Malleable C2 Profiles
Configuration files that customize C2 traffic appearance to mimic legitimate web activity, evading signature-based network detection.
Malleable C2 profiles are configuration files that define how command-and-control traffic appears on the network by customizing HTTP headers, URI paths, data encoding, and communication patterns. Originally a Cobalt Strike feature, the concept has been adopted across multiple C2 frameworks to help operators disguise malicious traffic as legitimate web activity.
Malleable profiles control every aspect of C2 communication. Operators define the HTTP request and response structure, including URIs, headers, parameters, and body encoding. Traffic can be shaped to mimic legitimate services such as Google, Amazon, or Microsoft cloud APIs. Profiles configure data transforms that encode the payload and prepend or append filler data so it appears as normal web content. Advanced profiles also control process injection behavior, in-memory indicators, and PE header characteristics. The profile is effectively a template that both the implant and the server follow, ensuring consistent communication while evading signature-based network detection.
Malleable profiles represent the arms race between attackers and network defenders. They render simple signature-based IDS rules ineffective because the same C2 framework can produce completely different network signatures depending on the profile used. Defenders must shift from pattern matching to behavioral analysis, examining traffic timing, volume, and contextual anomalies rather than specific byte patterns.
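The behavioral approach described above, as an added example that is not part of the original article: it scores each client/host pair in a few constructed proxy log lines by the regularity of its request timing rather than by any URI, header, or byte pattern. The log format, hostnames, addresses, and thresholds are assumptions chosen for illustration.

```python
"""Beacon-regularity check over constructed proxy log lines (added example).
A profile can change what C2 traffic looks like, but an implant still checks
in on a schedule; timing regularity survives the profile."""

from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample, not real traffic: "timestamp client host uri bytes".
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 cdn.example-ads.net /images/logo.png 512
2024-05-01T10:00:58 10.0.0.5 cdn.example-ads.net /images/logo.png 512
2024-05-01T10:02:01 10.0.0.5 cdn.example-ads.net /images/logo.png 512
2024-05-01T10:03:00 10.0.0.5 cdn.example-ads.net /images/logo.png 512
2024-05-01T10:04:02 10.0.0.5 cdn.example-ads.net /images/logo.png 512
2024-05-01T10:04:59 10.0.0.5 cdn.example-ads.net /images/logo.png 512
2024-05-01T10:00:03 10.0.0.7 news.example.com /index.html 40211
2024-05-01T10:00:05 10.0.0.7 news.example.com /css/main.css 8802
2024-05-01T10:00:41 10.0.0.7 news.example.com /story/123 35120
2024-05-01T10:07:19 10.0.0.7 news.example.com /story/456 36001
2024-05-01T10:07:20 10.0.0.7 news.example.com /img/a.jpg 91233
"""

def parse_log(text):
    """Group request timestamps by (client, host); content fields are ignored."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, client, host, _uri, _size = line.split()
        series[(client, host)].append(datetime.fromisoformat(ts))
    return series

def regularity_score(timestamps):
    """Coefficient of variation of inter-request gaps; lower means more periodic.
    Returns None when there are fewer than two gaps to compare."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)

def find_beacons(text, min_requests=5, max_cv=0.2):
    """Return (client, host, cv) for pairs whose timing looks machine-driven.
    The thresholds are assumptions; tune them against your own baseline."""
    flagged = []
    for (client, host), stamps in parse_log(text).items():
        cv = regularity_score(stamps)
        if len(stamps) >= min_requests and cv is not None and cv <= max_cv:
            flagged.append((client, host, round(cv, 3)))
    return flagged
```

The ad-CDN pair is flagged because its gaps cluster tightly around one minute, while the news site shows the bursty, irregular gaps of a person browsing; in practice this score is one feature to combine with volume and context, not a verdict on its own.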
CDA covers malleable C2 within the TID domain, teaching operators how profiles work and how to detect profiled traffic through behavioral analysis. Theater missions include exercises where operators must identify C2 traffic disguised as legitimate services. This builds the analytical mindset CDA values: understanding the technique beneath the tool so defenses remain effective against novel implementations.
Written by CDA Editorial