- Add validated mitre_attack frontmatter to all 754 skills (286 distinct
techniques), verified against MITRE ATT&CK v19.1 via the official
mitreattack-python library: 0 revoked, deprecated, or invalid IDs
- Curate precise per-skill technique IDs for forensics, malware-analysis,
threat-intel, and red-team skills (e.g. DCSync -> T1003.006,
Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003)
- Reconcile v19.1 tactic restructuring: Defense Evasion split into
Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.*
family and T1070.001/.002 remapped to active equivalents (T1685.*)
- Normalize word-split tags across 35 skills (remove filename-derived
stopword tags, add semantic cybersecurity tags)
- Add api-reference.md for 3 skills that were missing it
- Update README ATT&CK section with accurate v19.1 tactic distribution
Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike and pyMalleableC2 to extract C2 indicators, detect evasion techniques, and generate network detection signatures.
cybersecurity
malware-analysis
cobalt-strike
malleable-c2
c2-detection
beacon-analysis
network-signatures
threat-hunting
red-team-tools
1.0
mahipal
Apache-2.0
DE.AE-02
RS.AN-03
ID.RA-01
DE.CM-01
T1071.001
T1573.002
T1001.003
T1090.004
T1102
Analyzing CobaltStrike Malleable C2 Profiles
Overview
Cobalt Strike Malleable C2 profiles are domain-specific language scripts that customize how Beacon communicates with the team server, defining HTTP request/response transformations, sleep intervals, jitter values, user agents, URI paths, and process injection behavior. Threat actors use malleable profiles to disguise C2 traffic as legitimate services (Amazon, Google, Slack). Analyzing these profiles reveals network indicators for detection: URI patterns, HTTP headers, POST/GET transforms, DNS settings, and process injection techniques. The dissect.cobaltstrike library can parse both profile files and extract configurations from beacon payloads, while pyMalleableC2 provides AST-based parsing using Lark grammar for programmatic profile manipulation and validation.
When to Use
When investigating security incidents that require analyzing cobaltstrike malleable c2 profiles
When building detection rules or threat hunting queries for this domain
When SOC analysts need structured procedures for this analysis type
When validating security monitoring coverage for related attack techniques
Prerequisites
Python 3.9+ with dissect.cobaltstrike and/or pyMalleableC2
Sample Malleable C2 profiles (available from public repositories)
Understanding of HTTP protocol and Cobalt Strike beacon communication model
Network monitoring tools (Suricata/Snort) for signature deployment
PCAP analysis tools for traffic validation
Steps
Install libraries: pip install dissect.cobaltstrike or pip install pyMalleableC2
Parse profile with C2Profile.from_path("profile.profile")
Extract sleep time, jitter percentage, and DNS beacon settings
Analyze process injection settings (spawn-to, allocation technique)
Generate Suricata/Snort signatures from extracted network indicators
Compare profile against known threat actor profile collections
Extract staging URIs and payload delivery mechanisms
Produce detection report with IOCs and recommended network signatures
Expected Output
A JSON report containing extracted C2 URIs, HTTP headers, user agents, sleep/jitter settings, process injection config, spawned process paths, DNS settings, and generated Suricata-compatible detection rules.