One of the core tenets of Cobalt Strike’s development philosophy is to keep adding flexibility to the product so that operators can use it in a way that suits their needs. Do you want to be evasive and cover your tracks? Emulate an APT? Be noisy to see whether your blue team will notice and catch you? Cobalt Strike is built to adapt.
Malleable Command and Control
Cobalt Strike creator Raphael Mudge introduced Malleable C2 way back in 2014 when he debuted Cobalt Strike 2.0. It was a groundbreaking feature at the time and has been emulated by numerous other C2 frameworks since then. Imitation really is the sincerest form of flattery!
Simply put, a Malleable C2 profile is a program that specifies how to transform data and store it in a transaction. The same process is used to extract and recover data from a transaction. The Malleable C2 profile is used to set various default values, such as how often Beacon checks in and what its memory footprint looks like. It is also used to control Beacon’s network traffic indicators, allowing you to dictate exactly how you want Cobalt Strike’s traffic to look. A few scenarios may include:
Blending in on Target
An operator can configure a Malleable C2 profile to disguise Beacon’s network signatures to blend in with typical traffic on a target network. This would usually mean making Beacon’s communications with the team server look like the innocuous requests of an average user accessing web applications. This approach is beneficial for ensuring this traffic blends in smoothly with other network activities during peak times, while also remaining inconspicuous on a quieter network.
Emulate Known APT Network Traffic Indicators
Malleable C2 can also be modified as a means of testing the detection skills of a target’s existing defences. By having red teams replicate the behaviours of known adversaries, blue teams can benchmark their capabilities against genuine threat actors. This helps identify whether their security measures are sufficient to detect and mitigate real-world threats.
Increase Noise
Cobalt Strike’s flexibility enables a variety of different use cases, including deliberately being noisy to see whether a blue team will catch the operator. Just as C2 profiles can be modified to help Beacon’s communications blend in with normal traffic, they can also be configured to make those communications stand out and test the blue team’s detection capabilities in a different way. Similarly, changing default values such as the SMB pipe name or the default host process for Beacon can also increase (or decrease) noise.
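The check-in interval and jitter that a profile sets are exactly what a blue team looks for from the other side of the wire. The following is an added example, not code from this post or from Cobalt Strike, showing one simple beaconing check over constructed proxy-style log lines: one host models a regular 60-second check-in shortened by up to 20% jitter, another models a person browsing irregularly, and the detector flags the pair whose inter-arrival gaps are suspiciously uniform. The log format, hostnames, timestamps and thresholds are all assumptions made for the illustration.

```python
"""Beaconing cadence check over constructed proxy log lines (added example)."""
import random
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

LOG_FORMAT = "%Y-%m-%dT%H:%M:%S"


def build_sample_log(seed=7):
    """Construct proxy-style lines: '<timestamp> <client> <server> <path>'.

    Host 10.0.0.5 models a check-in every 60 s, shortened by up to 20 % (a
    simple jitter model); host 10.0.0.9 models a user browsing with irregular
    gaps. All values are made up for this example.
    """
    rng = random.Random(seed)
    start = datetime(2024, 3, 1, 9, 0, 0)
    lines = []

    t = start
    for _ in range(40):
        lines.append(f"{t.strftime(LOG_FORMAT)} 10.0.0.5 cdn.example.test /api/v1/updates")
        t += timedelta(seconds=60 * (1 - rng.uniform(0, 0.20)))

    t = start
    for gap in [5, 300, 12, 900, 3, 45, 1200, 8, 2, 700,
                30, 15, 3000, 4, 90, 20, 11, 450, 6, 1500]:
        t += timedelta(seconds=gap)
        lines.append(f"{t.strftime(LOG_FORMAT)} 10.0.0.9 news.example.test /article/{gap}")
    return lines


def parse_line(line):
    """Split one constructed log line into (timestamp, client, server, path)."""
    ts, client, server, path = line.split(" ", 3)
    return datetime.strptime(ts, LOG_FORMAT), client, server, path


def interval_stats(lines):
    """Per (client, server) pair: event count, mean gap and coefficient of
    variation (stdev / mean) of the gaps between consecutive connections."""
    times = defaultdict(list)
    for line in lines:
        ts, client, server, _ = parse_line(line)
        times[(client, server)].append(ts)

    stats = {}
    for key, ts_list in times.items():
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        if len(gaps) < 2:
            continue  # not enough events to say anything about cadence
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        stats[key] = {"count": len(ts_list), "mean_gap": avg, "cv": cv}
    return stats


def find_beacon_candidates(lines, min_events=20, max_cv=0.25):
    """Return (client, server) pairs with many connections and a low
    coefficient of variation, i.e. a cadence too regular for a human.

    Caveat: a long sleep with high jitter, or a profile that varies its
    pattern, pushes the CV up and evades this check; in practice this is
    one signal to corroborate with URI, User-Agent and byte-count patterns.
    """
    stats = interval_stats(lines)
    return sorted(k for k, s in stats.items()
                  if s["count"] >= min_events and s["cv"] <= max_cv)


if __name__ == "__main__":
    sample = build_sample_log()
    for pair, s in sorted(interval_stats(sample).items()):
        print(pair, f"count={s['count']} mean_gap={s['mean_gap']:.1f}s cv={s['cv']:.2f}")
    print("beacon candidates:", find_beacon_candidates(sample))
```

Running the block prints the per-pair statistics and flags only the 10.0.0.5 pair; raising the jitter in `build_sample_log` or lengthening the sleep shows how quickly the coefficient of variation rises and the simple check loses the beacon.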
Error Checking
Cobalt Strike ships with a small program known as c2lint. When executed against a Malleable C2 profile, it checks the profile’s syntax, applies a few sanity checks and runs some unit tests. It will let you know whether there are any errors or anything else that needs to be addressed before you put the profile into play on an engagement.
Profile Syntax and Getting Started
The Malleable C2 profile syntax is fully documented within the Cobalt Strike documentation. While new profiles can be made from scratch, operators can also modify an existing profile, tailoring it for a specific engagement. There are lots of examples to be found, including ones published by our community members as well as a number of examples in the public Cobalt Strike GitHub. A 2018 blog post by Joe Vest and accompanying GitHub repository (which is still actively maintained) are also useful resources.