Cobalt Strike Profile Analysis

v20260317

analyzing-cobalt-strike-malleable-profiles

Parses Cobalt Strike malleable C2 profiles via pyMalleableC2 to pull beacon configs, HTTP communication patterns, sleep/jitter settings, and combines JARM scans for C2 detection when hunting suspected infrastructure or building IDS signatures.

Analyzing Cobalt Strike Malleable PyMalleableC2 JARM NetworkSecurity IOCs

Get Skill

476 downloads

Overview

Analyzing Cobalt Strike Malleable Profiles

Instructions

Parse malleable C2 profiles to extract IOCs and detection opportunities using the pyMalleableC2 library. Combine with JARM fingerprinting to identify C2 servers.

from malleablec2 import Profile

# Parse a malleable profile from file
profile = Profile.from_file("amazon.profile")

# Extract global options (sleep, jitter, user-agent)
print(profile.ast.pretty())

# Access HTTP-GET block URIs and headers for network signatures
# Access HTTP-POST block for data exfiltration patterns
# Generate JARM fingerprints for known C2 infrastructure

Key analysis steps:

Parse the malleable profile to extract HTTP-GET/POST URI patterns
Extract User-Agent strings and custom headers for IDS signatures
Identify sleep time and jitter for beaconing detection thresholds
Scan suspect IPs with JARM to match known C2 fingerprint hashes
Cross-reference extracted IOCs with network traffic logs

Examples

# Parse profile and extract detection indicators
from malleablec2 import Profile
p = Profile.from_file("cobaltstrike.profile")
print(p)  # Reconstructed source

# JARM scan a suspect C2 server
import subprocess
result = subprocess.run(
    ["python3", "jarm.py", "suspect-server.com"],
    capture_output=True, text=True
)
print(result.stdout)
# Compare fingerprint against known CS JARM hashes

Info

Category Development

Name analyzing-cobalt-strike-malleable-profiles

Version v20260317

Size 8.49KB

Source mukul975/Anthropic-Cybersecurity-Skills

Updated At 2026-03-18