{
	"id": "7532f720-cf7d-4668-a5bb-40a0c96dc824",
	"created_at": "2026-04-06T00:10:04.298379Z",
	"updated_at": "2026-04-10T13:12:26.730034Z",
	"deleted_at": null,
	"sha1_hash": "1df285b34a90d4aa0a50202155d6d6ba360b4582",
	"title": "Cobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3380229,
	"plain_text": "Cobalt Strike Analysis and Tutorial: How Malleable C2 Profiles\r\nMake Cobalt Strike Difficult to Detect\r\nBy Chris Navarrete, Durgesh Sangvikar, Andrew Guan, Yu Fu, Yanhui Jia, Siddhart Shibiraj\r\nPublished: 2022-03-16 · Archived: 2026-04-05 16:16:02 UTC\r\nExecutive Summary\r\nCobalt Strike is commercial threat emulation software that emulates a quiet, long-term embedded actor in a\r\nnetwork. This actor, known as Beacon, communicates with an external team server to emulate command and\r\ncontrol (C2) traffic. Due to its versatility, Cobalt Strike is commonly used as a legitimate tool by red teams – but is\r\nalso widely used by threat actors for real-world attacks.\r\nCobalt Strike users control Beacon’s HTTP indicators through a profile, and can select either the default profile or\r\na customizable Malleable C2 profile.\r\nIn this blog post, we will go through the concepts and definitions associated with these profiles, and explore\r\ndifferences between default and customized Malleable C2 profiles used in the Cobalt Strike framework as well as\r\nin some true attacks in the wild. In doing so, we demonstrate how the Malleable C2 profile lends versatility to\r\nCobalt Strike, and why this versatility makes Cobalt Strike an effective emulator for which it is difficult to design\r\ntraditional firewall defenses.\r\nPalo Alto Networks customers receive protections against malicious uses of Cobalt Strike through Cortex XDR\r\nand the WildFire and Threat Prevention subscriptions for the Next-Generation Firewall.\r\nProfile Options for Cobalt Strike\r\nThe Cobalt Strike tool’s primary configuration is specified using a profile file. 
The tool uses the values present in\r\nthe profile to generate the Beacon payload, and users create the profile and set its values with a Malleable\r\nCommand and Control (C2) profile language.\r\nThe profile specifies how the beacon will transform and store data in a transaction.\r\nWithin a profile, options are divided into global options and local options. Global options update the global\r\nBeacon settings, while local options are transaction-specific. Local option changes within one transaction do not\r\naffect the output from other transactions.\r\nThe profile is divided into multiple sections to specify the values for different parts of the C2 communications. An\r\nexample of a generic structure of the profile is as follows:\r\n# this is a comment\r\nset global_option \"value\";\r\nprotocol-transaction {\r\n     set local_option \"value\";\r\n     client {\r\n          # customize client indicators\r\n     }\r\n     server {\r\n          # customize server indicators\r\n     }\r\n}\r\nDifferent parts of the profile are explained below.\r\nGlobal Options\r\nGlobal options apply to all C2 communications. Options such as sleeptime and jitter define the frequency of\r\nBeacon’s check-in with the team server. Here is a list of a few global options with example values:\r\nset sample_name \"Profile Name\";\r\nset sleeptime \"30000\";\r\nset jitter    \"20\";\r\nset useragent \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36\";\r\nset host_stage \"false\";\r\nIf you are interested in a more comprehensive list of all the global options, refer to this Cobalt Strike user guide.\r\nLocal Options\r\nOn the other hand, the scope for local options is per transaction only. 
