{
	"id": "c2201d19-0dc2-4111-9bdf-ddadff9fb769",
	"created_at": "2026-04-06T00:06:33.468814Z",
	"updated_at": "2026-04-10T03:37:32.936914Z",
	"deleted_at": null,
	"sha1_hash": "45213dc42215f5e804142c9d8bca148d8a8f4259",
	"title": "Detecting Cobalt Strike Beacons",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1393700,
	"plain_text": "Detecting Cobalt Strike Beacons\r\nBy SOCFortress\r\nPublished: 2022-02-20 · Archived: 2026-04-05 19:04:00 UTC\r\nIntroduction\r\nCobalt Strike is a commercial tool for adversary simulation. Created by Raphael Mudge in 2012, Cobalt Strike was one of the first public red team command and control frameworks. It’s also used by threat actors, and the first activity detected for malicious purposes dates back to 2016.\r\nThe main components of Cobalt Strike are a C2 server and a beacon installed on compromised machines. The Cobalt Strike beacon comes with a number of capabilities, including a command-line interface. The beacon allows the execution of scripts, or of commands native to the machine’s operating system.\r\nCobalt Strike is known to be used for malicious purposes by more than 50 threat actor groups. Its use is very common in ransomware attacks.\r\nIn terms of beacon types and methods used for connecting to the C2 servers, the most common are HTTP (~67%), HTTPS (~29%) and DNS (~3%). Jitter configured in the beacon to avoid detection was seen in roughly 15% of all the beacons analysed.\r\nWhen it comes to spawning, around 90% of all beacons analysed were spawning rundll32.exe as the main process for lateral movement.\r\nSophisticated attacks using Cobalt Strike beacons, like Nobelium’s use of Cobalt Strike linked to the SolarWinds campaign, try to evade detection by fine-tuning many of the configurable options.\r\nPREVENTION, DETECTION AND RESPONSE TOOLS\r\nStatic file hash analysis: Windows Defender.\r\nEndpoint telemetry: Sysmon (Sysinternals).\r\nEDR agent and SIEM: Wazuh.\r\nThreat intel platform: MISP.\r\nPREVENTION.\r\nhttps://socfortress.medium.com/detecting-cobalt-strike-beacons-3f8c9fdcb654\r\nPage 1 of 9\r\nMany of the Cobalt Strike beacons in the wild, and the additional payloads downloaded as part of the attack chain, are going to be flagged and removed by Windows Defender via local file analysis (file hash) or its real-time analysis engine.\r\nFrom a prevention point of view some key points are:\r\nCollecting, reviewing and alerting on Windows Defender settings not matching minimum criteria (real-time protection enabled, excluded extensions, excluded folders, removable media, etc.). Deploy an inventory collection script (more info here) and alert on inadequate settings.\r\nWindows Defender Settings\r\nEnsuring that the antimalware platform is running and in a healthy state.\r\nInformation level events — Process running and in healthy state\r\nEnsuring that Windows Defender is successfully downloading and updating the latest file signatures.\r\nInformation level events — Signatures Updated\r\nEnsuring that periodic scans are run in all agents and completed successfully.\r\nInformation level events — Periodic scans\r\nDETECTION.\r\nNetwork Activity\r\nCommunication to C2 server:\r\nSuspicious processes (“winlogon.exe”, “rundll32.exe”, etc.) opening network connections to public IP addresses.\r\nDetection Logic\r\nKeep track of and alert on unusual (least seen) processes opening network connections, paying special attention to HTTP, HTTPS and DNS outbound connections. Sysmon (event ID 3) provides all the required telemetry:\r\nNetwork Activity — Least Seen Processes\r\nVisualisations such as network maps linking Process — DST IP — Connection port can help to quickly identify anomalies:\r\nNetwork Activity — Process Map\r\nKeep track of downloaded payloads (.js files, .gif files, etc.). Sysmon (Event ID 15) provides this telemetry.\r\nNetwork Activity — Sysmon Event 15\r\nSend relevant observables (DNS requests, destination IPs, file hashes of downloaded files) to security feeds/threat intel platform to identify IoCs related to these observables. More info here.\r\nProcess Activity.\r\nrundll32.exe:\r\nUsed in lateral movement by Cobalt Strike beacons: rundll32.exe being spawned by another process, with no arguments in its command line.