variance
strategy:     gaussian # Natural bell-curve distribution
padding_min:  64       # Minimum 64 bytes padding
padding_max:  256      # Up to 256 bytes padding
header_level: 3        # Full header randomization + shuffling
Use Case: High-security environments, advanced threat detection present

Loading Profiles

Profiles are loaded at beacon initialization from evasion/profile_config.yaml:
from transport.traffic_profile import load_active_profile, load_profile

# Load the active profile (defined in YAML)
profile = load_active_profile()

# Or load a specific profile by name
profile = load_profile('high')

print(f"Using profile: {profile.name}")
print(f"Jitter: {profile.jitter_pct}% ({profile.jitter_strategy})")
print(f"Padding: {profile.padding_min}-{profile.padding_max} bytes")
print(f"Header level: {profile.header_level}")
See: transport/traffic_profile.py:72-110

Detection Avoidance

Each evasion technique targets specific detection methods:

Timing Analysis

Threat: Predictable beacon intervals detected by NetFlow analysis
Mitigation: Jitter strategies break fixed timing patterns

Size Fingerprinting

Threat: Consistent payload sizes create detectable signatures
Mitigation: Random padding obscures actual message lengths

Header Signatures

Threat: Static User-Agent or header combinations flagged by IDS
Mitigation: Header randomization mimics diverse legitimate traffic

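The flip side of header randomization, as an added example that is not part of the framework's code: rotating User-Agent and Accept-Language per request (header levels 1 to 3) is itself a signal, because a real browser presents one User-Agent and one language preference to a given host. The script below parses constructed proxy log lines (the line format, IPs, hostname and User-Agent strings are all constructed for this example) and flags client/host pairs whose headers churn. The browser-family mapping is a deliberately coarse heuristic.

```python
"""Per-source header churn over constructed proxy log lines.

Added example, not framework code. Log format (constructed):
    <timestamp> <client-ip> <host> "<user-agent>" <accept-language>
"""
import re
from collections import defaultdict

# Constructed sample: 10.0.0.12 rotates UA and language toward one host; 10.0.0.7 does not.
SAMPLE_LOG = """\
2024-05-01T10:00:03Z 10.0.0.12 cdn.example.net "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" en-US
2024-05-01T10:01:07Z 10.0.0.12 cdn.example.net "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" de-DE
2024-05-01T10:02:00Z 10.0.0.12 cdn.example.net "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15" fr-FR
2024-05-01T10:02:58Z 10.0.0.12 cdn.example.net "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0" en-GB
2024-05-01T10:04:01Z 10.0.0.12 cdn.example.net "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" en-US
2024-05-01T10:00:10Z 10.0.0.7 cdn.example.net "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" en-US
2024-05-01T10:00:41Z 10.0.0.7 cdn.example.net "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" en-US
2024-05-01T10:03:19Z 10.0.0.7 cdn.example.net "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" en-US
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" (\S+)$')


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than aborting the run."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, host, ua, lang = m.groups()
        records.append({"ts": ts, "src": src, "host": host, "ua": ua, "lang": lang})
    return records


def ua_family(ua):
    """Coarse browser family. Order matters: Edge and Chrome UAs also contain 'Safari/'."""
    if "Edg/" in ua:
        return "edge"
    if "Firefox/" in ua:
        return "firefox"
    if "Chrome/" in ua:
        return "chrome"
    if "Safari/" in ua:
        return "safari"
    return "other"


def header_churn(records):
    """Per (client, host): request count and number of distinct UAs, families and languages."""
    uas, fams, langs, hits = defaultdict(set), defaultdict(set), defaultdict(set), defaultdict(int)
    for r in records:
        key = (r["src"], r["host"])
        uas[key].add(r["ua"])
        fams[key].add(ua_family(r["ua"]))
        langs[key].add(r["lang"])
        hits[key] += 1
    return {
        k: {"requests": hits[k], "user_agents": len(uas[k]),
            "families": len(fams[k]), "languages": len(langs[k])}
        for k in hits
    }


def flag_churn(records, min_requests=3, min_families=2, min_languages=2):
    """Flag pairs where one client shows several browser families or languages to one host."""
    flagged = []
    for key, s in header_churn(records).items():
        if s["requests"] >= min_requests and (
            s["families"] >= min_families or s["languages"] >= min_languages
        ):
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, s in header_churn(recs).items():
        print(key, s)
    print("flagged:", flag_churn(recs))
```

Header order (the level 3 shuffle) is not recorded in an ordinary proxy log, so this check only sees levels 1 and 2; order changes would need a full capture or a header-order fingerprint at the sensor.
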
Behavioral Analysis

Threat: ML-based detection identifies non-human traffic patterns
Mitigation: Gaussian jitter + header shuffling mimics organic browsing

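What the timing, size and behavioral points above look like from the analyst's side, as an added example that is not part of the framework's code: the script simulates flow records for each of the four profiles on this page (constructed, seeded data using the page's jitter and padding values) and then computes the per-host gap and size statistics a NetFlow analyst would use to score beaconing. It goes beyond the page by adding a constructed human-driven baseline (exponential inter-arrival times) for contrast. The 60-second base interval, the 200-byte message size and the gaussian sigma (jitter_pct treated as two standard deviations) are assumptions.

```python
"""Per-host beacon statistics over constructed flow records.

Added example, not framework code. Simulates the timing and size behaviour
the four profiles describe (uniform or gaussian jitter around a base
interval, random padding within [padding_min, padding_max] plus the 2-byte
length prefix) and computes the statistics used to spot beaconing.
"""
import random
import statistics
from dataclasses import dataclass

# Profile values as listed on this page (header_level omitted: not visible in flow data).
PROFILES = {
    "baseline": dict(jitter_pct=0,  strategy="uniform",  padding_min=0,  padding_max=0),
    "low":      dict(jitter_pct=10, strategy="uniform",  padding_min=0,  padding_max=64),
    "medium":   dict(jitter_pct=20, strategy="uniform",  padding_min=0,  padding_max=128),
    "high":     dict(jitter_pct=40, strategy="gaussian", padding_min=64, padding_max=256),
}
MSG_SIZE = 200      # assumption: size of the unpadded beacon message
LENGTH_PREFIX = 2   # the 2-byte padding-length header from the padding protocol


@dataclass
class Flow:
    src: str
    dst: str
    ts: float    # seconds since start of capture
    nbytes: int


def simulate_beacon(profile, base_interval=60.0, n=200, seed=1,
                    src="10.0.0.12", dst="203.0.113.5"):
    """Constructed beacon flows for one profile (deterministic via seed)."""
    p = PROFILES[profile]
    rng = random.Random(seed)
    spread = p["jitter_pct"] / 100.0
    t, flows = 0.0, []
    for _ in range(n):
        if p["strategy"] == "uniform":
            factor = rng.uniform(1 - spread, 1 + spread)
        else:
            # Assumption: +-jitter_pct taken as two standard deviations; clipped so the
            # interval can never collapse to zero.
            factor = max(0.1, rng.gauss(1.0, spread / 2))
        t += base_interval * factor
        pad = rng.randint(p["padding_min"], p["padding_max"])
        flows.append(Flow(src, dst, t, MSG_SIZE + LENGTH_PREFIX + pad))
    return flows


def simulate_interactive(mean_gap=60.0, n=200, seed=2, src="10.0.0.7", dst="203.0.113.5"):
    """Constructed human-driven traffic: exponential inter-arrival times (gap CV near 1)."""
    rng = random.Random(seed)
    t, flows = 0.0, []
    for _ in range(n):
        t += rng.expovariate(1.0 / mean_gap)
        flows.append(Flow(src, dst, t, rng.randint(300, 9000)))
    return flows


def interval_stats(flows):
    """Mean, median, coefficient of variation and range of the gaps between connections."""
    ts = sorted(f.ts for f in flows)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return {"count": len(gaps), "mean": mean, "median": statistics.median(gaps),
            "cv": statistics.pstdev(gaps) / mean, "min": min(gaps), "max": max(gaps)}


def size_stats(flows):
    """Payload size band; padding only widens it to padding_max - padding_min bytes."""
    sizes = [f.nbytes for f in flows]
    return {"min": min(sizes), "max": max(sizes),
            "range": max(sizes) - min(sizes), "distinct": len(set(sizes))}


def is_beacon_like(flows, cv_threshold=0.3, min_count=20):
    """Bounded jitter bounds the gap CV: uniform +-p% gives 2p/sqrt(12) (0.23 at 40%),
    gaussian with sigma p/2 gives 0.20, while exponential inter-arrivals sit near 1."""
    st = interval_stats(flows)
    return st["count"] >= min_count and st["cv"] <= cv_threshold


if __name__ == "__main__":
    for name in PROFILES:
        flows = simulate_beacon(name)
        print(name, {k: round(v, 2) for k, v in interval_stats(flows).items()},
              size_stats(flows), "beacon-like:", is_beacon_like(flows))
    human = simulate_interactive()
    print("interactive cv", round(interval_stats(human)["cv"], 2),
          "beacon-like:", is_beacon_like(human))
```

The numbers make one point: the mean and median gap still recover the base interval under every profile, the coefficient of variation stays under 0.25 even at 40% gaussian jitter, and interactive traffic sits near 1, so a per-host CV threshold separates them without any signature. Padding behaves the same way, moving the size band by padding_min and widening it by padding_max - padding_min bytes rather than hiding it.
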
Operational Security Guidelines

Profile Selection: Changing profiles mid-operation may create detectable pattern shifts. Select the appropriate profile before deployment and maintain it throughout the operation.
  1. Low-Risk Environments: low or medium profile
    • Corporate networks with basic monitoring
    • Bandwidth-sensitive operations
    • Long-term persistence scenarios
  2. High-Risk Environments: high profile
    • Government/military networks
    • Financial institutions
    • Environments with advanced EDR/NDR solutions
  3. Testing/Development: baseline profile
    • Local testing
    • Performance benchmarking
    • Debugging beacon communication

Next Steps

Jitter Strategies

Deep dive into timing randomization algorithms

Traffic Padding

Learn payload padding implementation details

Header Randomization

Understand HTTP header polymorphism

Traffic Profiles

Configure custom evasion profiles