The options for one transaction do not affect\r\nthe other.\r\nExamples of local options:\r\nset uri \"URI_For HTTP transaction\";\r\nset verb \"POST\";\r\nset uri_x86 \"StagerURI_for_x86\";\r\nset uri_x64 \"StagerURI_for_x64\";\r\nIn addition to these options, a profile can specify different protocol-transactions to carry out different actions.\r\nBelow are example transactions, as well as brief explanations of their usage:\r\nhttp-stager: The Beacon is a staged payload. The stager downloads the file and injects it into memory. The\r\nvalues listed in this transaction customize the HTTP communication for downloading the beacon.\r\ndns-beacon: After Cobalt Strike v4.3, DNS options became part of the dns-beacon transaction. This\r\ntransaction modifies the DNS C2 communication. If you are interested in a more comprehensive list of all\r\nthe dns-beacon options, refer to this Cobalt Strike user guide.\r\nhttp-get: The http-get transaction customizes the HTTP communication between the Beacon and the team\r\nserver. The Beacon starts by sending the HTTP request with metadata about the compromised system. If\r\nthe team server has tasks to execute, the server sends an HTTP response.\r\nhttp-post: Once the Beacon executes the tasks sent by the server, the output of the task is transferred in the\r\nhttp-post transaction. The values listed in this transaction affect the HTTP communication when the task\r\noutput is sent over to the server.\r\nhttps-certificate: If the Beacon is tasked to communicate over HTTPS, the team server generates a self-signed certificate. The team server uses http-get and http-post transaction values to create actual HTTP\r\nrequests and responses. This profile transaction can help to specify the different parameters for SSL\r\ncertificates. 
If you are interested in a more comprehensive list of all the https-certificate options, refer to\r\nthis Cobalt Strike user guide.\r\nFigure 1. Cobalt Strike default profile.\r\nCobalt Strike Default Profile\r\nThe default profile will be loaded if no other customized profiles are specified. Figure 1, above, is the\r\nspecification of the default profile, and Figure 2, below, is an example of traffic capture from the default profile\r\nusing the web drive-by-download option in a Cobalt Strike team server.\r\nFigure 2. An example traffic capture from the default profile.\r\nFrom Figure 2, you can see that there are several HTTP transactions of GET and POST requests and responses.\r\nFor GET requests, most of the request URIs are very short and have predefined patterns. The URIs are\r\nrandomly chosen from the list of URIs specified under set uri in the default profile in Figure 1 (see Table 1\r\nbelow for the complete list). Malicious attackers can easily modify the URI to arbitrary strings if they use a\r\ncustomized profile with set uri options inside the http-get section. This also explains why a pattern-based\r\nsignature might catch the Cobalt Strike traffic using default profiles very well, but fail to capture any\r\nvariations with customized profiles.\r\nFor POST requests, there is a predefined pattern – /submit.php?id= – in the URI. The ID value is randomly\r\ngenerated. 
Similar to the possibilities for HTTP GET requests, malicious attackers can easily modify the\r\nURIs to arbitrary strings if they use customized profiles with set uri options inside the http-post section.\r\nIndex  URI\r\n1  /ca\r\n2  /dpixel\r\n3  /__utm.gif\r\n4  /pixel.gif\r\n5  /g.pixel\r\n6  /dot.gif\r\n7  /updates.rss\r\n8  /fwlink\r\n9  /cm\r\n10 /cx\r\n11 /pixel\r\n12 /match\r\n13 /visit.js\r\n14 /load\r\n15 /push\r\n16 /ptj\r\n17 /j.ad\r\n18 /ga.js\r\n19 /en_US/all.js\r\n20 /activity\r\n21 /IE9CompatViewList.xml\r\nTable 1. Possible URIs specified in the Cobalt Strike default profile.\r\nCustomized Cobalt Strike Profiles\r\nPublic Malleable C2 profiles are available and can be downloaded from public repositories, such as the official\r\nprofile examples on GitHub. These profiles can be loaded by the team server and used as a Beacon download for\r\nC2 communications.\r\nAs an example, we walk through the etumbot profile in more detail below.\r\n1. Global Options.\r\nSleeptime: The sleep time for the beacon callback is 5,000 milliseconds (5s).\r\nJitter: The jitter percentage is set to 0. In this example, the Beacon will call back every 5s exactly because the jitter value is\r\n0.\r\nMaxdns: The maximum length of hostname is 255 when uploading data over DNS.\r\nUserAgent: Set the HTTP C2 request useragent as \"Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)\"\r\nFigure 3. Global options in Etumbot profile.\r\n2. Beacon check-in to get tasks from the team server with HTTP GET request.\r\nBelow the global options, we find the following option configurations about HTTP request and response. Figures\r\n4 and 5, below, show this configuration, which includes URI, header and metadata information for both the client\r\nand the server.\r\nFigure 4. HTTP GET request options in Etumbot profile.\r\nFigure 5. 
