Malleable C2 Profiles and You
Understanding Cobalt Strike's Malleable C2 profiles - how attackers customize traffic and how defenders can detect it.
Originally published on Medium
Read the full article: Malleable C2 Profiles and You
What are Malleable C2 Profiles?
Malleable C2 lets Cobalt Strike operators customize:
- HTTP headers
- URI patterns
- Data encoding
- Traffic timing
- SSL/TLS certificates
The goal is to make Beacon's HTTP(S) traffic look like a specific legitimate application instead of the stock Cobalt Strike profile, whose default URIs, headers and certificate are widely signatured.
Profile Anatomy
A minimal http-get block. The client side says where Beacon's session metadata goes (here base64url-encoded into an Authorization header); the server side says how tasking comes back (base64, written straight into the response body by print):
    http-get {
        set uri "/api/v1/users";
        client {
            header "Accept" "application/json";
            metadata {
                base64url;
                header "Authorization";
            }
        }
        server {
            header "Content-Type" "application/json";
            output {
                base64;
                print;
            }
        }
    }
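To make the transform chain concrete, here is an added example (written for this page, not code from the article or from Cobalt Strike) that applies and inverts a chain expressed in the profile's own transform names, builds the GET request the sample profile above would produce, and recovers the raw metadata from a captured request the way a sensor would. It goes beyond the sample block by also handling netbios, netbiosu, prepend and append. The host name and the metadata bytes are constructed, the assumption that base64url keeps its "=" padding is mine, and the mask transform is left out because it depends on a random key.

```python
"""Apply and invert a Malleable C2 data-transform chain.

Added example (not Cobalt Strike code). Transform names follow the profile
language: base64, base64url, netbios, netbiosu, prepend "x", append "x".
The metadata bytes are constructed; real Beacon metadata is an encrypted blob,
so the chain below is only the outer encoding a sensor sees on the wire.
Assumption: base64url keeps its '=' padding.
"""
import base64
import re
from typing import List, Tuple

Transform = Tuple[str, str]  # (transform name, string argument or "")

# Transform chains and terminations taken from the sample http-get block above
PROFILE_URI = "/api/v1/users"
METADATA_CHAIN: List[Transform] = [("base64url", "")]  # terminated with header "Authorization"
OUTPUT_CHAIN: List[Transform] = [("base64", "")]       # terminated with print (response body)


def _netbios(data: bytes, base: str) -> str:
    # Each byte becomes two letters: high nibble, then low nibble, offset from 'a' (or 'A')
    o = ord(base)
    return "".join(chr((b >> 4) + o) + chr((b & 0x0F) + o) for b in data)


def _unnetbios(text: str, base: str) -> bytes:
    o = ord(base)
    if len(text) % 2 or any(not 0 <= ord(c) - o < 16 for c in text):
        raise ValueError("not netbios-encoded")
    return bytes(((ord(text[i]) - o) << 4) | (ord(text[i + 1]) - o)
                 for i in range(0, len(text), 2))


def apply_chain(data: bytes, chain: List[Transform]) -> str:
    """Operator side: run data through the transforms in profile order."""
    out = data
    for name, arg in chain:
        if name == "base64":
            out = base64.b64encode(out)
        elif name == "base64url":
            out = base64.urlsafe_b64encode(out)
        elif name == "netbios":
            out = _netbios(out, "a").encode()
        elif name == "netbiosu":
            out = _netbios(out, "A").encode()
        elif name == "prepend":
            out = arg.encode() + out
        elif name == "append":
            out = out + arg.encode()
        else:
            raise ValueError(f"unsupported transform: {name}")
    return out.decode()


def invert_chain(text: str, chain: List[Transform]) -> bytes:
    """Defender side: undo the transforms in reverse order to recover the raw blob."""
    out = text.encode()
    for name, arg in reversed(chain):
        if name == "base64":
            out = base64.b64decode(out, validate=True)
        elif name == "base64url":
            out = base64.urlsafe_b64decode(out)
        elif name in ("netbios", "netbiosu"):
            out = _unnetbios(out.decode(), "a" if name == "netbios" else "A")
        elif name == "prepend":
            marker = arg.encode()
            if not out.startswith(marker):
                raise ValueError("prepend marker missing")
            out = out[len(marker):]
        elif name == "append":
            marker = arg.encode()
            if not out.endswith(marker):
                raise ValueError("append marker missing")
            out = out[:len(out) - len(marker)]
    return out


def build_get_request(metadata: bytes, host: str = "cdn.example.com") -> str:
    # host is a placeholder; the headers come from the profile's client block
    token = apply_chain(metadata, METADATA_CHAIN)
    return (f"GET {PROFILE_URI} HTTP/1.1\r\nHost: {host}\r\n"
            f"Accept: application/json\r\nAuthorization: {token}\r\n\r\n")


def extract_metadata(request: str) -> bytes:
    # What a sensor does with a captured request: find the termination point
    # named in the profile and run the chain backwards
    m = re.search(r"^Authorization: (\S+)\r?$", request, re.M)
    if not m:
        raise ValueError("no Authorization header")
    return invert_chain(m.group(1), METADATA_CHAIN)


def build_get_response(tasks: bytes) -> str:
    body = apply_chain(tasks, OUTPUT_CHAIN)
    return (f"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


if __name__ == "__main__":
    req = build_get_request(b"\x00\x01\x02\x03 constructed-metadata")
    print(req)
    print(extract_metadata(req))
    print(build_get_response(b"constructed task bytes"))
```

The useful observation for detection is the inverse path: once the termination point (header, parameter, URI suffix or body) is known, a sensor can strip the outer transforms and is left with a fixed-length, high-entropy blob on every check-in, whatever URI or header name the profile chose.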
Common Masquerades
Profiles often impersonate:
- Cloud services (AWS, Azure, GCP)
- CDNs (Cloudflare, Akamai)
- Legitimate APIs
- Popular websites
Detection Strategies
JA3/JA3S Fingerprinting
A Malleable C2 profile primarily shapes the HTTP layer and the certificate the team server presents; the TLS handshake itself comes from the software on each end. The team server's TLS stack therefore yields a recognisable JA3S fingerprint regardless of profile, and the client JA3 reflects the Windows HTTP stack Beacon uses. Two caveats: a redirector or CDN in front of the team server terminates TLS and replaces the server-side fingerprint, and the client-side fingerprint is shared with every other program on the host using the same stack, so JA3 alone is a pivot, not a conviction.
Behavioral Analysis
- Beacon timing patterns
- Metadata size consistency
- Response/request ratios
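The three signals above can be scored from ordinary proxy logs. The following is an added example written for this page, not code from the article: it groups requests per source, host and URI, measures the coefficient of variation of the gaps between requests and of the request sizes, and records how often the response body came back empty. The log format, host names, IP addresses and thresholds are constructed for the example.

```python
"""Beacon-timing and request-size analysis over proxy log lines.

Added example (not from the original article). Log format is constructed:
  <epoch> <src_ip> <method> <host> <uri> <status> <bytes_out> <bytes_in>
The thresholds are starting points, not vendor values; tune them per environment.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

SessionKey = Tuple[str, str, str]  # (src_ip, host, uri)


@dataclass
class Verdict:
    count: int
    mean_interval: float
    interval_cv: float   # pstdev / mean of gaps between requests
    size_cv: float       # pstdev / mean of request sizes (bytes_out)
    empty_ratio: float   # share of requests answered with a near-empty body
    suspicious: bool


def parse_line(line: str) -> Tuple[float, str, str, str, int, int]:
    ts, src, _method, host, uri, _status, bytes_out, bytes_in = line.split()
    return float(ts), src, host, uri, int(bytes_out), int(bytes_in)


def analyze(lines: Iterable[str], min_count: int = 8, max_interval_cv: float = 0.25,
            max_size_cv: float = 0.05, empty_body_max: int = 16) -> Dict[SessionKey, Verdict]:
    """Group requests per (src, host, uri) and score each group for beacon-like behaviour.

    A Beacon on sleeptime S with jitter J sleeps a random value in [S*(1-J/100), S],
    so its gaps cluster tightly below S: low coefficient of variation. Its GET check-in
    carries the same encrypted metadata every time, so request size barely moves, and
    when no task is queued the response body is empty.
    """
    sessions: Dict[SessionKey, List[Tuple[float, int, int]]] = defaultdict(list)
    for line in lines:
        ts, src, host, uri, b_out, b_in = parse_line(line)
        sessions[(src, host, uri)].append((ts, b_out, b_in))

    verdicts: Dict[SessionKey, Verdict] = {}
    for key, events in sessions.items():
        events.sort()
        if len(events) < 2:
            continue  # no interval to measure
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        sizes = [e[1] for e in events]
        mean_gap = statistics.mean(gaps)
        mean_size = statistics.mean(sizes)
        interval_cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0
        size_cv = statistics.pstdev(sizes) / mean_size if mean_size > 0 else 0.0
        empty_ratio = sum(1 for e in events if e[2] <= empty_body_max) / len(events)
        suspicious = (len(events) >= min_count
                      and interval_cv <= max_interval_cv
                      and size_cv <= max_size_cv)
        verdicts[key] = Verdict(len(events), mean_gap, interval_cv, size_cv, empty_ratio, suspicious)
    return verdicts


def sample_logs() -> List[str]:
    """Constructed sample: one Beacon (sleep 60 s, jitter 20 %, so gaps of 48-60 s,
    fixed 412-byte GET, empty body unless a task is queued) and one person browsing
    the same API path from another host."""
    beacon_gaps = [60, 52, 57, 49, 60, 55, 48, 59, 53, 56, 50, 58]
    human_gaps = [3, 1, 45, 2, 310, 7, 1, 120, 4, 2, 600, 9]
    human_sizes = [410, 655, 1203, 388, 902, 377, 541, 2210, 620, 433, 810, 399, 1500]
    human_resp = [5321, 812, 23000, 1400, 9800, 300, 4100, 77000, 2200, 950, 6100, 1800, 12000]
    lines: List[str] = []
    t = 1700000000
    for i, gap in enumerate([0] + beacon_gaps):
        t += gap
        body = 1840 if i == 6 else 0  # one tasking round-trip, otherwise nothing queued
        lines.append(f"{t} 10.0.0.5 GET cdn.example.com /api/v1/users 200 412 {body}")
    t = 1700000000
    for gap, req, resp in zip([0] + human_gaps, human_sizes, human_resp):
        t += gap
        lines.append(f"{t} 10.0.0.9 GET cdn.example.com /api/v1/users 200 {req} {resp}")
    return lines


if __name__ == "__main__":
    for key, v in analyze(sample_logs()).items():
        flag = "BEACON?" if v.suspicious else "ok"
        print(f"{flag:8} {key} n={v.count} gap={v.mean_interval:.1f}s "
              f"gap_cv={v.interval_cv:.2f} size_cv={v.size_cv:.2f} empty={v.empty_ratio:.2f}")
```

The empty-response ratio is reported rather than used as a hard condition, because an operator who is actively tasking the Beacon will push the ratio down; timing and size consistency survive that, while high jitter values widen the gap distribution and call for a looser interval threshold.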
Known Profile Indicators
URI strings lifted from public profiles are cheap to search for but low fidelity, because legitimate APIs use the same paths. Treat hits as a pivot into the timing and size checks above rather than as an alert on their own. Splunk example, using the URI from the sample profile plus two other generic paths:
    index=proxy
    | where match(uri, "/api/v1/users|/cloud/sync|/update/check")
    | stats count by src_ip, uri, user_agent
Certificate Analysis
Look for self-signed certificates, certificates whose subject or issuer fields are left at defaults or do not match the hostname, and recently issued certificates on hosts that receive periodic check-ins. The https-certificate block lets an operator set these fields to whatever they like, so a clean certificate is absence of evidence, not evidence of absence.
Defense Recommendations
- Deploy JA3 fingerprinting
- Monitor for beacon timing
- Analyze HTTP anomalies
- Use threat intel for known profiles