Malleable C2 Cobalt Strike

Hi Hackers,

I want to discuss creating a cobalt strike malleable C2 profile that handles the beacon connection. By setting up it properly, we can manipulate the beacon connection into trustworthiness by the security devices. There are a lot of profile available on the internet available that you can use

Cobalt strike beacon will communicate with the server using http-post and http-get and http-post

How to Write Malleable C2 Profiles for Cobalt Strike

with the C2 profile, we can arrange our http communication to mimic legitimate http traffic, We can mimic our traffic looks like google.com, amazon.com and many other traffic to evade the detection

The http-get

from the above picture we can see two blocks client and server. We can setup what the http header and parameter will look like in order to evade our beacon communication. Lets analyse this in the http debugger

Request Details

Response Details

we can see from both screenshot above the mapping that we can use to evade the connection.

The HTTP-Post

Request Details

Response Details

Beacon will use HTTP-post to submit data to the server. Although we can see that the domain is rioasmara.com, the actual IP is my local IP. So if the defender is not careful in assessing the traffic, then it will look legitimate

We can see below that Cobalt Strike beacon downloading Mimikatz from the server and sending the result via http-post

Sending the result back to the server.

Cobalt strike gives some freedom for you to craft your C2 profile. You can mimic legitimate traffic as you want. This would make the evasion even better because it is tough to differentiate the beacon traffic and normal traffic.

Sample of Hash Dump mimicking Gmail traffic profile

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s