hunting-for-cobalt-strike-beacons

// Detect Cobalt Strike beacon network activity using default TLS certificate signatures (serial 8BB00EE), JA3/JA3S/JARM

$ git log --oneline --stat
stars:6.3Kforks:881updated:May 16, 2026 at 14:29
SKILL.md
readonly
namehunting-for-cobalt-strike-beacons
descriptionDetect Cobalt Strike beacon network activity using default TLS certificate signatures (serial 8BB00EE), JA3/JA3S/JARM

name: hunting-for-cobalt-strike-beacons description: Detect Cobalt Strike beacon network activity using default TLS certificate signatures (serial 8BB00EE), JA3/JA3S/JARM fingerprints, HTTP C2 profile pattern matching, beacon jitter analysis, and named pipe detection via Zeek, Suricata, and Python PCAP analysis. domain: cybersecurity subdomain: threat-hunting tags:

  • cobalt-strike
  • beacon
  • threat-hunting
  • c2
  • zeek
  • suricata
  • ja3
  • jarm
  • network-forensics version: '1.0' author: mahipal license: Apache-2.0 nist_csf:
  • DE.CM-01
  • DE.AE-02
  • DE.AE-07
  • ID.RA-05

Hunting for Cobalt Strike Beacons

Overview

Cobalt Strike is the most prevalent command-and-control framework used by both red teams and threat actors. Beacon, its primary payload, communicates with team servers using configurable HTTP/HTTPS/DNS profiles that can mimic legitimate traffic. However, default configurations and behavioral patterns remain detectable through TLS certificate analysis (default serial 8BB00EE), JA3/JA3S fingerprinting, beacon interval jitter analysis, and HTTP malleable profile pattern matching. This skill covers building detection capabilities using Zeek network logs, Suricata IDS rules, and Python-based PCAP analysis to identify beacon callbacks in network traffic.

When to Use

  • When investigating security incidents that require hunting for cobalt strike beacons
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • Zeek 6.0+ with JA3 and HASSH packages installed
  • Suricata 7.0+ with Emerging Threats ruleset
  • Python 3.9+ with scapy and dpkt libraries
  • Network traffic captures (PCAP) or live Zeek logs
  • RITA (Real Intelligence Threat Analytics) for beacon scoring
  • Threat intelligence feeds with known Cobalt Strike IOCs

Steps

Step 1: TLS Certificate Analysis

Detect default Cobalt Strike certificates using JA3S fingerprints, certificate serial numbers, and JARM fingerprints in Zeek ssl.log.

Step 2: Beacon Interval Analysis

Analyze connection timing patterns to identify regular callback intervals with configurable jitter, characteristic of beacon behavior.

Step 3: HTTP Profile Detection

Match HTTP request patterns (URI paths, headers, user-agents) against known malleable C2 profiles.

Step 4: Correlate and Score

Combine multiple indicators (TLS + timing + HTTP profile) into a composite beacon confidence score.

Expected Output

JSON report containing detected beacon candidates with confidence scores, TLS fingerprints, timing analysis, HTTP profile matches, and recommended response actions.