Skill

analyzing-cobaltstrike-malleable-c2-profiles

Parses Cobalt Strike Malleable C2 profiles with dissect.cobaltstrike and pyMalleableC2 to extract indicators, detect evasions, and generate network detection signatures.

Python

security

npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Supporting Assets

LICENSEreferences/api-reference.mdscripts/agent.py

SKILL.md

Similar Skills

applying-brand-guidelines

41.6k

Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.

3 files

anthropics-claude-cookbooks

creating-financial-models

41.6k

Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.

2 files

anthropics-claude-cookbooks

analyzing-financial-statements

41.6k

Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.

2 files

anthropics-claude-cookbooks

Stats

Stars5748

Forks783

Last CommitApr 6, 2026

Actions

View Source View Plugin View on GitHub View README

Analyzing CobaltStrike Malleable C2 Profiles

Overview

Cobalt Strike Malleable C2 profiles are domain-specific language scripts that customize how Beacon communicates with the team server, defining HTTP request/response transformations, sleep intervals, jitter values, user agents, URI paths, and process injection behavior. Threat actors use malleable profiles to disguise C2 traffic as legitimate services (Amazon, Google, Slack). Analyzing these profiles reveals network indicators for detection: URI patterns, HTTP headers, POST/GET transforms, DNS settings, and process injection techniques. The dissect.cobaltstrike library can parse both profile files and extract configurations from beacon payloads, while pyMalleableC2 provides AST-based parsing using Lark grammar for programmatic profile manipulation and validation.

When to Use

When investigating security incidents that require analyzing cobaltstrike malleable c2 profiles
When building detection rules or threat hunting queries for this domain
When SOC analysts need structured procedures for this analysis type
When validating security monitoring coverage for related attack techniques

Prerequisites

Python 3.9+ with dissect.cobaltstrike and/or pyMalleableC2
Sample Malleable C2 profiles (available from public repositories)
Understanding of HTTP protocol and Cobalt Strike beacon communication model
Network monitoring tools (Suricata/Snort) for signature deployment
PCAP analysis tools for traffic validation

Steps

Install libraries: pip install dissect.cobaltstrike or pip install pyMalleableC2
Parse profile with C2Profile.from_path("profile.profile")
Extract HTTP GET/POST block configurations (URIs, headers, parameters)
Identify user agent strings and spoof targets
Extract sleep time, jitter percentage, and DNS beacon settings
Analyze process injection settings (spawn-to, allocation technique)
Generate Suricata/Snort signatures from extracted network indicators
Compare profile against known threat actor profile collections
Extract staging URIs and payload delivery mechanisms
Produce detection report with IOCs and recommended network signatures

Expected Output

A JSON report containing extracted C2 URIs, HTTP headers, user agents, sleep/jitter settings, process injection config, spawned process paths, DNS settings, and generated Suricata-compatible detection rules.