{
	"id": "2c66b448-166f-4d8c-8d69-afdb365224c8",
	"created_at": "2026-04-06T01:30:47.793884Z",
	"updated_at": "2026-04-10T03:24:24.272054Z",
	"deleted_at": null,
	"sha1_hash": "e7ca7a472fed68132b4112288d78179955f11454",
	"title": "How to Identify Cobalt Strike on Your Network",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71458,
	"plain_text": "How to Identify Cobalt Strike on Your Network\r\nBy Zohar Buber\r\nPublished: 2020-11-18 · Archived: 2026-04-06 00:41:24 UTC\r\nSince its introduction, Cobalt Strike has become one of the most prevalent threat emulation software packages\r\nused by infosec red teams. Unfortunately, its combination of multiple exploitation techniques also makes Cobalt\r\nStrike a platform of choice for attackers.\r\nIn the past several months, we've seen Cobalt Strike used in multiple exploits. In the WastedLocker ransomware\r\nattack, an advanced persistent threat (APT) group used Cobalt Strike to move laterally within a network. APT\r\ngroups also used Cobalt Strike in the military-themed malware campaign to target military and government\r\norganizations in South Asia.\r\nCommon antivirus (AV) systems, which focus on security data, often miss Cobalt Strike. The platform uses\r\nnumerous techniques to evade detection. Moreover, Cobalt Strike can be merged with other attack tools like\r\nMimikatz, Metasploit, and PowerShell Empire to move laterally across the network.\r\nBut there is good news for security professionals: Cobalt Strike has very distinct network markers. You can use\r\nthose markers to detect Cobalt Strike on your network.\r\nWhat's So Difficult About Detecting Cobalt Strike?\r\nCobalt Strike implements two main techniques to avoid detection by mainstream AV systems. It 1) obfuscates the\r\nshellcode and 2) leverages a domain-specific language called Malleable Command and Control (Malleable C2).\r\nLet's look at each one.\r\nTechnique #1\r\nAV systems today commonly implement sandboxing to detect executables. Sandboxing provides a separate\r\nenvironment to run and inspect suspicious executables. Cobalt Strike, though, hides shellcode over a named pipe.\r\nIf the sandbox doesn't emulate named pipes, it will not find the malicious shellcode. 
In addition, the attacker can\r\nmodify and build his own techniques with the Cobalt Strike Artifact Kit.\r\nTechnique #2\r\nIn post-exploitation, Cobalt Strike mimics popular services, such as Gmail, Bing, and Pandora, to evade detection.\r\nThe platform uses Malleable C2, which provides attackers with the ability to modify Cobalt Strike command-and-control (C2) traffic at will. The attacker can then identify legitimate applications within the target\r\norganization, such as Amazon traffic, and modify the C2 traffic to appear as Amazon traffic using any number of\r\npublicly available profiles, like this one for Amazon on GitHub.\r\nIn the screenshot below (Figure 1) you can see a Cobalt Strike profile that fakes a CNN video URI and HTTP\r\nheaders like \"Host,\" \"Referer,\" and \"X-requested-With\" so the HTTP request will look like a request to a CNN\r\nvideo.\r\nNetwork Indicators for Detecting Cobalt Strike\r\nTo identify Cobalt Strike, examine the network traffic. Since Cobalt Strike default profiles evade security\r\nsolutions by faking HTTPS traffic, you need to use TLS inspection. Then isolate bot traffic and, once done,\r\nidentify the suspicious traffic by examining data within HTTPS requests.\r\nExamine Network Communications\r\nTo distinguish human-generated traffic from bot-generated traffic, we examine the frequency of communications\r\nto a target. Bot-generated traffic tends to be consistent and uniform, as you can see in the flow frequency\r\ngraph below. Human-generated traffic tends to vary over time, while machine-generated traffic tends to be almost\r\nuniformly distributed.\r\nJust because traffic is generated by a bot doesn't make it malicious, however. There are numerous good bots, such\r\nas OS updaters. 
You need to identify bots likely to be suspicious, and you can do that by digging into the traffic\r\nflow.\r\nExamine the User Agent\r\nLooking at the origin of the bot traffic, we inspect the user agent generating the TLS traffic. At first, the user agent\r\nlooks legitimate, allegedly generated by Mozilla/5.0 (Windows NT 6.1), the value for Internet Explorer (IE).\r\nHowever, user agents can easily be faked. Some machine learning algorithms derive the true user agent of packet\r\nflows and, in this case, flagged it as \"unidentified.\" The discrepancy gives us a strong indicator that we're likely\r\nlooking at malicious traffic.\r\nExamine the Destination\r\nNext, we examine the destination domain -- dukeid[.]com. For many, this point will be less conclusive. According\r\nto VirusTotal, less than 10% of the 83 AV engines (seven, to be exact) tagged this domain as\r\nmalicious. However, vendor reputation models have classified dukeid[.]com as malicious, giving us another\r\nIndicator of Compromise (IoC) or network artifact likely indicating an intrusion.\r\nExamine the Host Header\r\nWe move deeper into the packet and examine the HTTP Host header, which in this case was www.amazon.com.\r\nHowever, traffic was directed to the domain \"dukeid[.]com\". This gives us another powerful piece of evidence\r\nthat we're looking at Cobalt Strike, as faking the Host header is part of Cobalt Strike's Amazon profile.\r\nExamine the URI\r\nFinally, we examine the target uniform resource identifier (URI) of the flow. We see that the URI matches one\r\nassociated with Cobalt Strike Malleable C2:\r\n/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books\r\nAlone, blocking the URI won't be effective. It's a fake Amazon URI, and blocking it would also block traffic to\r\nlegitimate Amazon URIs. 
Hence the need to proceed through the steps outlined above.\r\nThe Malleable C2 module in Cobalt Strike is an advanced tool that allows attackers to customize beacon traffic\r\nand create covert communications. AV systems may not be enough to protect a network. Even after the threat had\r\nbeen identified and the customer notified, their AV systems were still unable to detect and remove the threat.\r\nFocusing on the malware's network characteristics, though, allowed the threat to be identified. It's an excellent\r\nexample of how combining networking and security information can lead to better threat detection.\r\nAbout the Author\r\nSecurity Analyst\r\nZohar Buber is a security analyst in Cato Research Labs at Cato Networks. He focuses on network protocol\r\nanalysis and malicious traffic detection, specializing in threat identification using network-based methods.\r\nSource: https://www.darkreading.com/threat-intelligence/how-to-identify-cobalt-strike-on-your-network/a/d-id/1339357",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.darkreading.com/threat-intelligence/how-to-identify-cobalt-strike-on-your-network/a/d-id/1339357"
	],
	"report_names": [
		"1339357"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439047,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e7ca7a472fed68132b4112288d78179955f11454.pdf",
		"text": "https://archive.orkl.eu/e7ca7a472fed68132b4112288d78179955f11454.txt",
		"img": "https://archive.orkl.eu/e7ca7a472fed68132b4112288d78179955f11454.jpg"
	}
}