InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/


[RedTeam] Cobalt Strike 4.0+ Malleable C2 Profile Guideline

bigb0ss
Published in InfoSec Write-ups
7 min read · Apr 6, 2020


We are now in the Cobalt Strike 4.0+ era. As Cobalt Strike is used as a command and control ("C2") server more and more, customizing your Malleable C2 profile has become imperative to disguise your beacon traffic and its communication indicators. The profile also controls the beacon's in-memory characteristics and its process injection behavior.

The full guideline profile can be found here (CS4.0_guideline.profile). It contains more details and instructions for crafting Malleable C2 profiles.

# Cobalt Strike 4.0+ Guideline Profile
#
# References:
# * https://www.cobaltstrike.com/help-malleable-c2
# * https://www.cobaltstrike.com/help-malleable-postex
#

Global Option Block

set sample_name "bigb0ss.profile";
# Profile name (used in the Indicators of Compromise report)
set sleeptime "30000";
# Sleep time between beacon callbacks (in milliseconds)
set jitter "50";
# Jitter as a percentage of sleeptime. With sleeptime 30000 and jitter 50
# the beacon calls back at a random interval between 15 and 30 seconds
set host_stage "[true|false]";
# Whether the team server hosts the payload stage for stagers. Staged
# payloads are generally easier to get caught, but they are necessary in
# space-restricted situations (the brackets are a placeholder; pick one)
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.177";
# User-Agent used for HTTP/HTTPS beacon traffic

DNS Beacon Block

set dns_idle "8.8.8.8";
# IP returned to indicate that no tasks are available. Avoid the default
# bogon address "0.0.0.0" (it is a well-known IOC)
set maxdns "[0-255]";
# Maximum length of a hostname when uploading data over DNS (0-255)
set dns_sleep "1000";
# Force a sleep before each individual DNS request (in milliseconds)
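The global and DNS blocks above are simple `set name "value";` lines, so the settings the guideline warns about (a default `dns_idle` of 0.0.0.0, a jitter of 0 that gives a fixed check-in interval, a `maxdns` outside 0-255, a `[true|false]` placeholder never filled in) can be checked mechanically. The following profile linter is an added example written for this article; it is not part of the guideline profile or of Cobalt Strike, and the sample profile it parses is constructed here with deliberately weak values. The default values it assumes (sleeptime 60000 ms, jitter 0, dns_idle 0.0.0.0) are Cobalt Strike's documented defaults; the finding texts are the author's own guidance restated.

```python
import re

# One top-level Malleable C2 option line: set name "value";
# Anchored at the start of the line and terminated by ';', so a trailing
# '# comment' after the semicolon is ignored and a comment line never matches.
OPTION_RE = re.compile(r'^\s*set\s+(\w+)\s+"([^"]*)"\s*;')

# Constructed sample profile (not the article's guideline profile).
# jitter, dns_idle and host_stage are deliberately weak or unfinished.
SAMPLE_PROFILE = '''
# Cobalt Strike 4.0+ profile (constructed sample)
set sample_name "example.profile";      # Profile name
set sleeptime "30000";                  # Sleep in ms
set jitter "0";                         # no jitter at all
set host_stage "[true|false]";          # template placeholder left in
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.177";
set dns_idle "0.0.0.0";
set maxdns "255";
set dns_sleep "1000";
'''


def parse_options(profile_text):
    """Return {name: value} for every `set name "value";` line in the text.

    Only the flat global/DNS options used in the guideline excerpt are
    handled; options nested inside http-get/http-post blocks would be
    collected too, but the block they belong to is not tracked.
    """
    options = {}
    for line in profile_text.splitlines():
        m = OPTION_RE.match(line)
        if m:
            options[m.group(1)] = m.group(2)
    return options


def _int_option(options, name, default):
    """Integer value of an option, or `default` if absent or not numeric."""
    value = options.get(name, '')
    return int(value) if value.isdigit() else default


def sleep_window(options):
    """Return (min_ms, max_ms) between two beacon check-ins.

    Jitter is a percentage subtracted from sleeptime, so sleeptime 30000
    with jitter 50 gives a 15000-30000 ms window, as in the guideline text.
    Defaults (60000 ms, 0 %) are Cobalt Strike's if the option is missing.
    """
    sleeptime = _int_option(options, 'sleeptime', 60000)
    jitter = _int_option(options, 'jitter', 0)
    return sleeptime - sleeptime * jitter // 100, sleeptime


def lint(options):
    """Return a list of findings for settings the guideline warns about."""
    findings = []
    # Template placeholders such as "[true|false]" or "[0-255]" left unfilled
    for name, value in sorted(options.items()):
        if value.startswith('[') and value.endswith(']'):
            findings.append(f'{name}: template placeholder {value!r} was never filled in')
    # 0.0.0.0 is the default dns_idle and a well-known IOC
    if options.get('dns_idle', '0.0.0.0') == '0.0.0.0':
        findings.append('dns_idle: 0.0.0.0 is the default and a known IOC; use a benign address')
    # A fixed interval is trivial to baseline in proxy/DNS logs
    if _int_option(options, 'jitter', 0) == 0:
        findings.append('jitter: 0 % gives a fixed check-in interval; add jitter')
    # DNS hostname length is limited to 255
    if not 0 <= _int_option(options, 'maxdns', 255) <= 255:
        findings.append('maxdns: must be within 0-255')
    # Stagers are easier to catch; only host the stage when space forces it
    if options.get('host_stage') == 'true':
        findings.append('host_stage: stage is hosted; disable unless a stager is required')
    return findings


if __name__ == '__main__':
    opts = parse_options(SAMPLE_PROFILE)
    print('sleep window (ms):', sleep_window(opts))
    for finding in lint(opts):
        print('FINDING:', finding)
```

The linter only covers the options discussed here; before loading any profile, run Cobalt Strike's own `c2lint` against it, which validates the full grammar and the data transforms that this checker does not look at.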



Written by bigb0ss

OSWE | OSCE | OSCP | CREST | Principal Offensive Security Engineer — All about Penetration Test, Red Team, Cloud Security, Web Application Security
