Cobalt Strike’s Beacon uses customizable Malleable C2 profiles to shape how it talks to its team server, enabling realistic emulation and evasion of detection. The article contrasts the default profile with customized profiles, showing how URI patterns, headers, and metadata can be altered (including MicrosoftUpdate-like traffic) to complicate detection and highlighting real-world cases and defenses.
#CobaltStrike #Beacon #MalleableC2 #Etumbot #DidierStevens #MicrosoftUpdate #SymantecAVXYZ #DNSBeacon
Keypoints
- The post explains that Cobalt Strike is a threat emulation tool used both by blue-team defenders and real attackers, with Beacon acting as the embedded C2 component.
- Profiles (global vs. local options) control how Beacon communicates, including the frequency of check-ins and the specific HTTP/DNS indicators used.
- The default profile uses predefined URI patterns, but customized profiles can alter URIs, UA strings, metadata, and data transformations to evade pattern-based detections.
- Examples show how HTTP GET/POST traffic is structured and how URIs like /load and /submit.php appear in default traffic, while customized profiles can use different URIs.
- Public profiles like Etumbot illustrate global options and HTTP transaction customization, including headers, metadata encoding, and task delivery/response flows.
- Cases in the wild demonstrate both default and customized profiles, with customized traffic capable of masquerading as legitimate traffic (e.g., MicrosoftUpdate) to blend in with normal activity.
- Didier Stevens’s 1768.py script can decode Beacon configurations, revealing differences in instructions and data transformations between profiles.
MITRE Techniques
- [T1071.001] Web Protocols – Beacon traffic via HTTP GET/POST to the team server; “Beacon check-in to get task from teamserver with HTTP GET request.”
- [T1071.004] DNS – DNS-based C2 communication; “After Cobalt Strike v4.3, DNS options became part of the dns-beacon transaction.”
- [T1132] Data Encoding – Metadata and payloads encoded/transformed; “Build Metadata: [7:Metadata,… BASE64]”
- [T1041] Exfiltration Over C2 Channel – Task outputs sent back to the server; “The output of the task is transferred in the http-post transaction.”
- [T1036] Masquerading – URIs are manipulated to resemble legitimate update traffic; “Both of these URIs are prepended with /MicrosoftUpdate … to seem like a legitimate HTTP request to Microsoft servers.”
Indicators of Compromise
- [SHA-256] CS Sample – 6a6e5d2faeded086c3a97e14994d663e2ff768cb3ad1f5a1aa2a2b5fd344dde2
- [SHA-256] CS Sample – fcdc426289dab0e5a73cd6fbac928ad48a8ff9b67e1d37df2794af6e7fa559e9
- [SHA-256] CS Beacon Sample /Iya9 – 08e901d4ed0b43b46e632158f5ec5e900f16015e18995a875f62903a3c1eb1f9
- [SHA-256] CS Beacon Sample /api/1 – d8b385d680bcdf7646f35df612712f7a3991f50a21cac8379630d05b3d2337ae
- [Domain] CS Team Server Domain – www.symantecav[.]xyz
- [IP Address] CS Team Server IP – 66.42.72[.]250
- [IP Address] CS Team Server IP – 146.0.77[.]110
- [URI Path] Default GET – /load
- [URI Path] Default POST – /submit.php
- [URI Path] Customized GET – /MicrosoftUpdate/GetUpdate/KB
- [HTTP User-Agent] Original – Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
- [HTTP User-Agent] Altered – Mozilla/4.0 (Compatible; MSIE 6.0;Windows NT 5.1)
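As an added example (not code from the Unit 42 article, from Didier Stevens's 1768.py, or from Cobalt Strike itself), the Python below runs the URI, User-Agent and team-server indicators listed above over a few constructed web-proxy log lines. The log layout (`METHOD HOST PATH "USER-AGENT"`), the scoring weights, and the non-indicator hostnames and KB number in the samples are assumptions; only the indicator values come from the page.

```python
"""Score proxy log lines against the Cobalt Strike indicators listed on this page."""
import re
from dataclasses import dataclass, field

# Indicator values copied from the page's IoC list.
DEFAULT_URIS = {("GET", "/load"), ("POST", "/submit.php")}      # default profile
CUSTOM_URI_PREFIXES = ("/MicrosoftUpdate/GetUpdate/KB",)        # customized profile
ALTERED_USER_AGENT = "Mozilla/4.0 (Compatible; MSIE 6.0;Windows NT 5.1)"
TEAM_SERVER_HOSTS = {"www.symantecav.xyz", "66.42.72.250", "146.0.77.110"}

# Assumed log layout (constructed for this example, not a real proxy format):
#   METHOD HOST PATH "USER-AGENT"
LOG_RE = re.compile(r'^(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<path>\S+)\s+"(?P<ua>[^"]*)"\s*$')


@dataclass
class Hit:
    line: str
    reasons: list = field(default_factory=list)
    score: int = 0


def evaluate_line(line: str):
    """Return a Hit describing which indicators matched, or None if nothing did."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable; a real pipeline would surface these separately
    method, host, path, ua = m.group("method", "host", "path", "ua")
    # The default POST URI carries a query string (/submit.php?id=...), so compare
    # on the path component only.
    path_only = path.split("?", 1)[0]
    hit = Hit(line=line.strip())

    # Strong signals: a known team server, or the customized update-lookalike URI.
    if host.lower() in TEAM_SERVER_HOSTS:
        hit.reasons.append(f"known team server host {host}")
        hit.score += 3
    if any(path_only.startswith(p) for p in CUSTOM_URI_PREFIXES):
        hit.reasons.append("customized URI masquerading as Microsoft update traffic")
        hit.score += 3
    # Medium signal: the altered IE6-era User-Agent from the customized profile.
    if ua == ALTERED_USER_AGENT:
        hit.reasons.append("altered User-Agent from customized profile")
        hit.score += 2
    # Weak signal on its own: the default profile URIs are short and generic,
    # so they only count when the method matches as well.
    if (method, path_only) in DEFAULT_URIS:
        hit.reasons.append(f"default profile {method} URI {path_only}")
        hit.score += 1
    return hit if hit.reasons else None


def scan(lines, min_score=1):
    """Evaluate every line and keep the hits at or above min_score."""
    return [h for h in map(evaluate_line, lines) if h and h.score >= min_score]


# Constructed sample log; hostnames other than the page's indicators are placeholders.
CHROME_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36")
SAMPLE_LOG = [
    f'GET www.symantecav.xyz /load "{CHROME_UA}"',
    f'POST 66.42.72.250 /submit.php?id=12345 "{CHROME_UA}"',
    'GET cdn.example.net /MicrosoftUpdate/GetUpdate/KB0000000 '
    '"Mozilla/4.0 (Compatible; MSIE 6.0;Windows NT 5.1)"',
    'GET www.example.com /index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    'POST intranet.example.com /load "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit.score, hit.reasons, hit.line)
```

The original Chrome 55 User-Agent is deliberately not used as an indicator: it is common enough in real traffic that matching on it alone would be noise, whereas the altered IE6 string on a modern host, the `/MicrosoftUpdate/GetUpdate/KB` prefix on a non-Microsoft host, or a connection to one of the listed team servers each stands on its own. The fifth sample line (`POST` to `/load`) is intentionally not flagged, because the page only associates `/load` with the default GET transaction.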
Read more: https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/