RedGuard by wikiZ

C2 traffic control tool to evade detection

Created 3 years ago
1,519 stars

Top 27.3% on SourcePulse

Project Summary

RedGuard is a C2 front flow control tool designed for red team operations to evade detection by blue teams, AVs, and EDRs. It offers a lightweight, efficient, and reliable solution for hiding C2 channels by managing traffic flow, blocking analysis traffic, and obfuscating communication.

How It Works

RedGuard operates as a reverse proxy, intercepting and manipulating network traffic to disguise C2 communications. It employs techniques such as randomizing TLS JARM fingerprints, forging TLS certificates, and parsing Malleable C2 profiles to mimic legitimate traffic. The tool can block analysis traffic based on JA3 fingerprints, IP blacklists, time restrictions, and custom sample fingerprints, while also supporting domain fronting and load balancing for enhanced stealth.

Quick Start & Requirements

  • Build from source: git clone https://github.com/wikiZ/RedGuard.git, then go build -ldflags "-s -w" -trimpath.
  • Requires the Go toolchain.
  • Configuration is managed via a .RedGuard_CobaltStrike.ini file.
  • Official documentation and usage examples are available in the README.

Highlighted Details

  • Evades detection by Blue Teams, AVs, and EDRs.
  • Supports Malleable C2 Profiles 4.0+.
  • Implements JA3 fingerprint recognition for sandbox evasion.
  • Offers IP-based geographic restrictions and time-based access control.
  • Can hijack responses or redirect traffic to honeypots.

Maintenance & Community

The project is actively developed by "风起" (Feng Qi), who has authored several related articles and presented at security conferences. Community interaction is encouraged via GitHub issues.

Licensing & Compatibility

The repository does not explicitly state a license in the README. Compatibility for commercial use or closed-source linking is not specified.

Limitations & Caveats

The README does not specify a license, which may impact commercial adoption. The feature set is extensive, but some advanced features, such as honeypot integration, rely on specific configurations and external tools.

Health Check

  • Last Commit: 1 year ago
  • Responsiveness: 1 day
  • Pull Requests (30d): 0
  • Issues (30d): 0
  • Star History: 18 stars in the last 30 days
