Our previous report on Cobalt Strike focused on the most frequently used capabilities that we had observed. In this report, we will focus on the network traffic it produced, and provide some easy wins defenders can be on the lookout for to detect beaconing activity. Even though network monitoring and detection capabilities do not come easy for many organizations, they can generally offer a high return on investment if implemented correctly.

Big shout-out to for helping put this Part 2 together! Also thanks to, and for reviewing this report.

As with our previous article, we will highlight the common ways we see threat actors using Cobalt Strike. We cover topics such as domain fronting, SOCKS proxy, C2 traffic, Sigma rules, JARM, JA3/S, RITA & more.

Malware has to contact its C2 server if it is to receive further instructions. This article will demonstrate how to detect this communication before threat actors accomplish their objectives. There are a couple of factors that we can utilize to fingerprint any suspicious traffic and the infrastructure behind it. Before we get into that part, we should first discuss what makes Cobalt Strike so versatile.

Cobalt Strike's versatility comes from the ability to change the indicators with each payload. This is made possible thanks to Malleable C2 profiles. Our other post touched on Malleable C2 profiles and how threat actors use them; however, that was just some of their many applications. Below you can find information on some of the most important fields that could throw off an analyst while investigating Cobalt Strike network communication. The reference profile below is taken from Raphael Mudge's GitHub repository.

set sleeptime "0"
set uri " " " " " " " " <= # Specifying the URI to reference in bidirectional communication from client and server.
set verb "POST" <= # Setting the verb when requesting available tasks from the C2 server.
header "Host" "" <= # Setting the header specific to client communication with the C2.
# Metadata corresponds to the information that the beacon is sending to the C2 server about itself. The operators may choose to enable additional fields that will include data on the C2 communication.
base64url <= # URL-safe Base64 encoded string
#base64 <= # Base64 encoded string
#mask <= # Encrypting and encoding the data with an XOR mask and a random key
#netbios <= # Encoding data as netbios in lower case
#netbiosu <= # Another variation of netbios encoding (upper case)
append ".php" <= # Choosing a string to append to the transmitted data
#prepend "TEST123" <= # Choosing a string to prepend to the transmitted data
# Termination statements: this statement tells Beacon and its server where in the transaction to store the transformed data. You may choose one of these termination statement methods.
parameter "file" <= # Adding a parameter to the URI.
#header "Cookie" <= # Adding a specific string within a specific header.
#uri-append <= # Adding a specific string to the URI.

We added comments to the profile above to explain the numerous fields operators can change to customize the profile to their needs. All these different fields provide control and flexibility over the indicators of the C2 channel. Many free, open-source randomizer scripts exist to create a unique profile, such as Random C2 Profile Generator, Malleable-C2-Randomizer and C2concealer.

Below are some of the Cobalt Strike C2 servers that we observed during intrusions. In the right column, we show the URLs that the Cobalt Strike payloads were configured to query. A trained eye could spot some of the Malleable profiles that exist on freely available resources such as Raphael Mudge's list on his GitHub page.
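As an added example (not code from the original report or from Cobalt Strike), the following Python undoes a profile's data-transform chain in reverse order, the way an analyst recovers the raw metadata blob from a captured request, for the statements annotated in the profile above (prepend, append, base64, base64url, netbios, netbiosu, mask) and the termination statement parameter "file". The byte layouts of netbios (one letter per nibble starting at 'a' or 'A') and mask (a 4-byte XOR key prepended to the data) are this example's assumptions, as is the constructed C2 hostname and path used when exercising it.

```python
import base64
import os
from urllib.parse import parse_qs, urlsplit

# Assumed layouts (not given in the article): netbios maps each nibble to one
# letter from 'a' (netbios) or 'A' (netbiosu); mask prepends its 4-byte XOR key.
def _nb_enc(data, base):
    return bytes(base + n for b in data for n in (b >> 4, b & 0x0F))

def _nb_dec(data, base):
    nibs = [c - base for c in data]
    if len(nibs) % 2 or not all(0 <= n < 16 for n in nibs):
        raise ValueError("not netbios-encoded")
    return bytes((hi << 4) | lo for hi, lo in zip(nibs[::2], nibs[1::2]))

def _mask_enc(data):
    key = os.urandom(4)  # random key per message, as the profile comment describes
    return key + bytes(b ^ key[i % 4] for i, b in enumerate(data))

def _mask_dec(data):
    return bytes(b ^ data[i % 4] for i, b in enumerate(data[4:]))

# Profile statement -> (encode, decode); prepend/append carry a literal instead.
CODECS = {
    "base64":    (base64.b64encode, base64.b64decode),
    "base64url": (lambda d: base64.urlsafe_b64encode(d).rstrip(b"="),
                  lambda d: base64.urlsafe_b64decode(d + b"=" * (-len(d) % 4))),
    "netbios":   (lambda d: _nb_enc(d, 0x61), lambda d: _nb_dec(d, 0x61)),
    "netbiosu":  (lambda d: _nb_enc(d, 0x41), lambda d: _nb_dec(d, 0x41)),
    "mask":      (_mask_enc, _mask_dec),
}

def decode_chain(data, chain):
    """Undo the transforms in reverse profile order, checking each prepend/append literal.

    chain is the profile's statement list, e.g. [("base64url",), ("append", ".php")].
    """
    for stmt, *args in reversed(chain):
        if stmt in ("prepend", "append"):
            lit = args[0].encode()
            if not (data.startswith(lit) if stmt == "prepend" else data.endswith(lit)):
                raise ValueError(f"expected {stmt} literal {args[0]!r}")
            data = data[len(lit):] if stmt == "prepend" else data[:-len(lit)]
        else:
            data = CODECS[stmt][1](data)
    return data

def metadata_from_url(url, chain, param="file"):  # termination statement: parameter "file"
    blob = parse_qs(urlsplit(url).query).get(param, [None])[0]
    if blob is None:
        raise ValueError(f"parameter {param!r} missing from request")
    return decode_chain(blob.encode(), chain)
```

With the active statements of the profile above (base64url, append ".php", parameter "file"), a request for `/index?file=QUJD.php` decodes back to the metadata bytes `ABC`; a literal that does not match raises instead of silently returning garbage.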