Striking Back at Cobalt: Using Network Traffic Metadata to Detect Cobalt Strike Masquerading Command and Control Channels

Clément Parssegny; Johan Mazel; Olivier Levillain; Pierre Chifflier

doi:10.1007/978-3-032-00624-0_8

Striking Back at Cobalt: Using Network Traffic Metadata to Detect Cobalt Strike Masquerading Command and Control Channels

Clément Parssegny
, Johan Mazel
, Olivier Levillain
, Pierre Chifflier

Résultats de recherche: Le chapitre dans un livre, un rapport, une anthologie ou une collection › Contribution à une conférence › Revue par des pairs

Résumé

Off-the-shelf software for Command and Control is often used by attackers and legitimate pentesters looking for discretion. Among other functionalities, these tools facilitate the customization of their network traffic so it can mimic popular websites, thereby increasing their secrecy. Cobalt Strike is one of the most famous solutions in this category, used by known advanced attacker groups such as “Mustang Panda” or “Nobelium”. In response to these threats, Security Operation Centers and other defense actors struggle to detect Command and Control traffic, which often use encryption protocols such as TLS. Network traffic metadata-based machine learning approaches have been proposed to detect encrypted malware communications or fingerprint websites over Tor network. This paper presents a machine learning-based method to detect Cobalt Strike Command and Control activity based only on widely used network traffic metadata. The proposed method is, to the best of our knowledge, the first of its kind that is able to adapt the model it uses to the observed traffic to optimize its performance. This specificity permits our method to performs equally or better than the state of the art while using standard features thus easier to use in a production environment and more explainable.

langue originale	Anglais
titre	Availability, Reliability and Security - 20th International Conference, ARES 2025, Proceedings
rédacteurs en chef	Mila Dalla Preda, Sebastian Schrittwieser, Vincent Naessens, Bjorn De Sutter
Editeur	Springer Science and Business Media Deutschland GmbH
Pages	163-185
Nombre de pages	23
ISBN (imprimé)	9783032006233
Les DOIs	https://doi.org/10.1007/978-3-032-00624-0_8
état	Publié - 1 janv. 2025
Evénement	20th International Conference on Availability, Reliability and Security, ARES 2025 - Ghent, Belgique Durée: 11 août 2025 → 14 août 2025

Série de publications

Nom	Lecture Notes in Computer Science
Volume	15992 LNCS
ISSN (imprimé)	0302-9743
ISSN (Electronique)	1611-3349

Une conférence

Une conférence	20th International Conference on Availability, Reliability and Security, ARES 2025
Pays/Territoire	Belgique
La ville	Ghent
période	11/08/25 → 14/08/25

Accès au document

10.1007/978-3-032-00624-0_8

Autres fichiers et liens

Lien vers la publication dans Scopus

Contient cette citation

Parssegny, C., Mazel, J., Levillain, O., & Chifflier, P. (2025). Striking Back at Cobalt: Using Network Traffic Metadata to Detect Cobalt Strike Masquerading Command and Control Channels. Dans M. Dalla Preda, S. Schrittwieser, V. Naessens, & B. De Sutter (eds.), Availability, Reliability and Security - 20th International Conference, ARES 2025, Proceedings (p. 163-185). (Lecture Notes in Computer Science; Vol 15992 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-032-00624-0_8

Parssegny, Clément ; Mazel, Johan ; Levillain, Olivier et al. / Striking Back at Cobalt : Using Network Traffic Metadata to Detect Cobalt Strike Masquerading Command and Control Channels. Availability, Reliability and Security - 20th International Conference, ARES 2025, Proceedings. Editeur / Mila Dalla Preda ; Sebastian Schrittwieser ; Vincent Naessens ; Bjorn De Sutter. Springer Science and Business Media Deutschland GmbH, 2025. p. 163-185 (Lecture Notes in Computer Science).

@inproceedings{b3877f1b583f4a1ebdfe48cbb9fd5f84,

title = "Striking Back at Cobalt: Using Network Traffic Metadata to Detect Cobalt Strike Masquerading Command and Control Channels",

abstract = "Off-the-shelf software for Command and Control is often used by attackers and legitimate pentesters looking for discretion. Among other functionalities, these tools facilitate the customization of their network traffic so it can mimic popular websites, thereby increasing their secrecy. Cobalt Strike is one of the most famous solutions in this category, used by known advanced attacker groups such as “Mustang Panda” or “Nobelium”. In response to these threats, Security Operation Centers and other defense actors struggle to detect Command and Control traffic, which often use encryption protocols such as TLS. Network traffic metadata-based machine learning approaches have been proposed to detect encrypted malware communications or fingerprint websites over Tor network. This paper presents a machine learning-based method to detect Cobalt Strike Command and Control activity based only on widely used network traffic metadata. The proposed method is, to the best of our knowledge, the first of its kind that is able to adapt the model it uses to the observed traffic to optimize its performance. This specificity permits our method to performs equally or better than the state of the art while using standard features thus easier to use in a production environment and more explainable.",

keywords = "Cobalt Strike, Command and Control, Detection, Machine Learning, Network Metadata",

author = "Cl{\'e}ment Parssegny and Johan Mazel and Olivier Levillain and Pierre Chifflier",

note = "Publisher Copyright: {\textcopyright} The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.; 20th International Conference on Availability, Reliability and Security, ARES 2025 ; Conference date: 11-08-2025 Through 14-08-2025",

year = "2025",

month = jan,

day = "1",

doi = "10.1007/978-3-032-00624-0\_8",

language = "English",

isbn = "9783032006233",

series = "Lecture Notes in Computer Science",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "163--185",

editor = "\{Dalla Preda\}, Mila and Sebastian Schrittwieser and Vincent Naessens and \{De Sutter\}, Bjorn",

booktitle = "Availability, Reliability and Security - 20th International Conference, ARES 2025, Proceedings",

