Cobalt Strike Threat Trend Updates - Q2 2023

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community Team Member

Cobalt Strike Trends Q2.jpg


By: Durgesh Sangvikar, Matthew Tennis, Chris Navarrete, Yanhui Jia, Nina Smith, Yu Fu


Executive Summary

The Unit42 team has developed a Cobalt strike threat intelligence gathering system that scans the internet to locate Team servers hosting the Beacon binary. Earlier, it was difficult to discover the team server until a Beacon binary made an active connection to it. Our novel method enables us to find team servers, download the beacon binary, extract the configuration and generate a fully functional malleable C2 profile.


Our system has successfully tracked & documented a huge amount of team servers and malleable profiles. The upcoming sections present various statistics about these Team servers and malleable profiles. The statistics include the common URI, the encrypted data placement in http headers, Geolocation of the Team servers. 


Palo Alto Networks customers receive protections from and mitigations for Cobalt Strike Beacon and Team Server C2 communication in the following ways:



Related Unit 42 Topics

Cobalt Strike, C2, Tutorials


Cobalt Strike Profile Statistic

We have observed that most of the profiles are modified versions of the default profile, which is included in the Cobalt Strike package. Modifications may include adding extra request headers, reducing the number of URIs, and adding a cookie parameter. Figure 1 shows an example of modifications made to the default profile. The left side shows the default profile, while the right side shows the modified default profile. In the modified default profile, the author reduced the number of GET URIs and added HTTP request headers.



                                            Figure 1. Default profiles (left side) and a modified default profile (right side)


Figure 2 shows the statistics of the modified default profile with custom profiles. Every 3rd profile we discovered is a custom profile. The custom profiles have different URIs, the encrypted data is placed in Referrer header or appended to URI etc.



                                                          Figure 2: Statistics of the modified default profile and custom profiles.


Cobalt Strike Team Server Statistic 

In the blog, we have explained how to identify the Team Server in-the-wild. Based on those different identification tactics, we have located the Team Servers on the internet. We have located those Team Servers in various countries.


Figure 3 shows percentages of the Team servers found in different countries. We discovered the maximum number of Team servers hosted on 2 countries namely, China and USA.



                                                                           Figure 3: Geo Location of the Team servers


Domain vs IP address

We have examined the profiles for the usage of various domains to evade the Network detections. If profiles are using domains in their host header, they are more likely to be analyzed by the network security devices. We have also concluded that almost all the time, the host header data is different in GET and POST transactions. Majority of the time, the Host header has the dotted quad representation of the IP address and they are different for GET and POST transactions. When that is the same, it is certain that the Host header is a domain and most likely a well known like, etc. 



                                                                                               Figure 4: Host header 


Cobalt Strike Team Server Infrastructure Statistics

We wanted to understand the infrastructure details that hosted the team servers, so we collected the Whois information of the IP addresses. We found that many of the team servers were hosted on popular hosting services like Tencent, Alibaba, and Amazon. We identified that every fourth team server was hosted on Tencent Cloud.


Figure 5 shows the infrastructure hosting server that hosted the Team servers.



                                                                              Figure 5: Infrastructure Hosting 


Cobalt Strike Request URI Statistic

We have parsed the profiles to extract the threat intelligence information.


Figure 6 shows the common URI used in the profiles. These are GET or POST transaction URI. Most of the profiles are derived from the default profiles, top common URI are also from default profiles. 



                                  Figure 6: List of the Commonly used URI in Cobalt strike profiles.


Cobalt Strike Encrypted data in HTTP header

We have analyzed the common places where the attackers are placing the encrypted metadata. There are a number of places where an attacker can place the encrypted metadata in http header like append to URI, place it as a URI parameter value, Cookie header value, add a custom header value, put it in Cookie header with param.


After the profiles analysis, we found that the majority of the profiles have encrypted metadata in Cookie header. Some of the profiles are putting the metadata in plain cookie header value while others are placing it as a Cookie param value. Figure 7 shows the Encrypted Metadata placement in the HTTP request body.




                                                              Figure 7: Encrypted Metadata placement



In recent years, there has been a rise in the use of Cobalt Strike by advanced persistent threat (APT) groups, especially those with ties to nation-states. These groups have used Cobalt Strike in various cyber espionage campaigns, such as the ones targeting the US government and its allies.


Overall, the use of Cobalt Strike is expected to continue in malicious contexts, and organizations should take necessary precautions to protect their networks from potential threats associated with this tool.


Palo Alto Networks customers receive protection from the attack above by the following:


  1. Next-Generation Firewalls with Threat Prevention signatures 86445 and 86446 can identify HTTP C2 requests with the base64 metadata encoding in default profiles. 
  2. Next-Generation Firewalls with Advanced Threat Prevention subscription can identify and block the Cobalt Strike HTTP C2 request in non default  profiles.
  3. WildFire, an NGFW security subscription, and Cortex XDR identify and block CobaltStrike Beacon.


Palo Alto Networks will continue to collect more Cobalt Strike related threat intelligence and publish the threat trend report in the future, please stay tuned.


Additional Resources

Cobalt Strike Training

Cobalt Strike Malleable C2 Profile

Cobalt Strike Decryption with Known Private Key

Cobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make Cobalt Strike Difficult to Detec...

Cobalt Strike Analysis and Tutorial: CS Metadata Encoding and Decoding

Cobalt Strike Analysis and Tutorial: CS Metadata Encryption and Decryption

Cobalt Strike Analysis and Tutorial: Identifying Beacon Team Servers in the Wild

Cobalt Strike Attack Detection & Defense Technology Overview

Register or Sign-in
Top Liked Authors