Randomized Malleable C2 Profiles Made Easy

Malleable Command and Control (C2) profiles offer red teamers and penetration testers a wide range of options to change how Cobalt Strike is perceived on both the network and the compromised host. Malleable C2 can mimic real threat actors or typical web traffic. With every new development in offensive techniques, blue teams and defensive tools are likely to adopt static signature-based protections. In my view, defenders should utilize all available resources, including signature-based detections; however, they should not depend solely on any single defensive method. As red teamers, our role is to test the blue team's controls and processes, and this is exactly what Malleable C2 profiles allow us to do. In this blog post, I will outline a script I created to randomize Malleable C2 profiles. This script enables us to customize the same profile template each time we use it, thereby reducing the likelihood of triggering static, signature-based detection mechanisms.

You can access the script at this location.

The Script randomizes Cobalt Strike Malleable C2 profiles using a metalanguage. It does this by replacing specific keywords with random, pre-configured strings. In summary, the script takes the provided template, parses it, and substitutes the variables with a random value sourced from either a provided list or another predefined option.