HTTP GET request in live traffic.\r\n3. Beacon task execution result submission to the team server with HTTP POST request.\r\nWe can find the following option configuration about HTTP response from Figure 6 below, as well as what the\r\nPOST C2 traffic looks like in Figure 7.\r\nFigure 6. HTTP POST request options in Etumbot profile.\r\nFigure 7. HTTP POST request options in live traffic.\r\nCases in the Wild\r\nThe following sections show two different cases of Cobalt Strike payloads used in the wild: one using the default\r\noption (no profiles) and the other with a custom profile. Neither sample triggered any detection on VirusTotal at the time of\r\nthis writing, but Palo Alto Networks identified them using static and dynamic analysis.\r\nDefault Profile Sample\r\nSHA256 Hash: 6a6e5d2faeded086c3a97e14994d663e2ff768cb3ad1f5a1aa2a2b5fd344dde2\r\nFigure 8. Cobalt Strike HTTP GET Beacon download request.\r\nFigure 9. Cobalt Strike HTTP GET heartbeat request.\r\nFigure 10. Cobalt Strike HTTP POST call-back request.\r\nAs seen in Figures 9 and 10, the GET and POST requests follow from the configuration options specified in the\r\ndefault profile. The GET request URI is /load (Figure 9), which is one of the default options for GET requests, and\r\nthe POST request URI is /submit.php (Figure 10), which is the default option for POST requests. 
If all Cobalt\r\nStrike traffic used these default URIs, it would be much easier to write signatures to identify Cobalt Strike traffic;\r\nhowever, these signatures would not be able to identify traffic originating from customized profiles, as shown in\r\nthe next example.\r\nCustomized Profile Sample\r\nSHA256 Hash: fcdc426289dab0e5a73cd6fbac928ad48a8ff9b67e1d37df2794af6e7fa559e9\r\nFigure 11. Cobalt Strike HTTP GET Beacon download request.\r\nFigure 12. Cobalt Strike HTTP GET heartbeat request.\r\nFigure 13. Cobalt Strike HTTP POST call-back request.\r\nAs we can see in Figures 12 and 13, the GET and POST request URIs have changed from the default profile. Both\r\nof these URIs are prepended with /MicrosoftUpdate in order to seem like a legitimate HTTP request to Microsoft\r\nservers for regular Windows updates – but are actually request and response traffic from C2 servers. This is how\r\nCobalt Strike traffic from customized profiles can be so flexible and difficult to detect.\r\nCobalt Strike Beacon Configuration\r\nIn addition to the differences in GET and POST request parameters mentioned previously, Cobalt Strike Beacon\r\nconfiguration differs between default and custom profiles, and it contains useful metadata according to the settings\r\nin a Malleable C2 profile, which includes encoding types, blog submission mechanisms, instructions used to\r\nperform data transformations and other properties. By leveraging Didier Stevens’s 1768.py script, a researcher can\r\ndecode and extract Cobalt Strike Beacon configurations. Didier is a security researcher known for developing\r\nseveral analysis tools and for his work on other security-related topics.\r\nFigure 14. Custom profile Beacon configuration Metadata.\r\nFigure 14 shows extracted configuration metadata for a custom profile Beacon. 
