hunting-for-cobalt-strike-beacons

name: hunting-for-cobalt-strike-beacons description: Detect Cobalt Strike beacon network activity using default TLS certificate signatures (serial 8BB00EE), JA3/JA3S/JARM fingerprints, HTTP C2 profile pattern matching, beacon jitter analysis, and named pipe detection via Zeek, Suricata, and Python PCAP analysis. domain: cybersecurity subdomain: threat-hunting tags:

• cobalt-strike
• beacon
• threat-hunting
• c2
• zeek
• suricata
• ja3
• jarm
• network-forensics version: '1.0' author: mahipal license: Apache-2.0 nist_csf:
• DE.CM-01
• DE.AE-02
• DE.AE-07
• ID.RA-05

Hunting for Cobalt Strike Beacons

Overview

Cobalt Strike is the most prevalent command-and-control framework used by both red teams and threat actors. Beacon, its primary payload, communicates with team servers using configurable HTTP/HTTPS/DNS profiles that can mimic legitimate traffic. However, default configurations and behavioral patterns remain detectable through TLS certificate analysis (default serial 8BB00EE), JA3/JA3S fingerprinting, beacon interval jitter analysis, and HTTP malleable profile pattern matching. This skill covers building detection capabilities using Zeek network logs, Suricata IDS rules, and Python-based PCAP analysis to identify beacon callbacks in network traffic.

When to Use

• When investigating security incidents that require hunting for cobalt strike beacons
• When building detection rules or threat hunting queries for this domain
• When SOC analysts need structured procedures for this analysis type
• When validating security monitoring coverage for related attack techniques

Detection Gaps & Validation

• Default IOCs are trivially changed: the 8BB00EE cert serial, default JARM, and stock JA3S only catch lazy operators — mature actors load custom certs and malleable C2 profiles that mimic jQuery/CDN traffic. Absence of the default cert is not "clean"; pivot to timing + JA3/JA4 + HTTP profile anomalies.
• Malleable profile mimicry: http-get/http-post blocks can spoof legitimate User-Agents, URIs, and headers — match on the combination (fixed URI + beacon timing + bytes-out regularity), not any single header.
• DNS / SMB pipe beacons evade TLS rules: DNS beacons (TXT/A) and peer-to-peer SMB named pipes (\\.\pipe\msagent_*, \\.\pipe\status_*) never touch ssl.log — add Zeek dns.log entropy hunts and Sysmon EID 17/18 named-pipe detection.
• Encrypted payloads: beacon config is AES/XOR-encrypted in memory, so PCAP content rules fail — use a beacon-config extractor on memory/payloads, not packet bytes.
• Validate: detonate a CS/Sliver test beacon with a non-default profile and confirm the timing-CV, JA3, and named-pipe detections all fire; verify Suricata ET rules match.
• Tune FPs: CDNs and SaaS reuse common JA3s — corroborate with beacon regularity and process context before escalating.

Prerequisites

• Zeek 6.0+ with JA3 and HASSH packages installed
• Suricata 7.0+ with Emerging Threats ruleset
• Python 3.9+ with scapy and dpkt libraries
• Network traffic captures (PCAP) or live Zeek logs
• RITA (Real Intelligence Threat Analytics) for beacon scoring
• Threat intelligence feeds with known Cobalt Strike IOCs

Steps

Step 1: TLS Certificate Analysis

Detect default Cobalt Strike certificates using JA3S fingerprints, certificate serial numbers, and JARM fingerprints in Zeek ssl.log.

Step 2: Beacon Interval Analysis

Analyze connection timing patterns to identify regular callback intervals with configurable jitter, characteristic of beacon behavior.

Step 3: HTTP Profile Detection

Match HTTP request patterns (URI paths, headers, user-agents) against known malleable C2 profiles.

Step 4: Correlate and Score

Combine multiple indicators (TLS + timing + HTTP profile) into a composite beacon confidence score.

Expected Output

JSON report containing detected beacon candidates with confidence scores, TLS fingerprints, timing analysis, HTTP profile matches, and recommended response actions.