--- name: hunting-for-cobalt-strike-beacons description: Detect Cobalt Strike beacon network activity using default TLS certificate signatures (serial 8BB00EE), JA3/JA3S/JARM fingerprints, HTTP C2 profile pattern matching, beacon jitter analysis, and named pipe detection via Zeek, Suricata, and Python PCAP analysis. domain: cybersecurity subdomain: threat-hunting tags: - cobalt-strike - beacon - threat-hunting - c2 - zeek - suricata - ja3 - jarm - network-forensics version: '1.0' author: mahipal license: Apache-2.0 nist_csf: - DE.CM-01 - DE.AE-02 - DE.AE-07 - ID.RA-05 --- # Hunting for Cobalt Strike Beacons ## Overview Cobalt Strike is the most prevalent command-and-control framework used by both red teams and threat actors. Beacon, its primary payload, communicates with team servers using configurable HTTP/HTTPS/DNS profiles that can mimic legitimate traffic. However, default configurations and behavioral patterns remain detectable through TLS certificate analysis (default serial 8BB00EE), JA3/JA3S fingerprinting, beacon interval jitter analysis, and HTTP malleable profile pattern matching. This skill covers building detection capabilities using Zeek network logs, Suricata IDS rules, and Python-based PCAP analysis to identify beacon callbacks in network traffic. ## When to Use - When investigating security incidents that require hunting for cobalt strike beacons - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Zeek 6.0+ with JA3 and HASSH packages installed - Suricata 7.0+ with Emerging Threats ruleset - Python 3.9+ with scapy and dpkt libraries - Network traffic captures (PCAP) or live Zeek logs - RITA (Real Intelligence Threat Analytics) for beacon scoring - Threat intelligence feeds with known Cobalt Strike IOCs ## Steps ### Step 1: TLS Certificate Analysis Detect default Cobalt Strike certificates using JA3S fingerprints, certificate serial numbers, and JARM fingerprints in Zeek ssl.log. ### Step 2: Beacon Interval Analysis Analyze connection timing patterns to identify regular callback intervals with configurable jitter, characteristic of beacon behavior. ### Step 3: HTTP Profile Detection Match HTTP request patterns (URI paths, headers, user-agents) against known malleable C2 profiles. ### Step 4: Correlate and Score Combine multiple indicators (TLS + timing + HTTP profile) into a composite beacon confidence score. ## Expected Output JSON report containing detected beacon candidates with confidence scores, TLS fingerprints, timing analysis, HTTP profile matches, and recommended response actions.