RedWarden is a Cobalt Strike Command and Control (C2) reverse proxy that helps penetration testers and red teams evade detection by intrusion response systems, antivirus software, endpoint detection and response (EDR) solutions, and network scanners. By correlating packet inspection with the malleable C2 profile, RedWarden ensures that only legitimate beacon requests reach the team server and misdirects unauthorized or suspicious traffic.
RedWarden parses the http-stager, http-get and http-post sections of the supplied malleable C2 profile, together with their URIs, headers and user-agent strings. It validates inbound HTTP/S requests strictly against the profile's contract and forwards only matching traffic to the team server. Requests that do not match the expected patterns are misdirected or dropped, making red team operations stealthier and the team server harder to fingerprint.
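The same contract check, turned toward detection, as an added example that is not RedWarden's own code: the http-get/http-post URIs and user-agent from a profile (constructed values here, not parsed from the real profile grammar) are applied to web server access log lines in Apache combined format, and a request is flagged only when every element of the contract is satisfied. The contract dict, log lines and helper names are all assumptions for this illustration.

```python
import re

# Constructed stand-in for a malleable C2 profile's http-get/http-post blocks
# (the URIs and user-agent a proxy like RedWarden enforces); not a real profile.
PROFILE_CONTRACT = {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "http-get": {"method": "GET", "uris": ["/api/v1/status", "/updates/check"]},
    "http-post": {"method": "POST", "uris": ["/api/v1/submit"]},
}

# Apache combined log format, the format an Apache2-imitating proxy blends into.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) \S+" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def match_section(method, uri, ua, contract=PROFILE_CONTRACT):
    """Return the profile section a request satisfies, or None. The path is
    compared exactly (query string stripped) and the User-Agent verbatim."""
    path = uri.split("?", 1)[0]
    if ua != contract["user_agent"]:
        return None
    for section in ("http-get", "http-post"):
        spec = contract[section]
        if method == spec["method"] and path in spec["uris"]:
            return section
    return None

def scan_log(lines, contract=PROFILE_CONTRACT):
    """Return (ip, uri, section) for each log line whose method, URI and
    User-Agent all satisfy the contract; unparsable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        section = match_section(m["method"], m["uri"], m["ua"], contract)
        if section is not None:
            hits.append((m["ip"], m["uri"], section))
    return hits

# Constructed sample log lines: two beacon-shaped requests, one with the right
# URI but wrong User-Agent, and one ordinary page fetch.
UA = PROFILE_CONTRACT["user_agent"]
SAMPLE_LOG = [
    f'10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /api/v1/status?id=1 HTTP/1.1" 200 512 "-" "{UA}"',
    f'10.0.0.5 - - [01/Jan/2024:10:01:00 +0000] "POST /api/v1/submit HTTP/1.1" 200 12 "-" "{UA}"',
    '10.0.0.9 - - [01/Jan/2024:10:02:00 +0000] "GET /api/v1/status HTTP/1.1" 200 512 "-" "curl/8.0.1"',
    f'10.0.0.7 - - [01/Jan/2024:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "{UA}"',
]
```

Only the two lines that satisfy URI, method and User-Agent together are reported; a matching URI alone (the curl line) is not, which is exactly why a detector keyed on a single field misses this traffic.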
Detection Evasion
By mimicking Apache2's behavior as a simple HTTP(S) reverse proxy, RedWarden blends into normal network traffic, making it hard for security tools to detect. Its ability to strip or repair unexpected and unwanted HTTP headers added by intermediate systems (proxies and caches) helps maintain the malleable C2 profile's contract and reduces the chance of detection.
Deployment
RedWarden is written in Python and is available on GitHub as an open-source project. It is lightweight and flexible, which makes it well suited for red teams to use during engagements.
Monitor the network for proxy activity.
Keep security tools updated with detections for the latest evasion techniques.
Test security to find and fix C2 communication channel weaknesses.
Train security teams on RedWarden to improve detection.