analyzing-cobalt-strike-malleable-profiles

Parses Cobalt Strike malleable C2 profiles using pyMalleableC2 to extract beacon configuration, HTTP communication patterns, and sleep/jitter settings. Combines with JARM TLS fingerprinting to detect C2 servers on the network. Use when investigating suspected Cobalt Strike infrastructure or building detection signatures for C2 traffic.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "analyzing-cobalt-strike-malleable-profiles" with this command: npx skills add mukul975/anthropic-cybersecurity-skills/mukul975-anthropic-cybersecurity-skills-analyzing-cobalt-strike-malleable-profiles

Analyzing Cobalt Strike Malleable Profiles

Instructions

Parse malleable C2 profiles to extract IOCs and detection opportunities using the pyMalleableC2 library. Combine with JARM fingerprinting to identify C2 servers.

from malleablec2 import Profile

# Parse a malleable profile from file
profile = Profile.from_file("amazon.profile")

# Extract global options (sleep, jitter, user-agent)
print(profile.ast.pretty())

# Access HTTP-GET block URIs and headers for network signatures
# Access HTTP-POST block for data exfiltration patterns
# Generate JARM fingerprints for known C2 infrastructure

Key analysis steps:

  1. Parse the malleable profile to extract HTTP-GET/POST URI patterns
  2. Extract User-Agent strings and custom headers for IDS signatures
  3. Identify sleep time and jitter for beaconing detection thresholds
  4. Scan suspect IPs with JARM to match known C2 fingerprint hashes
  5. Cross-reference extracted IOCs with network traffic logs

Examples

# Parse profile and extract detection indicators
from malleablec2 import Profile
p = Profile.from_file("cobaltstrike.profile")
print(p)  # Reconstructed source

# JARM scan a suspect C2 server
import subprocess
result = subprocess.run(
    ["python3", "jarm.py", "suspect-server.com"],
    capture_output=True, text=True
)
print(result.stdout)
# Compare fingerprint against known CS JARM hashes

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

analyzing-android-malware-with-apktool

No summary provided by upstream source.

Repository SourceNeeds Review
10-mukul975
Security

analyzing-cyber-kill-chain

No summary provided by upstream source.

Repository SourceNeeds Review
10-mukul975
Security

analyzing-certificate-transparency-for-phishing

No summary provided by upstream source.

Repository SourceNeeds Review
9-mukul975
Security

analyzing-network-traffic-with-wireshark

No summary provided by upstream source.

Repository SourceNeeds Review
9-mukul975