Cobalt Strike Hunting — Malleable C2 jQuery profile & rundll32 Analysis

Michael Koczwara
4 min read · Aug 5, 2021

Agenda:

Malleable C2 — jQuery profiles.

Cobalt Strike — SpawnTo and Rundll32.

PCAP & VT Analysis — Rundll32 connecting over TCP to Cobalt Strike C2.

Cobalt Strike Malleable C2 User-Agents.

Malleable C2 — jQuery profiles.

Malleable C2 profiles are widely used with Cobalt Strike, a popular framework used by red teamers, APTs, and ransomware groups.

Fully customized Malleable C2 profiles allow adversaries to evade not only network-based detection (IDS) on the wire but also endpoint security products (EDR). Cobalt Strike operators can customize the shape and timing of C2 beacon traffic via the sleeptime and jitter settings, and can also customize on-target behaviour such as process injection and in-memory obfuscation methods.

Malleable C2 profiles can simply mirror a legitimate program's values, such as those in the HTTP headers, so that the connection appears identical to benign traffic such as a jQuery download.
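When the headers are a faithful copy of jQuery traffic, the beacon's timing is often the signal that survives. The following Python heuristic is an added example (not code from the post): it models jitter as shortening each sleep by a random fraction up to the jitter percentage (an assumption about Cobalt Strike's behaviour) and scores a list of constructed connection timestamps for that shape.

```python
"""Beacon-timing heuristic for sleep/jitter style C2 callbacks.

Added example, not from the original post. Assumption: the configured
sleeptime is the base interval and jitter (a percentage) shortens each
sleep by a random fraction up to that value, so inter-arrival gaps cluster
inside [sleep * (1 - jitter), sleep]. Human-driven traffic is bursty and
its gaps spread over orders of magnitude instead.
"""
from statistics import median

# Constructed sample: outbound connection times (seconds) from one host to
# one jQuery-looking C2, roughly sleep 60s with ~20% jitter.
BEACON_TIMES = [0, 55, 108, 167, 216, 268, 326, 377, 437, 486, 540, 600]
# Constructed sample: a person browsing, irregular and bursty.
HUMAN_TIMES = [0, 2, 3, 9, 180, 181, 183, 900, 905, 3600, 3601, 3650]


def beacon_score(times, min_events=8, max_jitter=0.5):
    """Score one client/server pair's connection timestamps.

    Returns None when there are too few events to judge, otherwise a dict
    with the implied sleeptime, implied jitter, gap dispersion and a flag.
    max_jitter is the largest jitter fraction we still treat as beacon-like.
    """
    if len(times) < min_events:
        return None
    gaps = sorted(b - a for a, b in zip(times, times[1:]))
    shortest, longest = gaps[0], gaps[-1]
    if longest <= 0:
        return None
    # Under the jitter model the longest gap approximates the sleeptime and
    # the shortest gap approximates sleep * (1 - jitter).
    jitter = 1 - shortest / longest
    # Gap range relative to the median gap: small for a beacon, huge for
    # human traffic where a few long idle periods dominate.
    dispersion = (longest - shortest) / median(gaps)
    return {
        "sleep_estimate": longest,
        "jitter_estimate": round(jitter, 2),
        "dispersion": round(dispersion, 2),
        "beacon_like": jitter <= max_jitter and dispersion <= 2 * max_jitter,
    }


if __name__ == "__main__":
    print("beacon sample:", beacon_score(BEACON_TIMES))
    print("human sample: ", beacon_score(HUMAN_TIMES))
```

Run it over per-pair (source host, destination) timestamps pulled from proxy or flow logs; pairs flagged beacon-like are candidates for the header and process checks covered later in the post.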

jQuery Malleable snippet.

jQuery Malleable C2 profiles.

Other jQuery Malleable C2 profiles are available on GitHub.

Cobalt Strike CloudFront C2 examples using Malleable jQuery profiles.

Threat actors can hide Cobalt Strike servers behind Cloudflare to blend the traffic in and make it harder to detect.