\r\nDetection Logic\r\nKeep track of and alert on unusual processes spawning rundll32.exe.\r\nProcesses Spawning Rundll32.exe\r\nUsed in post-exploitation in Cobalt Strike related attacks: rundll32.exe spawning processes like Adfind.exe, Net.exe, or any other Windows processes used for system, service or network discovery.\r\nParent Process Spoofing:\r\nParent process spoofing is a common technique used by Cobalt Strike beacons. With this technique the beacon tries to evade common detection methods, such as alerting on processes related to the Office suite launching unusual child processes.\r\nCobalt Strike beacons often spoof processes like “word.exe” or “excel.exe” as “explorer.exe”, so that when the child process is launched the telemetry reported by the EDR agent makes the detection of unusual process chains difficult.\r\nDetection Logic\r\nKeep track of unique file hashes (process image) and their mapping to process image name and location. Spoofed processes will have the same process name but a different file hash, and will possibly be executed from an unusual location.\r\nUNIQUE RELATIONSHIP PROCESS FILE HASH — PROCESS EXECUTED\r\nSend relevant observables (file hash of the executed file image) to security feeds/threat intel platform to identify IoCs related to these observables. More info here.\r\nPowerShell execution (and command line arguments).\r\nSuspicious command line arguments used:\r\nnop, hidden, encodedcommand, nologo, noprofile\r\nThe “encodedcommand” (base64) can be extracted and its literal content further analysed, looking for commands like “Net.Webclient”, “Invoke-WebRequest”, etc., commonly used for lateral movement on the source machine.\r\nOn the destination machine, a common detection is spotting PowerShell executions where the parent process = “wsmprovhost.exe” and the command line = “-Version 5.1 -s -nologo -noprofile”.\r\nDetection Logic\r\nDetection rule to spot PowerShell executions with the encodedcommand command line argument and decode the content of the base64 string to “clear text”. Include the decoded command as an additional alert in the Wazuh manager.\r\nMemory artifacts / Process Injection.\r\nDownloaded payloads try to execute within the memory space of “Rundll32.exe”.\r\nDetection Logic\r\nKeep track of and alert on unsigned DLLs, or DLLs without a valid certificate, loaded into memory. Sysmon (Event ID 7) provides this telemetry:\r\nUnsigned DLLs loaded in memory.\r\nVisualisations such as DLL side loading maps linking Process — DLL — DLL vendor can help to quickly identify anomalies:\r\nProcess and DLL side loading map.\r\nSend relevant observables (DLL file hash) to security feeds/threat intel platform to identify IoCs related to these observables. More info here.\r\nLateral Movement.\r\nPSEXEC is one of the most common processes used by Cobalt Strike beacons for lateral movement.\r\nPSEXEC is used to drop a payload in a shared folder (normally ADMIN$) and then to start a new service on the target machine that executes that payload. The payload will spawn another process and finally the remote service is removed.\r\nDetection Logic\r\nDetection rules based on frequency, alerting on service creation/modification/deletion activity:\r\nSystem Services Activity and Telemetry.\r\nKeep track of and alert on unusual executables launched by services.exe.\r\nSend relevant observables (process file hash) to security feeds/threat intel platform to identify IoCs related to these observables. More info here.\r\nSource: https://socfortress.medium.com/detecting-cobalt-strike-beacons-3f8c9fdcb654",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://socfortress.medium.com/detecting-cobalt-strike-beacons-3f8c9fdcb654"
	],
	"report_names": [
		"detecting-cobalt-strike-beacons-3f8c9fdcb654"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433993,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/45213dc42215f5e804142c9d8bca148d8a8f4259.pdf",
		"text": "https://archive.orkl.eu/45213dc42215f5e804142c9d8bca148d8a8f4259.txt",
		"img": "https://archive.orkl.eu/45213dc42215f5e804142c9d8bca148d8a8f4259.jpg"
	}
}