}

Parssegny, C, Mazel, J, Levillain, O & Chifflier, P 2025, Striking Back at Cobalt: Using Network Traffic Metadata to Detect Cobalt Strike Masquerading Command and Control Channels. Dans M Dalla Preda, S Schrittwieser, V Naessens & B De Sutter (eds), Availability, Reliability and Security - 20th International Conference, ARES 2025, Proceedings. Lecture Notes in Computer Science, VOL. 15992 LNCS, Springer Science and Business Media Deutschland GmbH, p. 163-185, 20th International Conference on Availability, Reliability and Security, ARES 2025, Ghent, Belgique, 11/08/25. https://doi.org/10.1007/978-3-032-00624-0_8

Striking Back at Cobalt: Using Network Traffic Metadata to Detect Cobalt Strike Masquerading Command and Control Channels. / Parssegny, Clément; Mazel, Johan; Levillain, Olivier et al.
Availability, Reliability and Security - 20th International Conference, ARES 2025, Proceedings. Ed. / Mila Dalla Preda; Sebastian Schrittwieser; Vincent Naessens; Bjorn De Sutter. Springer Science and Business Media Deutschland GmbH, 2025. p. 163-185 (Lecture Notes in Computer Science; Vol 15992 LNCS).

Résultats de recherche: Le chapitre dans un livre, un rapport, une anthologie ou une collection › Contribution à une conférence › Revue par des pairs

TY - GEN

T1 - Striking Back at Cobalt

T2 - 20th International Conference on Availability, Reliability and Security, ARES 2025

AU - Parssegny, Clément

AU - Mazel, Johan

AU - Levillain, Olivier

AU - Chifflier, Pierre

N1 - Publisher Copyright: © The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.

PY - 2025/1/1

Y1 - 2025/1/1

N2 - Off-the-shelf software for Command and Control is often used by attackers and legitimate pentesters looking for discretion. Among other functionalities, these tools facilitate the customization of their network traffic so it can mimic popular websites, thereby increasing their secrecy. Cobalt Strike is one of the most famous solutions in this category, used by known advanced attacker groups such as “Mustang Panda” or “Nobelium”. In response to these threats, Security Operation Centers and other defense actors struggle to detect Command and Control traffic, which often use encryption protocols such as TLS. Network traffic metadata-based machine learning approaches have been proposed to detect encrypted malware communications or fingerprint websites over Tor network. This paper presents a machine learning-based method to detect Cobalt Strike Command and Control activity based only on widely used network traffic metadata. The proposed method is, to the best of our knowledge, the first of its kind that is able to adapt the model it uses to the observed traffic to optimize its performance. This specificity permits our method to performs equally or better than the state of the art while using standard features thus easier to use in a production environment and more explainable.

AB - Off-the-shelf software for Command and Control is often used by attackers and legitimate pentesters looking for discretion. Among other functionalities, these tools facilitate the customization of their network traffic so it can mimic popular websites, thereby increasing their secrecy. Cobalt Strike is one of the most famous solutions in this category, used by known advanced attacker groups such as “Mustang Panda” or “Nobelium”. In response to these threats, Security Operation Centers and other defense actors struggle to detect Command and Control traffic, which often use encryption protocols such as TLS. Network traffic metadata-based machine learning approaches have been proposed to detect encrypted malware communications or fingerprint websites over Tor network. This paper presents a machine learning-based method to detect Cobalt Strike Command and Control activity based only on widely used network traffic metadata. The proposed method is, to the best of our knowledge, the first of its kind that is able to adapt the model it uses to the observed traffic to optimize its performance. This specificity permits our method to performs equally or better than the state of the art while using standard features thus easier to use in a production environment and more explainable.

KW - Cobalt Strike

KW - Command and Control

KW - Detection

KW - Machine Learning

KW - Network Metadata

UR - https://www.scopus.com/pages/publications/105013738684

U2 - 10.1007/978-3-032-00624-0_8

DO - 10.1007/978-3-032-00624-0_8

M3 - Conference contribution

AN - SCOPUS:105013738684

SN - 9783032006233

T3 - Lecture Notes in Computer Science

SP - 163

EP - 185

BT - Availability, Reliability and Security - 20th International Conference, ARES 2025, Proceedings

A2 - Dalla Preda, Mila

A2 - Schrittwieser, Sebastian

A2 - Naessens, Vincent

A2 - De Sutter, Bjorn

PB - Springer Science and Business Media Deutschland GmbH

Y2 - 11 August 2025 through 14 August 2025

ER -

Parssegny C, Mazel J, Levillain O, Chifflier P. Striking Back at Cobalt: Using Network Traffic Metadata to Detect Cobalt Strike Masquerading Command and Control Channels. Dans Dalla Preda M, Schrittwieser S, Naessens V, De Sutter B, rédacteurs en chef, Availability, Reliability and Security - 20th International Conference, ARES 2025, Proceedings. Springer Science and Business Media Deutschland GmbH. 2025. p. 163-185. (Lecture Notes in Computer Science). doi: 10.1007/978-3-032-00624-0_8