analyzing-cobaltstrike-malleable-c2-profiles

Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike and pyMalleableC2 to extract C2 indicators, detect evasion techniques, and generate network detection signatures.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "analyzing-cobaltstrike-malleable-c2-profiles" with this command: npx skills add mukul975/anthropic-cybersecurity-skills/mukul975-anthropic-cybersecurity-skills-analyzing-cobaltstrike-malleable-c2-profiles

Analyzing CobaltStrike Malleable C2 Profiles

Overview

Cobalt Strike Malleable C2 profiles are domain-specific language scripts that customize how Beacon communicates with the team server, defining HTTP request/response transformations, sleep intervals, jitter values, user agents, URI paths, and process injection behavior. Threat actors use malleable profiles to disguise C2 traffic as legitimate services (Amazon, Google, Slack). Analyzing these profiles reveals network indicators for detection: URI patterns, HTTP headers, POST/GET transforms, DNS settings, and process injection techniques. The dissect.cobaltstrike library can parse both profile files and extract configurations from beacon payloads, while pyMalleableC2 provides AST-based parsing using Lark grammar for programmatic profile manipulation and validation.

Prerequisites

  • Python 3.9+ with dissect.cobaltstrike and/or pyMalleableC2
  • Sample Malleable C2 profiles (available from public repositories)
  • Understanding of HTTP protocol and Cobalt Strike beacon communication model
  • Network monitoring tools (Suricata/Snort) for signature deployment
  • PCAP analysis tools for traffic validation

Steps

  1. Install libraries: pip install dissect.cobaltstrike or pip install pyMalleableC2
  2. Parse profile with C2Profile.from_path("profile.profile")
  3. Extract HTTP GET/POST block configurations (URIs, headers, parameters)
  4. Identify user agent strings and spoof targets
  5. Extract sleep time, jitter percentage, and DNS beacon settings
  6. Analyze process injection settings (spawn-to, allocation technique)
  7. Generate Suricata/Snort signatures from extracted network indicators
  8. Compare profile against known threat actor profile collections
  9. Extract staging URIs and payload delivery mechanisms
  10. Produce detection report with IOCs and recommended network signatures

Expected Output

A JSON report containing extracted C2 URIs, HTTP headers, user agents, sleep/jitter settings, process injection config, spawned process paths, DNS settings, and generated Suricata-compatible detection rules.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

analyzing-cyber-kill-chain

No summary provided by upstream source.

Repository SourceNeeds Review
10-mukul975
Security

analyzing-android-malware-with-apktool

No summary provided by upstream source.

Repository SourceNeeds Review
10-mukul975
Security

analyzing-certificate-transparency-for-phishing

No summary provided by upstream source.

Repository SourceNeeds Review
9-mukul975
Security

acquiring-disk-image-with-dd-and-dcfldd

No summary provided by upstream source.

Repository SourceNeeds Review
9-mukul975