
DETECTION OVERVIEW

Cobalt Strike C&C HTTP Connection

Risk Factors

Cobalt Strike is associated with pen testing, security assessments, and sometimes persistent, planned attacks. Malleable C&C profiles for configuring C&C traffic are publicly available and well known. Through a persistent C&C channel, an attacker can remotely control a device and gain an entry point for further attacks on the network.

Kill Chain

Command-and-Control

Risk Score

60

Detection diagram

Attack Background

Cobalt Strike is an attack toolkit that is often associated with malicious activity. The Cobalt Strike Malleable C&C component enables an attacker to disguise C&C communications as legitimate traffic from the Cobalt Strike Beacon agent, which is installed on the victim device. The disguised C&C communications are configured with a Malleable C&C profile. The profile is a domain-specific language file that specifies both the HTTP request and response indicators and how to encode data. For example, the victim sends an HTTP GET request to the attacker with encrypted metadata. The C&C server responds with a task such as "sleep" or "run command". Based on the profile specifications, the command output is then encrypted and sent in another request, such as an HTTP POST request.
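The GET-poll / POST-result pattern described above is what a network detector looks for even when the URIs and headers are disguised by a profile. The following is an added example, not RevealX code or any Cobalt Strike profile: it scans constructed proxy log lines (a hypothetical `time src method host/uri` format) for a client that repeatedly fetches the same URI at near-constant intervals and also POSTs to the same host.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: "<ISO time> <src> <method> <host>/<uri>".
# Host names use the reserved .invalid TLD; they are not real indicators.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 GET cdn.example.invalid/updates/check
2024-01-01T10:01:00 10.0.0.5 GET cdn.example.invalid/updates/check
2024-01-01T10:02:01 10.0.0.5 GET cdn.example.invalid/updates/check
2024-01-01T10:02:02 10.0.0.5 POST cdn.example.invalid/submit.php
2024-01-01T10:03:00 10.0.0.5 GET cdn.example.invalid/updates/check
2024-01-01T10:04:00 10.0.0.5 GET cdn.example.invalid/updates/check
2024-01-01T10:00:10 10.0.0.7 GET news.example.invalid/index.html
2024-01-01T10:07:43 10.0.0.7 GET news.example.invalid/sports
2024-01-01T10:31:05 10.0.0.7 GET news.example.invalid/weather
"""

def parse(log):
    """Split each log line into (timestamp, src, method, host, uri)."""
    events = []
    for line in log.splitlines():
        ts, src, method, target = line.split()
        host, _, uri = target.partition("/")
        events.append((datetime.fromisoformat(ts), src, method, host, "/" + uri))
    return events

def find_beacons(log, min_polls=4, max_cv=0.2):
    """Return (src, host, uri, mean_interval_s, posted_to_host) for each
    client/URI pair polled at least min_polls times with low timing jitter.
    max_cv is the allowed coefficient of variation of the poll intervals."""
    polls = defaultdict(list)
    posts = set()
    for ts, src, method, host, uri in parse(log):
        if method == "GET":
            polls[(src, host, uri)].append(ts)
        elif method == "POST":
            posts.add((src, host))   # result upload goes to the same C&C host
    hits = []
    for (src, host, uri), times in polls.items():
        if len(times) < min_polls:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:   # regular cadence: sleep interval with little jitter
            hits.append((src, host, uri, round(mean), (src, host) in posts))
    return hits
```

A profile with a large jitter setting will raise the coefficient of variation, so `max_cv` is a tuning knob rather than a fixed threshold.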

Mitigation Options

Quarantine the device while checking for the presence of malware

Monitor and investigate unusual network activity for lateral movement or data exfiltration

MITRE ATT&CK ID
