Striking Back at Cobalt: Using Network Traffic Metadata to Detect Cobalt Strike Masquerading Command and Control Channels

Clément Parssegny; Johan Mazel; Olivier Levillain; Pierre Chifflier

doi:10.1007/978-3-032-00624-0_8

Striking Back at Cobalt: Using Network Traffic Metadata to Detect Cobalt Strike Masquerading Command and Control Channels

Clément Parssegny, Johan Mazel, Olivier Levillain, Pierre Chifflier

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Off-the-shelf software for Command and Control is often used by attackers and legitimate pentesters looking for discretion. Among other functionalities, these tools facilitate the customization of their network traffic so it can mimic popular websites, thereby increasing their secrecy. Cobalt Strike is one of the most famous solutions in this category, used by known advanced attacker groups such as “Mustang Panda” or “Nobelium”. In response to these threats, Security Operation Centers and other defense actors struggle to detect Command and Control traffic, which often use encryption protocols such as TLS. Network traffic metadata-based machine learning approaches have been proposed to detect encrypted malware communications or fingerprint websites over Tor network. This paper presents a machine learning-based method to detect Cobalt Strike Command and Control activity based only on widely used network traffic metadata. The proposed method is, to the best of our knowledge, the first of its kind that is able to adapt the model it uses to the observed traffic to optimize its performance. This specificity permits our method to performs equally or better than the state of the art while using standard features thus easier to use in a production environment and more explainable.

Original language	English
Title of host publication	Availability, Reliability and Security - 20th International Conference, ARES 2025, Proceedings
Editors	Mila Dalla Preda, Sebastian Schrittwieser, Vincent Naessens, Bjorn De Sutter
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	163-185
Number of pages	23
ISBN (Print)	9783032006233
DOIs	https://doi.org/10.1007/978-3-032-00624-0_8
Publication status	Published - 1 Jan 2025
Event	20th International Conference on Availability, Reliability and Security, ARES 2025 - Ghent, Belgium Duration: 11 Aug 2025 → 14 Aug 2025

Publication series

Name	Lecture Notes in Computer Science
Volume	15992 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	20th International Conference on Availability, Reliability and Security, ARES 2025
Country/Territory	Belgium
City	Ghent
Period	11/08/25 → 14/08/25

Keywords

Cobalt Strike
Command and Control
Detection
Machine Learning
Network Metadata

Access to Document

10.1007/978-3-032-00624-0_8

Cite this

Parssegny, C., Mazel, J., Levillain, O., & Chifflier, P. (2025). Striking Back at Cobalt: Using Network Traffic Metadata to Detect Cobalt Strike Masquerading Command and Control Channels. In M. Dalla Preda, S. Schrittwieser, V. Naessens, & B. De Sutter (Eds.), Availability, Reliability and Security - 20th International Conference, ARES 2025, Proceedings (pp. 163-185). (Lecture Notes in Computer Science; Vol. 15992 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-032-00624-0_8

Parssegny, Clément ; Mazel, Johan ; Levillain, Olivier et al. / Striking Back at Cobalt : Using Network Traffic Metadata to Detect Cobalt Strike Masquerading Command and Control Channels. Availability, Reliability and Security - 20th International Conference, ARES 2025, Proceedings. editor / Mila Dalla Preda ; Sebastian Schrittwieser ; Vincent Naessens ; Bjorn De Sutter. Springer Science and Business Media Deutschland GmbH, 2025. pp. 163-185 (Lecture Notes in Computer Science).

@inproceedings{b3877f1b583f4a1ebdfe48cbb9fd5f84,

title = "Striking Back at Cobalt: Using Network Traffic Metadata to Detect Cobalt Strike Masquerading Command and Control Channels",

abstract = "Off-the-shelf software for Command and Control is often used by attackers and legitimate pentesters looking for discretion. Among other functionalities, these tools facilitate the customization of their network traffic so it can mimic popular websites, thereby increasing their secrecy. Cobalt Strike is one of the most famous solutions in this category, used by known advanced attacker groups such as “Mustang Panda” or “Nobelium”. In response to these threats, Security Operation Centers and other defense actors struggle to detect Command and Control traffic, which often use encryption protocols such as TLS. Network traffic metadata-based machine learning approaches have been proposed to detect encrypted malware communications or fingerprint websites over Tor network. This paper presents a machine learning-based method to detect Cobalt Strike Command and Control activity based only on widely used network traffic metadata. The proposed method is, to the best of our knowledge, the first of its kind that is able to adapt the model it uses to the observed traffic to optimize its performance. This specificity permits our method to performs equally or better than the state of the art while using standard features thus easier to use in a production environment and more explainable.",

keywords = "Cobalt Strike, Command and Control, Detection, Machine Learning, Network Metadata",

author = "Cl{\'e}ment Parssegny and Johan Mazel and Olivier Levillain and Pierre Chifflier",

note = "Publisher Copyright: {\textcopyright} The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.; 20th International Conference on Availability, Reliability and Security, ARES 2025 ; Conference date: 11-08-2025 Through 14-08-2025",

year = "2025",

month = jan,

day = "1",

doi = "10.1007/978-3-032-00624-0\_8",

language = "English",

isbn = "9783032006233",

series = "Lecture Notes in Computer Science",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "163--185",

editor = "\{Dalla Preda\}, Mila and Sebastian Schrittwieser and Vincent Naessens and \{De Sutter\}, Bjorn",

booktitle = "Availability, Reliability and Security - 20th International Conference, ARES 2025, Proceedings",

