International Cyber Expo International Cyber Expo
  • About Us
Sunday, 12 July, 2026
IT Security Guru
International Cyber Expo
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

The Challenges Of Cobalt Strike Server Fingerprinting.

By Jason Reaves, and Joshua Platt, Principal Threat Researchers at Flashpoint

by The Gurus
November 7, 2019
in Featured, Threat Detection
Fingerprint Biometrics Computer
Share on FacebookShare on Twitter

The misuse of legitimate security tools by criminals and state-sponsored actors has been a dilemma for close to two decades. Penetration-testing software and red-teaming frameworks were built for the purpose of testing the defences of enterprise networks, but that hasn’t stopped individuals and collectives with malicious intent from pirating or hacking these tools and using them to nefarious ends.

Cobalt Strike is one such tool that is being widely abused, and if your organisation has not engaged with a penetration-testing or red-teaming firm, it’s crucial that network security specialists learn how to detect potentially illicit traffic and understand the steps threat actors are taking to bypass detection.

One thing is certain: there’s more than one way to skin this cat.

Identifying Cobalt Strike a Defender’s Imperative

Cobalt Strike was built and is distributed by Strategic Cyber LLC of Washington, D.C., founded in 2012 by Raphael Mudge. The platform was built for red teams and allows them to simulate the actions of adversaries. The tool can be used, for example, to identify vulnerabilities present in network resources, launch attacks exploiting those flaws, and issue further commands. Clearly in the hands of someone with ill intent, Cobalt Strike, like Metasploit, Mimikatz and numerous other testing tools, can be a dangerous implement.

Strategic Cyber LLC tries to address the risk by limiting distribution of Cobalt Strike to security teams engaged only in ethical pen-testing or red-teaming. The company says it screens and performs a risk assessment on all trial requests and sales, degrades functionality in trial distributions, and adds identifiers to licensed products to identify users.

Determined threat actors, however, usually find a way. Pirated or hacked versions of Cobalt Strike are in the wild and targeting organisations, making it imperative that defenders track and detect this type of activity within their network.

There are many means by which to fingerprint Cobalt Strike team server traffic, which controls what is known as the Beacon, or payload. The Beacon will communicate with the team server through DNS request lookups. The DNS response will instruct the beacon how and when to download additional commands from the team server.

The behaviour of its Beacon can be customised using Cobalt Strike’s Malleable C2 (command-and-control) profiles, which enable users to change their network indicators and emulate the tactics, techniques, and procedures (TTPs) of threat actors in the wild. There are a number of methods for identifying Cobalt Strike servers, many of which have been publicly documented by researchers and vendors, including Strategic Cyber LLC. Most of these methods employ server fingerprinting techniques based on Cobalt Strike’s default settings, which can be easily changed using a Malleable C2 profile.

The Power of Malleable C2 Profiles

Cobalt Strike servers come preconfigured with various default settings that, if left unchanged, can be used to identify and fingerprint them. It is important to note that the functionality of Cobalt Strike’s Malleable C2 profiles makes it relatively easy to change these default settings, so they are not present on—and thus cannot be used to identify or fingerprint—every Cobalt Strike server.

One such setting—an extraneous space in an HTTP response header—was being used by researchers for 18 months to identify Cobalt Strike team servers. Strategic Cyber LLC removed the space in version 3.13 of Cobalt Strike in January, and it can no longer be used to identify team servers.

This also demonstrates the power of Cobalt Strike’s Malleable C2 profiles, which allow users to transform data, store it in a transaction, and also extract and recover data from transactions, according to Strategic Cyber LLC. Threat actors may just as easily use them to bypass detection and make a team server difficult to fingerprint. For example, they could use a Malleable C2 profile to change default HTTP response headers to change server parameters, or replace default TLS/SSL certificates, or switch administrator ports.

Assessment

Given the prevalence and popularity of Cobalt Strike for legitimate and malicious purposes, it is critical to be able to identify as many Cobalt Strike servers as possible. Although there are a number of well-documented methods for identifying these servers, most rely on server fingerprinting based on Cobalt Strike’s default settings, which can be easily changed. No single method for identifying Cobalt Strike servers is foolproof.

Share1Tweet
Previous Post

Kaspersky To Open First Transparency Center In APAC.

Next Post

Virgin Hyperloop One Utilised OneLogin

Recent News

Cyber Shield

UK Government Unveils AI Powered Cyber Shield to Strengthen National Cyber Defense

July 10, 2026
KnowBe4 phishing by industry

Healthcare, Hospitality and Construction Named UK’s Most Phishing-Prone Industries

July 10, 2026
hand typing on keyboard

CitrixBleed 2 exploited in repeatable attack chain culminating in DragonForce ransomware, researchers find

July 9, 2026
malware

Huntress Uncovers ‘Vibe-Coded’ Malware Used to Map Active Directory Environments

July 8, 2026

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol

  • About Us
Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
  • Manage options
  • Manage services
  • Manage {vendor_count} vendors
  • Read more about these purposes
View preferences
  • {title}
  • {title}
  • {title}
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol