Striking Back At Cobalt: Using Network Traffic Metadata To Detect Cobalt Strike Masquerading Command and Control Channels
Clément Parssegny, Johan Mazel, Olivier Levillain, Pierre Chifflier

TL;DR
This paper introduces an adaptive machine learning method that detects Cobalt Strike command and control traffic using only network traffic metadata, outperforming existing approaches and enhancing practical deployment.
Contribution
It presents the first adaptive machine learning approach for detecting Cobalt Strike C2 channels based solely on network metadata, improving accuracy and explainability.
Findings
Performs as well or better than state-of-the-art methods
Uses only standard network traffic features
Is adaptable to observed traffic for optimized detection
Abstract
Off-the-shelf software for Command and Control is often used by attackers and by legitimate pentesters looking for discretion. Among other functionalities, these tools facilitate the customization of their network traffic so it can mimic popular websites, thereby increasing their secrecy. Cobalt Strike is one of the most famous solutions in this category, used by known advanced attacker groups such as "Mustang Panda" or "Nobelium". In response to these threats, Security Operation Centers and other defense actors struggle to detect Command and Control traffic, which often uses encryption protocols such as TLS. Network traffic metadata-based machine learning approaches have been proposed to detect encrypted malware communications or to fingerprint websites over the Tor network. This paper presents a machine learning-based method to detect Cobalt Strike Command and Control activity based only on…
Taxonomy
Topics: Internet Traffic Analysis and Secure E-voting · Network Security and Intrusion Detection · Web Application Security Vulnerabilities