The most visible differences\r\nbetween a default profile and a custom profile Beacon configuration are the number of instructions and data\r\ntransformations, as well as the HTTP parameters used.\r\nThe table below shows the full list of differences between configuration metadata of the default and custom\r\nprofile samples found in the wild that were previously discussed.\r\nDefault Profile (Beacon /Iya9)\r\n0x000a post-uri\r\n0x0003 0x0040 '/submit.php'\r\n0x000b Malleable_C2_Instructions\r\n0x0003 0x0100\r\n  Transform Input: [7:Input,4]\r\n   Print\r\n0x000c http_get_header\r\n0x0003 0x0200\r\n  Build Metadata: [7:Metadata,3,6:Cookie]\r\n   BASE64\r\n   Header Cookie\r\n0x000d http_post_header\r\n0x0003 0x0200\r\n  Const_header Content-Type: application/octet-stream\r\n  Build SessionId: [7:SessionId,5:id]\r\n   Parameter id\r\n  Build Output: [7:Output,4]\r\n   Print\r\nCustom Profile (Beacon /api/1)\r\n0x000a post-uri\r\n0x0003 0x0040 '/MicrosoftUpdate/GetUpdate/KB'\r\n0x000b Malleable_C2_Instructions\r\n0x0003 0x0100\r\n  Transform Input: [7:Input,4]\r\n   Print\r\n0x000c http_get_header\r\n0x0003 0x0100\r\n  Const_header User-Agent: Mozilla/4.0 (Compatible; MSIE 6.0;Windows NT 5.1)\r\n  Const_header Accept: */*, ..., ......, .\r\n  Build Metadata: [7:Metadata,11,5:tmp]\r\n   NETBIOS uppercase\r\n   Parameter tmp\r\n0x000d http_post_header\r\n0x0003 0x0100\r\n  Const_header Content-Type: application/octet-stream\r\n  Const_header User-Agent: Mozilla/4.0 (Compatible; MSIE 6.0;Windows NT 5.1)\r\n  Build SessionId: [7:SessionId,1:/default.asp,12]\r\n   Append /default.asp\r\n   Uri_append\r\n  Build Output: [7:Output,4]\r\n   Print\r\nTable 2. Default profile vs custom profile configuration metadata.\r\nConclusion\r\nCobalt Strike is a potent post-exploitation adversary emulator. 
The Malleable C2 profile detailed above is\r\nelaborate and is designed to evade security detections. A single security appliance is not equipped to prevent a\r\nCobalt Strike attack. Only a combination of security solutions (firewalls, sandboxes, endpoints and software to\r\nintegrate all these components) can help prevent this kind of attack.\r\nPalo Alto Networks customers are protected from this kind of attack by the following:\r\n1. Next-Generation Firewalls (NGFWs) with Threat Prevention signatures 86445 and 86446 identify HTTP\r\nC2 requests with default profiles.\r\n2. WildFire, an NGFW security subscription, identifies and blocks Cobalt Strike Beacon.\r\n3. AutoFocus users can track this activity using the CobaltStrike tags.\r\nIndicators of Compromise\r\nCS Samples\r\n6a6e5d2faeded086c3a97e14994d663e2ff768cb3ad1f5a1aa2a2b5fd344dde2\r\nfcdc426289dab0e5a73cd6fbac928ad48a8ff9b67e1d37df2794af6e7fa559e9\r\nCS Beacon Samples\r\n/Iya9\r\n08e901d4ed0b43b46e632158f5ec5e900f16015e18995a875f62903a3c1eb1f9\r\n/api/1\r\nd8b385d680bcdf7646f35df612712f7a3991f50a21cac8379630d05b3d2337ae\r\nCS Team Server Domain\r\nwww.symantecav[.]xyz\r\nCS Team Server IP addresses\r\n66.42.72[.]250\r\n146.0.77[.]110\r\nSource: https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/"
	],
	"report_names": [
		"cobalt-strike-malleable-c2-profile"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434204,
	"ts_updated_at": 1775826746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1df285b34a90d4aa0a50202155d6d6ba360b4582.pdf",
		"text": "https://archive.orkl.eu/1df285b34a90d4aa0a50202155d6d6ba360b4582.txt",
		"img": "https://archive.orkl.eu/1df285b34a90d4aa0a50202155d6d6ba360b4582.jpg"
	}
}