Cobalt Strike — Detection and Beacon Analysis
ATT&CK techniques: T1055, T1572, T1071
A comprehensive guide to detecting Cobalt Strike — beacon traffic patterns, Malleable C2 profiles, JA3/JA3S hashes, named pipe indicators, process injection signatures, and detection queries for SOC analysts.
What Cobalt Strike Is and Why Detection Matters
- Cobalt Strike is a commercial adversary simulation tool, now developed and sold by Fortra (formerly HelpSystems). It provides a post-exploitation agent (Beacon), C2 infrastructure, and a suite of attack capabilities, including process injection, keylogging, credential theft, and lateral movement. On the host, analysts most often detect Beacon through Sysmon process creation, process access and named pipe events; on the network, through beacon timing and TLS, HTTP and DNS fingerprints.
- Cobalt Strike is consistently among the most common C2 frameworks observed in real-world intrusions. Ransomware affiliates (LockBit, BlackCat, Ryuk), APTs, and nation-state actors have all deployed Cobalt Strike Beacons.
- MITRE ATT&CK maps Cobalt Strike behavior across multiple techniques: T1055 (Process Injection) for Beacon payload injection, T1572 (Protocol Tunneling) for C2 communication, T1071 (Application Layer Protocol) for HTTP/HTTPS/DNS beacons, and T1090.004 (Proxy: Domain Fronting) for domain fronting through CDNs.
- Detection is difficult because Cobalt Strike’s Malleable C2 profile allows operators to customize every aspect of beacon traffic, including HTTP headers, SSL/TLS certificates, DNS query patterns, and beacon timing, to blend in with legitimate traffic.
Beacon Detection — Network Layer
Beacon Timing — Jitter and Sleep Cycle
Cobalt Strike Beacon checks in on a configurable sleep interval with an optional jitter percentage. Even with a custom profile the interval stays inside a narrow band, and that band is what inter-arrival analysis detects.
```text
# Default behavior: Beacon sleeps for N seconds, then checks in
# With jitter: each sleep is shortened by a random amount of up to the jitter percentage
# Example: sleep 60s, jitter 25% → check-in every 45-60 seconds (jitter never lengthens the sleep)
```
Detection — inter-packet timing analysis:
| Signal | What to Look For | Detection Method |
|---|---|---|
| Regular intervals | Connections at consistent intervals (± jitter percentage) | Statistical analysis of connection timing in conn.log |
| Short check-in time | Beacon connects, sends small payload, receives commands, disconnects quickly (< 1 second) | NetFlow/conn.log — low duration, small byte count |
| Same-sized requests | HTTP POST bodies have identical size across multiple beacons | Zeek http.log — request_body_len column |
| Off-hours only | Beacon only checks in during off-hours or on a schedule | Time-based analysis — compare to business hours |
SPL query — beacon timing detection (regularity is measured on the inter-arrival deltas between consecutive connections, not on the raw timestamps, whose standard deviation only grows with the time window):
```spl
index=zeek sourcetype=conn.log proto=tcp (id.resp_p=443 OR id.resp_p=80)
| where NOT cidrmatch("10.0.0.0/8", 'id.resp_h') AND NOT cidrmatch("172.16.0.0/12", 'id.resp_h') AND NOT cidrmatch("192.168.0.0/16", 'id.resp_h')
| sort 0 id.orig_h, id.resp_h, _time
| streamstats current=f last(_time) as prev_time by id.orig_h, id.resp_h
| eval delta = _time - prev_time
| where isnotnull(delta)
| stats count, avg(delta) as avg_interval, stdev(delta) as interval_stdev, avg(duration) as avg_duration by id.orig_h, id.resp_h
| where count > 10 AND interval_stdev < 0.3 * avg_interval
| eval alert = "Possible C2 beaconing — " . count . " connections from " . 'id.orig_h' . " to " . 'id.resp_h' . " (interval " . round(avg_interval, 1) . "s, stdev " . round(interval_stdev, 1) . "s)"
| table id.orig_h, id.resp_h, count, avg_interval, interval_stdev, avg_duration, alert
| sort - count
```
The 0.3 ratio (stdev below 30% of the mean interval) is a starting point; a sleep of 60 with 25% jitter produces intervals of 45-60 seconds, a ratio of roughly 0.08, so it is comfortably inside the threshold.
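As an added, runnable illustration of the interval analysis above (example code written for this page, not part of the original and not Cobalt Strike's own code), the following Python reproduces the sleep/jitter arithmetic, constructs conn.log-style records for one beaconing host and one normally browsing host, and scores each (source, destination) pair on the coefficient of variation of its inter-arrival times. The IPs, timestamps, the browsing gap pattern and the 0.3 CV threshold are assumptions chosen for the sample.

```python
"""Beacon interval analysis over constructed conn.log-style records (added example)."""
import random
import statistics
from collections import defaultdict


def jitter_window(sleep, jitter_pct):
    """Cobalt Strike jitter shortens the sleep: sleep=60, jitter=25 gives check-ins
    every 45-60 s. The upper bound is the configured sleep; jitter never adds to it."""
    return (sleep * (1 - jitter_pct / 100.0), float(sleep))


def simulate_beacon(start, sleep, jitter_pct, n, seed=7):
    """Constructed check-in timestamps following the sleep/jitter rule above."""
    lo, hi = jitter_window(sleep, jitter_pct)
    rng = random.Random(seed)
    stamps, t = [], float(start)
    for _ in range(n):
        stamps.append(t)
        t += rng.uniform(lo, hi)
    return stamps


def simulate_browsing(start, n):
    """Constructed human-driven traffic: tight bursts separated by long idle gaps."""
    gaps = [2, 400, 7, 1200, 1, 35, 90, 3000, 12, 600]
    stamps, t = [], float(start)
    for i in range(n):
        stamps.append(t)
        t += gaps[i % len(gaps)]
    return stamps


def score_pairs(records, min_count=10, max_cv=0.3):
    """records: iterable of (ts, orig_h, resp_h).

    For every (src, dst) pair with at least min_count connections, compute the
    inter-arrival deltas and their mean, population stdev and coefficient of
    variation (stdev/mean). A low CV is the beacon signature; the stdev of the raw
    timestamps says nothing about regularity, so it is never used here."""
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
    scores = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        deltas = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(deltas)
        sd = statistics.pstdev(deltas)
        cv = sd / mean if mean else float("inf")
        scores[pair] = {"count": len(stamps), "mean_interval": mean,
                        "stdev": sd, "cv": cv, "beacon": cv <= max_cv}
    return scores


def build_records():
    """Two constructed hosts: 10.0.0.5 runs a Beacon (sleep 60, jitter 25) against
    203.0.113.10; 10.0.0.7 browses 198.51.100.20 normally."""
    start = 1_700_000_000
    beacon = [(t, "10.0.0.5", "203.0.113.10") for t in simulate_beacon(start, 60, 25, 40)]
    browsing = [(t, "10.0.0.7", "198.51.100.20") for t in simulate_browsing(start, 40)]
    return beacon + browsing


if __name__ == "__main__":
    for (src, dst), s in score_pairs(build_records()).items():
        verdict = "BEACON" if s["beacon"] else "ok"
        print(f"{src} -> {dst}: n={s['count']} mean={s['mean_interval']:.1f}s "
              f"sd={s['stdev']:.1f}s cv={s['cv']:.2f} {verdict}")
```

Tune min_count and max_cv per environment: update agents and telemetry clients also beacon, so in practice the CV score is one feature alongside destination rarity, byte-count consistency and the host-layer signals later on this page.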
JA3 and JA3S Hashes
JA3 is the MD5 of a string built from the TLS ClientHello: protocol version, offered cipher suites, extension types, supported elliptic curves and EC point formats (GREASE values are dropped). JA3S is the equivalent hash of the ServerHello. Together they fingerprint the TLS implementations at both ends of the connection. Note what is actually fingerprinted: on Windows, Beacon's HTTPS channel goes through WinINet, so the client-side JA3 is that of the host's TLS stack and is shared with legitimate software on the same Windows build; the JA3S of the team server, a Java application, is the more stable of the two.
Known Cobalt Strike JA3 Hashes (default profiles):
| JA3 Hash | Profile | Context |
|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Default Cobalt Strike HTTPS | Default C2 HTTPS listener |
| b4fbf39a4c42e0d07f7771fddc058ab4 | Default Cobalt Strike HTTPS (older) | Older Beacon versions |
| 72a589da5862e794ba8ab391f56b7f02 | Malleable profile (common variant) | Custom C2 with modified cipher list |
| 51c64c77f60d00d2a91bbcec018e5f8b | Malleable profile (common variant) | Custom C2 with modified cipher list |
Detection — JA3 hash matching (the ja3 and ja3s fields appear in ssl.log only when the Zeek JA3 package is loaded):
```spl
index=zeek sourcetype=ssl.log
| lookup cs_ja3_blocklist.csv ja3 AS ja3 OUTPUT confidence
| where isnotnull(confidence) AND confidence > 0
| eval alert = "Cobalt Strike JA3 fingerprint detected: " . ja3 . " (confidence: " . confidence . ")"
| table ts, id.orig_h, id.resp_h, server_name, ja3, ja3s, confidence, alert
```
Important caveat: Malleable C2 profiles can change the JA3 hash, and so can a different Windows build or a non-Windows Beacon, while several of the hashes above also occur on legitimate Windows software. Do not rely on JA3 alone: treat a match as one signal to corroborate with timing analysis and host telemetry, and prefer the server-side JA3S where your sensor records it.
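To make concrete what the hash actually covers, here is an added Python example (written for this page; it is neither Zeek's nor the original JA3 project's implementation) that builds a TLS record carrying a constructed ClientHello, parses it back, assembles the JA3 string in the standard field order and hashes it. The cipher, extension and curve values are a constructed test vector, not a capture of Beacon; the second vector adds GREASE values to show that they are excluded and therefore do not change the hash.

```python
"""Compute a JA3 fingerprint from a raw TLS ClientHello (added example)."""
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ... 0xfafa. JA3 drops them from every list.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}
SUPPORTED_GROUPS, EC_POINT_FORMATS = 10, 11


def _u16(v):
    return struct.pack(">H", v)


def build_client_hello(version, ciphers, extensions, curves, point_formats):
    """Assemble a TLS record (type 0x16) holding a ClientHello. Constructed data only:
    the random is zeroed, the session id is empty and unknown extensions are empty."""
    ext_blobs = []
    for ext_type in extensions:
        if ext_type == SUPPORTED_GROUPS:
            body = b"".join(_u16(c) for c in curves)
            data = _u16(len(body)) + body
        elif ext_type == EC_POINT_FORMATS:
            data = bytes([len(point_formats)]) + bytes(point_formats)
        else:
            data = b""
        ext_blobs.append(_u16(ext_type) + _u16(len(data)) + data)
    exts = b"".join(ext_blobs)
    cipher_bytes = b"".join(_u16(c) for c in ciphers)
    body = (_u16(version) + bytes(32) + b"\x00"
            + _u16(len(cipher_bytes)) + cipher_bytes
            + b"\x01\x00"                       # one compression method: null
            + _u16(len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + _u16(0x0301) + _u16(len(handshake)) + handshake


def ja3_from_record(rec):
    """Parse the record and return (ja3_string, ja3_md5)."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs, p = rec[5:], 4                        # skip handshake type + 3-byte length
    version = struct.unpack(">H", hs[p:p + 2])[0]
    p += 2 + 32                               # version, random
    p += 1 + hs[p]                            # session id
    cs_len = struct.unpack(">H", hs[p:p + 2])[0]
    p += 2
    ciphers = [struct.unpack(">H", hs[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + hs[p]                            # compression methods
    ext_types, curves, pfs = [], [], []
    if p < len(hs):
        end = p + 2 + struct.unpack(">H", hs[p:p + 2])[0]
        p += 2
        while p < end:
            et, el = struct.unpack(">HH", hs[p:p + 4])
            data = hs[p + 4:p + 4 + el]
            p += 4 + el
            ext_types.append(et)
            if et == SUPPORTED_GROUPS:
                n = struct.unpack(">H", data[:2])[0]
                curves = [struct.unpack(">H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif et == EC_POINT_FORMATS:
                pfs = list(data[1:1 + data[0]])

    def keep(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)

    ja3 = ",".join([str(version), keep(ciphers), keep(ext_types), keep(curves), keep(pfs)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


# Constructed vectors: TLS 1.2, three suites, five extensions, two curves, one point format.
PLAIN = build_client_hello(0x0303, (0xC02B, 0xC02F, 0x009C), (0, 10, 11, 35, 23),
                           (0x001D, 0x0017), (0,))
GREASED = build_client_hello(0x0303, (0x0A0A, 0xC02B, 0xC02F, 0x009C), (0x1A1A, 0, 10, 11, 35, 23),
                             (0x2A2A, 0x001D, 0x0017), (0,))

if __name__ == "__main__":
    for name, rec in (("plain", PLAIN), ("greased", GREASED)):
        s, h = ja3_from_record(rec)
        print(f"{name}: {s} -> {h}")
```

Because the string is built from the whole offered cipher and extension lists in order, any change to the TLS library or its configuration (a new Windows build, a different HTTP client, a profile that alters the handshake) yields a different hash, which is why a blocklist of hashes decays and why the stack behind the hash matters more than the hash itself.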
HTTP Header Analysis
Cobalt Strike’s HTTP Beacon sends a configurable User-Agent, Cookie and Accept header set; default profiles and widely copied public profiles have recognizable patterns. The stronger signal is usually not a header value on its own but its consistency: the same outdated User-Agent, or the same cookie value, recurring from several hosts to one destination.
| Header | Default Cobalt Strike Pattern | Suspicious Indicator |
|---|---|---|
| User-Agent | Default: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) or custom | Outdated or uncommon User-Agent seen across multiple hosts |
| Cookie | Default: __cfduid (mimicking Cloudflare cookie) | Same cookie value across different source IPs and timeframes |
| Accept | Default: */* | Rare but notable when paired with other anomalies |
| Referer | Often empty or fake | Consistent fake referrer across multiple beacon calls |
| Content-Type | application/x-www-form-urlencoded for POST | Beacon POST tasks use this content type |
Detection — HTTP header anomalies (run in Splunk or your SIEM; the eventstats pass adds the cross-host cookie check from the table):
```spl
index=proxy sourcetype=access_log
| eventstats dc(src_ip) as hosts_sharing_cookie by dest_ip, cookie
| stats values(user_agent) as user_agents, values(cookie) as cookies, max(hosts_sharing_cookie) as hosts_sharing_cookie, count by src_ip, dest_ip, uri
| where mvcount(user_agents)=1 AND in(user_agents, "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)", "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0)")
| eval alert = "Suspicious HTTP request from " . src_ip . " to " . dest_ip . " with outdated User-Agent — possible Cobalt Strike" . if(hosts_sharing_cookie > 1, " (cookie shared by " . hosts_sharing_cookie . " hosts)", "")
| table src_ip, dest_ip, uri, user_agents, cookies, hosts_sharing_cookie, count, alert
```
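The same two checks over a handful of proxy log lines, as an added Python example (written for this page, not part of the original): the per-host outdated User-Agent test, and the cross-host cookie correlation. The log is constructed, tab-separated, and uses the header values from the table; the destination IPs, URIs and cookie values are assumptions.

```python
"""Cross-host HTTP header correlation over a constructed proxy log (added example)."""
import csv
import io
from collections import defaultdict

# User-Agent strings from the table above; extend from your own profile knowledge.
OUTDATED_UAS = {
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
    "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0)",
}

# Constructed tab-separated proxy log (not a capture): two hosts carrying the same
# outdated UA and the same cookie to one destination, plus two hosts browsing normally.
SAMPLE_LOG = "\n".join([
    "ts\tsrc_ip\tdest_ip\turi\tuser_agent\tcookie",
    "1700000000\t10.0.0.5\t203.0.113.10\t/__utm.gif\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)\t__cfduid=d41d8cd98f00b204e9800998ecf8427e",
    "1700000060\t10.0.0.5\t203.0.113.10\t/__utm.gif\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)\t__cfduid=d41d8cd98f00b204e9800998ecf8427e",
    "1700000120\t10.0.0.9\t203.0.113.10\t/__utm.gif\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)\t__cfduid=d41d8cd98f00b204e9800998ecf8427e",
    "1700000125\t10.0.0.7\t198.51.100.20\t/index.html\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0\tsessionid=a1b2c3",
    "1700000130\t10.0.0.7\t198.51.100.20\t/app.js\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0\tsessionid=a1b2c3",
    "1700000200\t10.0.0.11\t198.51.100.20\t/index.html\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0\tsessionid=z9y8x7",
]) + "\n"


def parse_log(text):
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def outdated_ua_hosts(rows):
    """(src, dest) pairs where the host used exactly one User-Agent toward that
    destination and it is on the outdated list (the per-host half of the SPL query)."""
    uas = defaultdict(set)
    for r in rows:
        uas[(r["src_ip"], r["dest_ip"])].add(r["user_agent"])
    return sorted(k for k, v in uas.items() if len(v) == 1 and next(iter(v)) in OUTDATED_UAS)


def shared_cookies(rows, min_hosts=2):
    """Cookie values that recur from several source IPs to the same destination. A
    browser session cookie is per-user; a cookie hard-coded as a static header in a
    profile's client block is identical on every infected host."""
    srcs = defaultdict(set)
    for r in rows:
        srcs[(r["dest_ip"], r["cookie"])].add(r["src_ip"])
    return {k: sorted(v) for k, v in srcs.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("outdated UA pairs:", outdated_ua_hosts(rows))
    print("shared cookies:", shared_cookies(rows))
```

The cookie check only fires on profiles that set a static Cookie header; the default profile carries per-Beacon encrypted metadata in the cookie, so that value differs per host and only the User-Agent and URI consistency remain.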
Beacon Detection — Host Layer
Named Pipe Indicators
Cobalt Strike uses named pipes for the SMB Beacon peer-to-peer channel, for communication between Beacon and its post-exploitation jobs (screenshot, keylogger, port scan), and in Artifact Kit payloads. The pipe names are configurable in the Malleable profile (`pipename`, `pipename_stager`, and the post-ex block’s `pipename`), but the defaults are well-known.
| Named Pipe Pattern | Cobalt Strike Context | Detection |
|---|---|---|
| \\.\pipe\msagent_## | Default SMB Beacon peer-to-peer pipe (`pipename`) | Sysmon Event ID 17/18 (pipe created / connected) |
| \\.\pipe\postex_#### | Default post-exploitation job pipe (screenshot, keylogger, portscan) | Sysmon Event ID 17/18 |
|\\.\pipe\status_## | Default SMB stager pipe (`pipename_stager`) | Sysmon Event ID 17/18 |
| \\.\pipe\MSSE-####-server | Default Artifact Kit pipe used to hand shellcode to the loader | Sysmon Event ID 17/18 |
| \\.\pipe\mypipe-* | Alternative naming pattern used by some operators | Sysmon Event ID 17/18 |
Detection — named pipe creation (note the parentheses: without them AND binds tighter than OR and the EventCode=18 clause escapes the index and sourcetype filter):
```spl
index=windows sourcetype="WinEventLog:Sysmon" (EventCode=17 OR EventCode=18)
| eval pipe = lower(PipeName)
| where like(pipe, "%msagent_%") OR like(pipe, "%postex_%") OR like(pipe, "%status_%") OR like(pipe, "%mypipe-%") OR like(pipe, "%msse-%-server")
| eval alert = "Cobalt Strike named pipe detected: " . PipeName . " on " . Computer
| table _time, Computer, EventCode, Image, PipeName, alert
```
Process Injection Patterns
Cobalt Strike injects Beacon and its post-exploitation jobs into other processes using several techniques, with the defaults governed by the profile’s `process-inject` and `post-ex` blocks. Spawned jobs go into the `spawnto` process, which defaults to rundll32.exe launched with no command-line arguments; an argument-less rundll32.exe child of an unexpected parent is therefore a classic indicator. Common target processes:
| Target Process | Injection Method | Why Used |
|---|---|---|
| rundll32.exe | Default spawnto: shellcode injected into a freshly spawned, argument-less rundll32.exe | Microsoft-signed and ubiquitous, so it appears legitimate |
| explorer.exe | Process hollowing or PE injection | Parent of user processes; trusted by users and some EDR |
| svchost.exe | Process injection | Looks like normal Windows activity |
| notepad.exe | Process hollowing or remote thread injection | Benign-looking and rarely scrutinized, although notepad.exe opening network connections or spawning children is easy to flag |
| mshta.exe | HTA-based stager (older technique) | Script host, Microsoft-signed |
SPL — detect rundll32 spawned with no arguments or from a non-standard path (Security Event 4688; requires the "Include command line in process creation events" policy, otherwise use Sysmon Event ID 1 with the Image and CommandLine fields):
```spl
index=windows sourcetype="WinEventLog:Security" EventCode=4688 NewProcessName="*\\rundll32.exe"
| eval image_dir = lower(replace(NewProcessName, "\\\\[^\\\\]+$", ""))
| eval args = trim(replace(CommandLine, "^\"?[^\"]*rundll32[.]exe\"?", ""))
| where NOT (image_dir LIKE "%\\windows\\system32" OR image_dir LIKE "%\\windows\\syswow64") OR args=""
| eval reason = if(args="", "rundll32 with no arguments (default Beacon spawnto)", "rundll32 from non-standard path")
| eval alert = reason . " on " . Computer . " — possible Cobalt Strike injection"
| table _time, Computer, ParentProcessName, NewProcessName, CommandLine, reason, alert
```
Artifact Kit Detection
Cobalt Strike’s Artifact Kit generates payload executables (shellcode loaders). The default artifacts contain distinctive byte sequences that EDR and AV can detect.
| Artifact Type | Description | Detection Method |
|---|---|---|
| Reflective DLL loader | Beacon DLL that maps and relocates itself from memory, so no DLL file is written to disk | YARA on process memory (EDR / Velociraptor) matching the reflective loader export and stub |
| Shellcode runner | Loads the Beacon payload from an encrypted blob | Sysmon Event ID 7 (Image loaded) — unexpected DLL load |
| Win32 Executable artifact | Compiled shellcode stager | YARA — known Cobalt Strike header patterns |
| PowerShell stager | PowerShell script that downloads and executes Beacon | PowerShell ScriptBlock Logging (Event ID 4104) |
YARA rule — detect Cobalt Strike payload artifacts:
```yara
rule CobaltStrike_ReflectiveLoader
{
    meta:
        description = "Detects Cobalt Strike reflective DLL loader and default pipe-name artifacts in PE files"
        author = "WYZSec"
        reference = "Known Cobalt Strike artifact pattern"
    strings:
        $reflective = "ReflectiveLoader" ascii wide
        $beacon = "beacon" ascii wide nocase
        $pipename = "\\\\.\\pipe\\msagent" ascii wide nocase
        // opcode sequence carried over from the original rule; low confidence on its own,
        // validate against your own samples before relying on it
        $sleep = { 48 85 C0 74 05 48 8B 08 EB 03 48 8B 08 }
    condition:
        uint16(0) == 0x5A4D and filesize < 5MB and
        ($reflective or ($beacon and $pipename) or $sleep)
}
```
Use this with care: `ReflectiveLoader` is also exported by Meterpreter and many red-team loaders, so the first clause is a triage signal rather than a verdict, and the Malleable `stage` options (`stomppe`, `magic_mz_x64` and related settings) rewrite the in-memory PE header, so drop the MZ check when scanning process memory rather than files.
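The PowerShell stager row of the table is the one artifact an analyst can decode by hand. The added Python below (written for this page, not part of the original; the stager template is a structural stand-in for the shape of the Cobalt Strike PowerShell one-liner with the compressed blob replaced by a placeholder and no URL) decodes an `-EncodedCommand` argument from UTF-16LE base64, then tests the script text, which is also what Event ID 4104 records, for the MemoryStream/FromBase64String/GzipStream/IEX chain and the WebClient download-and-IEX pattern. The sample command lines are constructed.

```python
"""Decode PowerShell -EncodedCommand and flag Cobalt Strike stager idioms (added example)."""
import base64
import re

# Constructed stand-in for the Cobalt Strike PowerShell one-liner shape: base64 blob
# -> MemoryStream -> GzipStream decompress -> IEX. "AAAA" replaces the real payload.
STAGER_SCRIPT = ('$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("AAAA"));'
                 'IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream('
                 '$s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();')
BENIGN_SCRIPT = "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"

# Each indicator alone is weak; the chain is what identifies the stager.
INDICATORS = {
    "b64_memorystream": re.compile(r"IO\.MemoryStream\(\s*,\s*\[Convert\]::FromBase64String", re.I),
    "gzip_decompress": re.compile(r"GzipStream\(.*?CompressionMode\]::Decompress", re.I | re.S),
    "iex": re.compile(r"(?<![\w-])(IEX|Invoke-Expression)(?![\w-])", re.I),
    "webclient_download": re.compile(r"Net\.WebClient\)?\s*\.\s*Download(String|Data|File)", re.I),
}


def encode_command(script):
    """What the operator side does: -EncodedCommand takes base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(cmdline):
    """Return the script carried by -e/-ec/-enc/-EncodedCommand, or None if absent."""
    m = re.search(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(text):
    """Accept either a process command line (4688 / Sysmon 1) or script text (4104).
    Returns the script examined, the indicators hit and a stager verdict."""
    script = decode_command(text) or text
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(script))
    stager = ({"b64_memorystream", "gzip_decompress", "iex"} <= set(hits)
              or {"webclient_download", "iex"} <= set(hits))
    return {"script": script, "indicators": hits, "stager": stager}


# Constructed command lines: the stager shape, a benign scheduled script, a benign encoded command.
SAMPLE_CMDLINES = [
    "powershell -nop -w hidden -encodedcommand " + encode_command(STAGER_SCRIPT),
    "powershell -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell -e " + encode_command(BENIGN_SCRIPT),
]

if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        r = analyze(cmd)
        print(r["stager"], r["indicators"], r["script"][:60])
```

The `-e` prefix handling matters in practice: PowerShell accepts any unambiguous abbreviation of `-EncodedCommand`, and operators use `-e`, `-ec` and `-enc` interchangeably to sidestep naive string matches on the full switch name.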
C2 Detection — DNS Beacon
Cobalt Strike’s DNS Beacon is the low-and-slow alternative to HTTP/HTTPS. It checks in with A-record lookups and, depending on the mode the operator sets (`mode dns`, `mode dns6`, `mode dns-txt`), moves tasks and output over A, AAAA or TXT records. When no task is queued the team server answers the check-in with the profile’s `dns_idle` address, 0.0.0.0 by default, so a stream of A answers of 0.0.0.0 is itself a strong indicator. Because everything rides the host’s normal recursive resolver, the C2 server is never contacted directly; the signal is in the names, record types and answers.
DNS Beacon Patterns
| Signal | What to Look For |
|---|---|
| High TXT query volume | Beacon pulls tasks over TXT records in dns-txt mode; workstations rarely issue TXT queries at all, so per-host TXT counts are a clean baseline |
| Subdomain encoding | Beacon ID, request type and data are encoded into the leftmost labels beneath the C2 domain, so the full query name changes on almost every request; the default mode prefixes (cdn., www6., api., www., post.) are set in the Malleable `dns-beacon` block |
| Regular DNS intervals | Queries to one registered domain at regular time intervals, following the beacon sleep cycle |
| Idle answers | A-record answers of 0.0.0.0 (or another fixed `dns_idle` value) repeated on every check-in |
| Direct external DNS | DNS Beacon itself uses the host’s configured resolver, so a workstation sending queries straight to an external DNS server on 53/udp is a separate anomaly worth its own alert |
Detection — DNS Beacon analysis grouped by client and registered domain (the two-label parent extraction below is naive; replace it with a public-suffix lookup in production):
```spl
index=zeek sourcetype=dns.log
| rex field=query "(?<parent>[^.]+\.[^.]+)$"
| eval label_len = len(mvindex(split(query, "."), 0))
| eval is_txt = if(qtype_name="TXT", 1, 0)
| eval zero_answer = if(match(answers, "(^|,)0\\.0\\.0\\.0"), 1, 0)
| stats count, dc(query) as distinct_names, sum(is_txt) as txt_count, sum(zero_answer) as zero_answers, avg(label_len) as avg_label_len by id.orig_h, parent
| where count > 10 AND (txt_count/count > 0.25 OR zero_answers/count > 0.5 OR (distinct_names/count > 0.9 AND avg_label_len > 20))
| eval alert = "Possible DNS beacon: " . count . " queries to " . parent . " from " . 'id.orig_h' . " (" . distinct_names . " distinct names, " . txt_count . " TXT, " . zero_answers . " answers of 0.0.0.0)"
| table id.orig_h, parent, count, distinct_names, txt_count, zero_answers, avg_label_len, alert
| sort - count
```
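The same profiling over a constructed Zeek dns.log, as an added Python example (written for this page, not part of the original and not Zeek code). One host mimics a DNS Beacon at a 60-second sleep with A check-ins answered 0.0.0.0 and periodic TXT pulls under unique hex labels; another resolves three ordinary names repeatedly. The domain names, IPs and thresholds are assumptions chosen for the sample.

```python
"""DNS Beacon profiling over a constructed Zeek dns.log (added example)."""
import math
import statistics
from collections import Counter, defaultdict


def constructed_dns_log():
    """Hand-built dns.log in Zeek TSV form. 10.0.0.5 mimics a DNS Beacon with sleep 60:
    A check-ins answered 0.0.0.0 (the dns_idle default) and TXT task pulls every fourth
    query, each under a unique hex label. 10.0.0.7 resolves three ordinary names."""
    rows = ["#fields\tts\tid.orig_h\tquery\tqtype_name\tanswers"]
    t = 1700000000.0
    for i in range(12):
        label = f"{0x49A1B2C3 + i * 0x1111:08x}"
        if i % 4 == 3:
            rows.append(f"{t}\t10.0.0.5\t{label}.api.c2-example.test\tTXT\t-")
        else:
            rows.append(f"{t}\t10.0.0.5\t{label}.cdn.c2-example.test\tA\t0.0.0.0")
        t += 60
    names = [("www.example.test", "198.51.100.7"), ("mail.example.test", "198.51.100.8"),
             ("cdn.example.test", "198.51.100.9")]
    for i in range(12):
        q, a = names[i % 3]
        rows.append(f"{t + i * 37}\t10.0.0.7\t{q}\tA\t{a}")
    return "\n".join(rows) + "\n"


def parse_dns_log(text):
    """Minimal Zeek TSV reader driven by the #fields header."""
    fields, recs = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            recs.append(dict(zip(fields, line.split("\t"))))
    return recs


def registered_domain(query):
    # Naive: last two labels. Use a public-suffix list in production (co.uk and friends).
    return ".".join(query.rstrip(".").split(".")[-2:])


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def profile(recs, min_queries=10):
    """Per (client, registered domain): volume, name churn, TXT share, idle answers and
    entropy of the leftmost label. Any one of the three conditions flags the pair."""
    groups = defaultdict(list)
    for r in recs:
        groups[(r["id.orig_h"], registered_domain(r["query"]))].append(r)
    out = {}
    for key, rs in groups.items():
        n = len(rs)
        distinct = len({r["query"] for r in rs})
        txt = sum(r["qtype_name"] == "TXT" for r in rs)
        idle = sum(r["answers"].split(",")[0] == "0.0.0.0" for r in rs)
        ent = statistics.fmean(shannon_entropy(r["query"].split(".")[0]) for r in rs)
        out[key] = {
            "count": n, "distinct_names": distinct, "txt": txt, "idle_answers": idle,
            "label_entropy": ent,
            "suspect": n >= min_queries and (
                idle / n >= 0.5 or txt / n >= 0.25 or (distinct / n >= 0.9 and ent > 2.5)),
        }
    return out


if __name__ == "__main__":
    for (host, dom), p in profile(parse_dns_log(constructed_dns_log())).items():
        print(host, dom, p)
```

The browsing host also issues twelve queries, so a raw count threshold alone would not separate the two; it is the name churn (three names versus twelve), the TXT share and the idle answers that do.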
Detection Reference Table
| Detection Layer | Signal | Source | Reliability |
|---|---|---|---|
| Network | Regular beacon timing | Zeek conn.log / NetFlow | Medium — legitimate apps also beacon |
| Network | Known JA3/JA3S hash | Zeek ssl.log | High when it matches; profile and TLS stack changes alter it, and JA3S is the more stable side |
| Network | HTTP header anomalies | Proxy logs / Zeek http.log | Medium — depends on profile knowledge |
| Network | DNS TXT anomalies | Zeek dns.log | High — DNS beacons are rare in normal traffic |
| Host | Named pipe creation (msagent_*, postex_*, status_*, MSSE-*-server) | Sysmon Event ID 17/18 | Very High for default names; trivially renamed in the profile |
| Host | Argument-less or oddly parented rundll32 | Windows 4688 / Sysmon Event ID 1 | Medium; many tools trigger this |
| Host | Process injection indicators | Sysmon Event ID 8 / 10 | High — requires correlation |
| Host | YARA signature on memory | EDR / Velociraptor | High — signature-dependent |
| Host | PowerShell stager artifacts | Event ID 4104 | High — ScriptBlock Logging |
| Behavioral | Beacon + named pipe + process injection | Multi-source correlation | Very High — the full chain |
Mitigation and Hardening
| Control | What It Blocks | Priority |
|---|---|---|
| PowerShell ScriptBlock Logging (4104), Module Logging and AMSI enabled | Makes PowerShell stagers visible even when encoded or obfuscated, and lets AV/EDR scan the de-obfuscated script content | Critical |
| Sysmon with a configuration covering Event IDs 1, 3, 7, 8, 10, 17 and 18 | Logs process creation, network connections, image loads, remote thread creation, process access and named pipes | Critical |
| Deploy EDR with behavioral detection | Detects beacon behavior, not just signatures | High |
| Egress filtering (DNS, HTTP/HTTPS inspection) | Blocks unknown C2 protocols and channels | High |
| Application allowlisting (WDAC / AppLocker) | Constrains rundll32/mshta/regsvr32 and unsigned loaders from being used for code execution | Medium |
| Network segmentation | Limits lateral movement after initial Beacon execution | Medium |
Related
- RITA — detection and response for T1071 techniques
- Sysmon — detection and response for T1654 techniques
- Common Ports and Protocols — covers the common ports and protocols concepts
- DNS — detection and response for T1572, T1568 techniques
- EDR Basics — detection and response for T1059, T1003, T1055, T1204, T1562 techniques
