Modern command-and-control (C2) implants employ encrypted channels, domain fronting, sleep obfuscation, and malleable communication profiles to evade signature-based and behavioral-rule-based detection systems. We observe that, however sophisticated its evasion, every C2 implant must interact with the host operating system (creating threads, allocating memory, opening sockets, triggering context switches) and that these interactions produce measurable perturbations in OS-level performance telemetry. We formalize this observation as a manifold detection problem: under normal operation, the system's state vector traces trajectories on a learned manifold; C2 activity forces the state off-manifold, producing a detectable distance. We propose The Wraith, a dual-layer detection framework comprising a supervised layer trained on known C2 signatures and an unsupervised layer that learns the normal-behavior manifold from raw OS telemetry alone, with an information barrier that prevents any cross-contamination between the two layers. We specify twelve OS-level metric dimensions capturable via Event Tracing for Windows (ETW) and extended Berkeley Packet Filter (eBPF), analyze the feasibility of collecting them at sub-second resolution with under 3% CPU overhead, and propose a rigorous blind validation protocol using Cohen's kappa and permutation testing to determine whether unsupervised manifold-distance detection independently corroborates supervised C2 identification. This paper contributes the mathematical formulation, a complete experimental design, and a falsifiable hypothesis. No experimental results are claimed. Empirical validation using Sliver, Cobalt Strike, Havoc, Mythic, Brute Ratel C4, and Merlin is planned for v2.
Author: Jacob Parmenter.
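The abstract describes two mechanisms without giving code for either: a manifold distance computed from telemetry the unsupervised layer has never seen labels for, and a blind corroboration check (Cohen's kappa plus a permutation test) between that layer's flags and the supervised layer's verdicts. The block below is an added illustration written for this page; it is not The Wraith's code, and it makes several assumptions that the abstract does not settle. The twelve metric names are placeholders (the paper's actual twelve dimensions are not listed in the abstract). The "learned manifold" is a linear subspace fitted by principal-component power iteration, standing in for whatever manifold learner the paper uses. All telemetry is synthetic: normal samples are drawn from a two-factor linear model plus noise, and "C2" samples add a burst on two dimensions that the normal model never uses, so they are off-manifold by construction. Ground-truth labels stand in for the supervised layer's output, since no trained signature model is available here. The information barrier is represented by the fact that `fit_manifold` receives unlabeled telemetry only and the labels are first touched in the corroboration step.

```python
"""Manifold-distance detection on constructed OS telemetry, plus the
kappa / permutation corroboration check. Added example for this page; not the
paper's code. Every number below is synthetic."""
import math
import random

# Placeholder names for twelve telemetry dimensions (assumption: the paper's
# actual metric list is not given in the abstract).
METRICS = ["thread_create", "vm_alloc", "ctx_switch", "page_fault", "syscall_rate",
           "socket_open", "tx_bytes", "rx_bytes", "handle_count", "io_read",
           "io_write", "dpc_time"]
D = len(METRICS)

# Constructed "normal" behaviour: a 2-factor linear manifold embedded in 12-D.
# Loadings are zero on thread_create and socket_open, so a perturbation on those
# two metrics lies outside the normal subspace.
LOADINGS = [
    [0.0, 0.0], [1.2, 0.0], [0.8, 0.5], [0.3, 0.9], [1.0, -0.4],
    [0.0, 0.0], [0.2, 1.1], [0.4, 0.7], [0.9, 0.1], [0.6, 0.6],
    [0.5, -0.8], [0.1, 0.3],
]
NOISE_SD = 0.05


def normal_sample(rng):
    z = (rng.gauss(0, 1), rng.gauss(0, 1))
    return [a[0] * z[0] + a[1] * z[1] + rng.gauss(0, NOISE_SD) for a in LOADINGS]


def c2_sample(rng):
    # Synthetic implant activity: a thread-creation and socket-open burst on
    # top of otherwise normal activity (+1.0 on two metrics, an assumption).
    x = normal_sample(rng)
    x[METRICS.index("thread_create")] += 1.0
    x[METRICS.index("socket_open")] += 1.0
    return x


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def sub(u, v):
    return [a - b for a, b in zip(u, v)]


def scale(u, s):
    return [a * s for a in u]


def fit_manifold(X, k, iters=200, seed=0):
    """Learn a k-dim linear manifold (top-k principal subspace) from unlabeled
    telemetry by orthogonal power iteration. No labels enter this function:
    that is the information barrier between the two layers."""
    n = len(X)
    mean = [sum(col) / n for col in zip(*X)]
    Xc = [sub(x, mean) for x in X]
    cov = [[sum(x[i] * x[j] for x in Xc) / (n - 1) for j in range(D)] for i in range(D)]
    rng = random.Random(seed)
    basis = []
    for _ in range(k):
        v = [rng.gauss(0, 1) for _ in range(D)]
        for _ in range(iters):
            v = [dot(row, v) for row in cov]
            for b in basis:  # Gram-Schmidt: stay orthogonal to axes already found
                v = sub(v, scale(b, dot(v, b)))
            v = scale(v, 1 / math.sqrt(dot(v, v)))
        basis.append(v)
    return mean, basis


def manifold_distance(x, mean, basis):
    """Euclidean distance from x to the learned subspace (reconstruction residual)."""
    r = sub(x, mean)
    for b in basis:
        r = sub(r, scale(b, dot(r, b)))
    return math.sqrt(dot(r, r))


def cohens_kappa(a, b):
    """Chance-corrected agreement between two binary label vectors."""
    n = len(a)
    po = sum(1 for x, y in zip(a, b) if x == y) / n
    pa, pb = sum(a) / n, sum(b) / n
    pe = pa * pb + (1 - pa) * (1 - pb)
    return 1.0 if pe >= 1 else (po - pe) / (1 - pe)


def permutation_test(a, b, n_perm, rng):
    """p-value for H0: the agreement between a and b is no better than chance.
    Returns (observed kappa, p)."""
    observed = cohens_kappa(a, b)
    shuffled = list(b)
    hits = 0
    for _ in range(n_perm):
        rng.shuffle(shuffled)
        if cohens_kappa(a, shuffled) >= observed:
            hits += 1
    return observed, (hits + 1) / (n_perm + 1)


def run_experiment(seed=7):
    rng = random.Random(seed)
    train = [normal_sample(rng) for _ in range(400)]  # unlabeled baseline window
    test = [normal_sample(rng) for _ in range(200)] + [c2_sample(rng) for _ in range(40)]
    truth = [0] * 200 + [1] * 40  # stands in for the supervised layer's verdicts
    mean, basis = fit_manifold(train, k=2)
    train_d = sorted(manifold_distance(x, mean, basis) for x in train)
    threshold = train_d[int(0.99 * len(train_d))]  # 99th percentile of baseline distance
    flags = [1 if manifold_distance(x, mean, basis) > threshold else 0 for x in test]
    kappa, p = permutation_test(truth, flags, n_perm=1000, rng=rng)
    return {
        "threshold": threshold,
        "detected_c2": sum(f for f, t in zip(flags, truth) if t == 1),
        "false_positives": sum(f for f, t in zip(flags, truth) if t == 0),
        "kappa": kappa,
        "p_value": p,
    }


if __name__ == "__main__":
    print(run_experiment())
```

The threshold is set from the baseline window alone, so the detector never sees a C2 sample before scoring; the permutation test then asks how often random relabelling would produce agreement at least as strong as the observed kappa, which is the corroboration question the abstract poses. On real ETW or eBPF telemetry the linear subspace would be replaced by whatever manifold learner the full paper specifies, and the burst perturbation by actual implant traffic, but the barrier and the corroboration arithmetic stay the same.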