hunting-for-cobalt-strike-beacons

Installation
SKILL.md

Hunting for Cobalt Strike Beacons

Overview

Cobalt Strike is the most prevalent command-and-control framework used by both red teams and threat actors. Beacon, its primary payload, communicates with team servers using configurable HTTP/HTTPS/DNS profiles that can mimic legitimate traffic. However, default configurations and behavioral patterns remain detectable through TLS certificate analysis (default serial 8BB00EE), JA3/JA3S fingerprinting, beacon interval jitter analysis, and HTTP malleable profile pattern matching. This skill covers building detection capabilities using Zeek network logs, Suricata IDS rules, and Python-based PCAP analysis to identify beacon callbacks in network traffic.

When to Use

  • When investigating security incidents that require hunting for cobalt strike beacons
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

Installs
31
GitHub Stars
24.7K
First Seen
Mar 17, 2026
hunting-for-cobalt-strike-beacons — mukul975/anthropic-cybersecurity-skills