Cobalt Strike and Malleable C2 Profiles

As you know, Cobalt Strike is a commercial tool. Like most things, it can be used for positive or negative purposes. When it comes to detection logic, signatures, and alerts, we're not here to talk about the "good uses". Out of the box, Cobalt Strike supports covert channels for data exfiltration: it purposefully disguises whatever traffic it wants as another type of traffic to slip past detection and monitoring efforts.

We often see Cobalt Strike as the interim step between droppers and ransomware. So how do we detect it on the network as part of defense in depth? Of course, at Proofpoint we work every day to prevent this from happening at all. But what if some customers only have ETPRO/IDS?

When deployed, Cobalt Strike beacons out and can be made to attempt exfiltration. Because it obfuscates its traffic to look legitimate, we can create detections based on the known profiles used for that purpose. Cobalt Strike's Malleable C2 feature lets the operator choose from different command-and-control profiles that mimic legitimate traffic; plainly, that means the beacon's traffic can be made to look like just about anything. Since it is a commercial tool intended for legitimate purposes, some of this capability is publicly available.

In practice, we find these profiles, examine them, model them, and then write detections against them. Many such profiles can be found on GitHub, and analysis of that code gives us good artifacts to write signatures on proactively.
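As an added illustration of that examine-model-detect loop (my own code, not Proofpoint's, Emerging Threats' or Cobalt Strike's), the script below pulls the static client-side artifacts out of a Malleable C2 http-get block and then checks sample HTTP requests for them the way a signature would. The profile fragment, hostname and requests are all constructed for the example and do not come from any published profile.

```python
import re

# Constructed Malleable C2 profile fragment; values are made up, not from any real profile.
PROFILE = '''
http-get {
    set uri "/api/v1/status/check";
    client {
        header "Accept" "*/*";
        header "Host" "cdn.example-constructed.test";
        metadata { base64; prepend "sid="; header "Cookie"; }
    }
}
'''

def extract_artifacts(profile):
    """Model the fixed strings the profile forces into every beacon GET."""
    get_block = re.search(r'http-get\s*\{(.*)\}', profile, re.S).group(1)
    uri = re.search(r'set uri\s+"([^"]+)"', get_block).group(1)
    # Two-argument header lines are constant values the client always sends.
    headers = dict(re.findall(r'header\s+"([^"]+)"\s+"([^"]*)"\s*;', get_block))
    meta = re.search(r'metadata\s*\{(.*?)\}', get_block, re.S).group(1)
    # In metadata, a one-argument header names the carrier; prepend gives it a fixed prefix.
    carrier = re.search(r'header\s+"([^"]+)"\s*;', meta)
    prefix = re.search(r'prepend\s+"([^"]*)"', meta)
    return {"uri": uri, "headers": headers,
            "carrier": carrier.group(1) if carrier else None,
            "prefix": prefix.group(1) if prefix else ""}

def parse_request(raw):
    # Minimal HTTP/1.1 request parser: (method, path, lowercased header dict).
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, path, _ = head[0].split(" ", 2)
    hdrs = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    return method, path, hdrs

def matches_profile(raw, art):
    """True when a request carries every static artifact of the modelled profile."""
    method, path, hdrs = parse_request(raw)
    fixed_ok = all(hdrs.get(k.lower()) == v for k, v in art["headers"].items())
    carrier_ok = (art["carrier"] is None
                  or hdrs.get(art["carrier"].lower(), "").startswith(art["prefix"]))
    return method == "GET" and path == art["uri"] and fixed_ok and carrier_ok

# Constructed sample traffic: one request shaped by the profile, one benign look-alike.
BEACON = ("GET /api/v1/status/check HTTP/1.1\r\nHost: cdn.example-constructed.test\r\n"
          "Accept: */*\r\nCookie: sid=YWJjZGVm\r\n\r\n")
BENIGN = ("GET /api/v1/status/check HTTP/1.1\r\nHost: cdn.example-constructed.test\r\n"
          "Accept: text/html\r\nCookie: csrftoken=abc\r\n\r\n")
```

In a production rule those same artifacts become Suricata content matches on the http.uri, http.header and http.cookie buffers; a single artifact on its own is rarely unique enough, which is why the signatures above combine several per profile.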

Here's a sampling of our ET Open Cobalt Strike Malleable C2 signatures:

2032748: Cobalt Strike Malleable C2 Webbug Profile

2032749: Cobalt Strike Malleable C2 Amazon Profile

2032750: Cobalt Strike Malleable C2 OCSP Profile

2028588: [TGI] Cobalt Strike Malleable C2 Request (O365 Profile)

2028589: [TGI] Cobalt Strike Malleable C2 Response (O365 Profile) M2

2028590: [TGI] Cobalt Strike Malleable C2 Response (YouTube Profile)

2028591: [TGI] Cobalt Strike Malleable C2 Request (YouTube Profile)

2029381: Cobalt Strike Malleable C2 Request (Stackoverflow Profile)

2029740: Cobalt Strike Malleable C2 (Havex APT)

2029741: Cobalt Strike Malleable C2 (Magnitude EK)

2029742: Cobalt Strike Malleable C2 (Meterpreter)

2029743: Cobalt Strike Malleable C2 (OneDrive)

2029744: Cobalt Strike Malleable C2 (Adobe RTMP)

2032751: Cobalt Strike Malleable C2 (jquery Profile)

2030347: Cobalt Strike Malleable C2 (Safebrowse Profile) GET

2030344: Cobalt Strike Malleable C2 (Safebrowse Profile) POST

2030349: Observed Malicious SSL Cert (Cobalt Strike Malleable C2 Domain)

2032746: Cobalt Strike Malleable C2 (QiHoo Profile)

2032752: Cobalt Strike Malleable C2 (Microsoft Update GET)

2033658: Cobalt Strike Malleable C2 JQuery Custom Profile M2

2032747: Cobalt Strike Malleable C2 (MSDN Query Profile)

2028831: Hash - Suspected Cobalt Strike Malleable C2 M1 (set)

2028832: Hash - Suspected Cobalt Strike Malleable C2 (ja3s) M1

2029977: Cobalt Strike Malleable C2 (Custom)

2029978: Cobalt Strike Malleable C2 (Custom)

2032754: Cobalt Strike Malleable C2 (TrevorForget Profile)

2032953: Cobalt Strike Malleable C2 (Unknown Profile)

2032956: Cobalt Strike Malleable C2 (Unknown Profile)

2032957: Cobalt Strike Malleable C2 (Unknown Profile)

2032964: Cobalt Strike Malleable C2 Profile (btn_bg)

2032965: Cobalt Strike Malleable C2 Profile (__session__id Cookie)

2032966: Cobalt Strike Malleable C2 Profile (bg)

2032975: Cobalt Strike Malleable C2 Profile (Teams) M1

2032976: Cobalt Strike Malleable C2 Profile (Teams) M2

2033008: Cobalt Strike Malleable C2 JQuery Custom Profile M3

2033009: Cobalt Strike Malleable C2 JQuery Custom Profile Response

2034868: NOBELIUM - Cobalt Strike Malleable Profile M1

2035216: NOBELIUM - Cobalt Strike Malleable Profile M2

2032756: Cobalt Strike Malleable C2 (WooCommerce Profile)

2032757: Cobalt Strike Malleable C2 (WooCommerce Profile)

2032755: Cobalt Strike Malleable C2 (Wordpress Profile)

2033141: Cobalt Strike Malleable C2 (WooCommerce Profile)

2033148: Cobalt Strike Malleable C2 Profile (extension.css)

2033158: Cobalt Strike Malleable C2 Profile wordpress_ Cookie Test

2033796: Cobalt Strike Malleable C2 (Custom Profile)

2034463: Cobalt Strike Malleable C2 JQuery Custom Profile M5

2037096: Cobalt Strike Malleable C2 Amazon Profile Variant (GET)

2037154: Cobalt Strike Malleable C2 JQuery Custom Profile M6

2034084: Cobalt Strike Malleable C2 Amazon Profile POST (JPEG)

2034085: Cobalt Strike Malleable C2 Amazon Profile POST (PNG)

2034086: Cobalt Strike Malleable C2 Amazon Profile POST (RIFF)

2037844: Cobalt Strike Malleable C2 Beacon (Custom)
