Cobalt Strike

InfraGuard parses Malleable C2 profiles to extract URI patterns, HTTP methods, required headers, and message locations. Requests that don’t match the profile score high and are blocked.

Config

domains:
  cdn.example.com:
    upstream: "${CS_UPSTREAM}"              # HTTPS listener URL
    profile_path: "profiles/jquery.profile" # Malleable C2 profile
    profile_type: "cobalt_strike"

    drop_action:
      type: "redirect"
      target: "https://jquery.com"

See config/examples/c2-cobalt-strike.yaml for the full example with pipeline tuning.

Profile Path

The profile at profile_path is read at startup and on hot reload. Use an absolute path or a path relative to the working directory.

If the profile uses http-stager or http-config blocks, InfraGuard extracts all URI patterns from http-get, http-post, and staging paths.

Required Headers Enforcement

If your profile sets custom headers in the metadata or id blocks:

http-get {
    client {
        header "X-Correlation-ID" "{{ base64 }}";
    }
}

InfraGuard validates that these headers are present on inbound requests. Requests missing a required header fail profile validation and score high.
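To see which headers a given profile makes a request carry, and whether a sample request would satisfy them, here is a small added parser and checker in Python. It is example code written for this page, not InfraGuard's own parser; the profile fragment is constructed, it only handles `set uri` and `header` statements, and it assumes exact URI matching.

```python
import re

# Constructed profile fragment in Malleable C2 syntax (sample input, not a shipped profile).
SAMPLE_PROFILE = '''
http-get {
    set uri "/jquery-3.3.1.min.js";
    client {
        header "Accept" "*/*";
        header "X-Correlation-ID" "{{ base64 }}";
        metadata {
            base64url;
            prepend "__cfduid=";
            header "Cookie";
        }
    }
}
'''

BLOCK_RE = re.compile(r'(http-get|http-post)\s*\{(.*?)\n\}', re.S)         # block ends at "}" in column 0
CLIENT_RE = re.compile(r'client\s*\{(.*?)(?=\n\s*server\s*\{|\Z)', re.S)   # client section, up to any server section
URI_RE = re.compile(r'set\s+uri\s+"([^"]+)"')
HEADER_RE = re.compile(r'header\s+"([^"]+)"(?:\s+"([^"]*)")?\s*;')        # 'header "Name" "Value";' or 'header "Name";'


def parse_profile(text):
    """Map each http-get/http-post block to its URIs and the headers a client request must carry.
    A fixed header value must match exactly; a templated value ("{{ ... }}") or a data-carrying
    header (the one-argument form inside metadata/id) only has to be present (stored as None)."""
    profile = {}
    for block, body in BLOCK_RE.findall(text):
        uris = [u for spec in URI_RE.findall(body) for u in spec.split()]  # "set uri" may list several
        headers = {}
        client = CLIENT_RE.search(body)
        if client:
            for name, value in HEADER_RE.findall(client.group(1)):
                headers[name] = value if value and not value.startswith("{{") else None
        profile[block] = {"uris": uris, "headers": headers}
    return profile


def check_request(profile, method, path, headers):
    """Return the reasons a request fails profile validation; an empty list means it matches.
    Assumes exact URI matching and case-insensitive header names."""
    block = {"GET": "http-get", "POST": "http-post"}.get(method.upper())
    if block not in profile:
        return [f"method {method} not defined in profile"]
    spec, reasons = profile[block], []
    if path not in spec["uris"]:
        reasons.append(f"uri {path} not in profile")
    present = {k.lower(): v for k, v in headers.items()}
    for name, fixed in spec["headers"].items():
        got = present.get(name.lower())
        if got is None:
            reasons.append(f"missing required header {name}")
        elif fixed is not None and got != fixed:
            reasons.append(f"header {name} has value {got!r}, expected {fixed!r}")
    return reasons
```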

Domain Fronting

When using domain fronting (CDN), set upstream to the actual C2 listener, not the CDN host. InfraGuard operates behind the CDN.

Example Pipeline Tuning for Cobalt Strike

pipeline:
  filter_mode: "strict"         # C2 traffic — strict is appropriate
  block_score_threshold: 0.6
  enable_profile_filter: true
  enable_replay_filter: true
  replay_persist: true
  enable_sandbox_filter: true
  enable_enumeration_filter: true
  enumeration_unique_path_threshold: 5   # CS beacons hit very few paths