}

Parssegny, C, Mazel, J, Levillain, O & Chifflier, P 2025, Striking Back at Cobalt: Using Network Traffic Metadata to Detect Cobalt Strike Masquerading Command and Control Channels. in M Dalla Preda, S Schrittwieser, V Naessens & B De Sutter (eds), Availability, Reliability and Security - 20th International Conference, ARES 2025, Proceedings. Lecture Notes in Computer Science, vol. 15992 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 163-185, 20th International Conference on Availability, Reliability and Security, ARES 2025, Ghent, Belgium, 11/08/25. https://doi.org/10.1007/978-3-032-00624-0_8

Striking Back at Cobalt: Using Network Traffic Metadata to Detect Cobalt Strike Masquerading Command and Control Channels. / Parssegny, Clément; Mazel, Johan; Levillain, Olivier et al.
Availability, Reliability and Security - 20th International Conference, ARES 2025, Proceedings. ed. / Mila Dalla Preda; Sebastian Schrittwieser; Vincent Naessens; Bjorn De Sutter. Springer Science and Business Media Deutschland GmbH, 2025. p. 163-185 (Lecture Notes in Computer Science; Vol. 15992 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Striking Back at Cobalt

T2 - 20th International Conference on Availability, Reliability and Security, ARES 2025

AU - Parssegny, Clément

AU - Mazel, Johan

AU - Levillain, Olivier

AU - Chifflier, Pierre

N1 - Publisher Copyright: © The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.

PY - 2025/1/1

Y1 - 2025/1/1

N2 - Off-the-shelf software for Command and Control is often used by attackers and legitimate pentesters looking for discretion. Among other functionalities, these tools facilitate the customization of their network traffic so it can mimic popular websites, thereby increasing their secrecy. Cobalt Strike is one of the most famous solutions in this category, used by known advanced attacker groups such as “Mustang Panda” or “Nobelium”. In response to these threats, Security Operation Centers and other defense actors struggle to detect Command and Control traffic, which often use encryption protocols such as TLS. Network traffic metadata-based machine learning approaches have been proposed to detect encrypted malware communications or fingerprint websites over Tor network. This paper presents a machine learning-based method to detect Cobalt Strike Command and Control activity based only on widely used network traffic metadata. The proposed method is, to the best of our knowledge, the first of its kind that is able to adapt the model it uses to the observed traffic to optimize its performance. This specificity permits our method to performs equally or better than the state of the art while using standard features thus easier to use in a production environment and more explainable.

AB - Off-the-shelf software for Command and Control is often used by attackers and legitimate pentesters looking for discretion. Among other functionalities, these tools facilitate the customization of their network traffic so it can mimic popular websites, thereby increasing their secrecy. Cobalt Strike is one of the most famous solutions in this category, used by known advanced attacker groups such as “Mustang Panda” or “Nobelium”. In response to these threats, Security Operation Centers and other defense actors struggle to detect Command and Control traffic, which often use encryption protocols such as TLS. Network traffic metadata-based machine learning approaches have been proposed to detect encrypted malware communications or fingerprint websites over Tor network. This paper presents a machine learning-based method to detect Cobalt Strike Command and Control activity based only on widely used network traffic metadata. The proposed method is, to the best of our knowledge, the first of its kind that is able to adapt the model it uses to the observed traffic to optimize its performance. This specificity permits our method to performs equally or better than the state of the art while using standard features thus easier to use in a production environment and more explainable.

KW - Cobalt Strike

KW - Command and Control

KW - Detection

KW - Machine Learning

KW - Network Metadata

UR - https://www.scopus.com/pages/publications/105013738684

U2 - 10.1007/978-3-032-00624-0_8

DO - 10.1007/978-3-032-00624-0_8

M3 - Conference contribution

AN - SCOPUS:105013738684

SN - 9783032006233

T3 - Lecture Notes in Computer Science

SP - 163

EP - 185

BT - Availability, Reliability and Security - 20th International Conference, ARES 2025, Proceedings

A2 - Dalla Preda, Mila

A2 - Schrittwieser, Sebastian

A2 - Naessens, Vincent

A2 - De Sutter, Bjorn

PB - Springer Science and Business Media Deutschland GmbH

Y2 - 11 August 2025 through 14 August 2025

ER -

Parssegny C, Mazel J, Levillain O, Chifflier P. Striking Back at Cobalt: Using Network Traffic Metadata to Detect Cobalt Strike Masquerading Command and Control Channels. In Dalla Preda M, Schrittwieser S, Naessens V, De Sutter B, editors, Availability, Reliability and Security - 20th International Conference, ARES 2025, Proceedings. Springer Science and Business Media Deutschland GmbH. 2025. p. 163-185. (Lecture Notes in Computer Science). doi: 10.1007/978-3-032-00624-0_8