Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
Cobalt Strike is associated with pen testing, security assessments, and sometimes persistent, planned attacks. Malleable C&C profiles for configuring C&C traffic are publicly available and well known. Through a persistent C&C channel, an attacker can remotely control a device and gain an entry point for further attacks on the network.
Kill Chain
Risk Score
60
Cobalt Strike is an attack toolkit that is often associated with malicious activity. The Cobalt Strike Malleable C&C component enables an attacker to disguise C&C communications as legitimate traffic from the Cobalt Strike Beacon agent, which is installed on a victim device. The disguised C&C communications are configured with a Malleable C&C profile. The profile is a text file that specifies the parameters for the TLS certificate installed on the C&C server. After the victim establishes a successful TLS connection with the C&C server, the victim and C&C server exchange a series of HTTP requests and responses. HTTP responses from the C&C server include tasks, such as "sleep" or "run command". HTTP requests from the victim include encrypted information such as metadata or command output.
