http://threatexpress.com/blogs/2018/a-deep-dive-into-cobalt-strike-malleable-c2/
One of Cobalt Strike's most valuable features is its ability to modify the behavior of the Beacon payload. By changing various defaults within the framework, an operator can modify the memory footprint of Beacon, change how often it checks in, and even what Beacon's network traffic looks like. All of these features are controlled by the Malleable C2 profile, which is chosen when starting the team server.
This article assumes that you understand the basics of Malleable C2 and is intended to be used as a reference for designing and creating Malleable C2 profiles. The profile found at https://github.com/threatexpress/malleable-c2 is to be used as a reference profile. It is heavily documented and contains tips and guidance to aid in creating new C2 profiles.
If you are new to malleable C2, we recommend starting with this reference by Jeff Dimmock (@bluscreenofjeff) https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/ or reading the other references.
Big thanks to @andrewchiles and @001SPARTaN for helping test and develop this C2 profile!!!
The following are quick tips to consider when setting parameter values. Following them reduces errors and the troubleshooting they cause.
Enclose parameters in double quotes, not single quotes.
Semicolons are OK inside a value:
    prepend "This is an example;";
Escape double quotes:
    append "here is \"some\" stuff";
Escape backslashes:
    append "more \\ stuff";
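The quoting rules above, as an added example (not code from the original article or the reference profile): a small Python checker that decodes one double-quoted value and rejects single-quoted values and unescaped inner quotes. The function names and sample lines are constructed for illustration, and decoding only the two escapes listed above is an assumption of this example.

```python
# Constructed sample lines based on the tips above (not a real profile).
SAMPLE = r"""prepend "This is an example;";
append "here is \"some\" stuff";
append "more \\ stuff";
set useragent 'single quoted';
append "here is "some" stuff";
"""

def parse_statement(line):
    """Return (statement_head, decoded_value) for one `head "value";` line.

    Raises ValueError if the value is not a double-quoted string closed by `";`.
    Only \\" and \\\\ are decoded; any other escape is kept as written.
    """
    line = line.strip()
    start = line.find('"')
    if start == -1:
        raise ValueError("value is not enclosed in double quotes")
    head, out, i = line[:start].strip(), [], start + 1
    while i < len(line):
        ch = line[i]
        if ch == "\\":
            if i + 1 >= len(line):
                raise ValueError("dangling backslash")
            nxt = line[i + 1]
            out.append(nxt if nxt in '"\\' else ch + nxt)
            i += 2
        elif ch == '"':
            # A bare quote must close the value, so only `;` may follow it.
            if line[i + 1:].strip() != ";":
                raise ValueError("unescaped double quote or missing ';'")
            return head, "".join(out)
        else:
            out.append(ch)  # a `;` inside the quotes is ordinary data
            i += 1
    raise ValueError("unterminated string")

def check_profile(text):
    """Check every non-blank line; return (line_no, status, value_or_error)."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            results.append((n, "ok", parse_statement(line)[1]))
        except ValueError as err:
            results.append((n, "error", str(err)))
    return results
```

Running `check_profile(SAMPLE)` accepts the first three lines and flags the last two, which break the double-quote and escaping rules.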