{ "id": "af6b7b81-2082-4d38-973f-f837537248f2", "created_at": "2026-04-06T00:22:15.993314Z", "updated_at": "2026-04-10T03:35:12.501039Z", "deleted_at": null, "sha1_hash": "a46a79e85727c76e44c1035906ed9e24e1b4188a", "title": "Getting the Bacon from Cobalt Strike's Beacon | CrowdStrike", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1806277, "plain_text": "Getting the Bacon from Cobalt Strike's Beacon | CrowdStrike\r\nBy Kareem Hamdan and Lucas Miller\r\nArchived: 2026-04-05 23:11:19 UTC\r\nIn recent months, CrowdStrike® Services has observed a continued increase in the use of Cobalt Strike by eCrime and\r\nnation-state adversaries to conduct their operations following the initial access to victims’ environments. Cobalt Strike is a\r\ncommercially available post-exploitation framework developed for adversary simulations and red team operations and\r\nfeatures an easy-to-use interface. Although the vendor uses processes and technology measures in an effort to limit\r\ndistribution of Cobalt Strike to security professionals, adversaries have also been observed using Cobalt Strike. In the\r\nCrowdStrike 2020 Threat Hunting Report, The Falcon OverWatch team reported Cobalt Strike as the #2 most common\r\npenetration testing tool observed in the first half of 2020. A common feature used by adversaries is the Cobalt Strike\r\nframework client agent, known as Beacon. The Beacon client agent is executed in the memory space of a compromised\r\nsystem, typically leaving minimal on-disk footprints. This blog discusses CrowdStrike’s research and testing of Cobalt\r\nStrike’s Beacon in an isolated Active Directory domain to identify host-based indicators generated from the use of this tool.\r\nThis blog also enumerates and provides an explanation of host-based artifacts generated as a result of executing specific\r\nbuilt-in Beacon commands. The artifacts can be used to create detection and prevention signatures in Windows\r\nenvironments, aiding in the positive identification of remnants of Beacon execution.\r\nBeacon Behavior Summary\r\nAdversaries often execute a variety of Beacon commands once they establish a foothold within an environment. Beacon\r\ncommands can be used to spawn other Beacons on additional systems accessible to the initial Beacon, effectively furthering\r\npersistence in the target environment. Beacons can also be leveraged for remote access and execution.\r\nThe execution of the commands highlighted in this blog will generate a variety of Windows security events\r\ndepending on the context of the command: The Beacon commands jump psexec and jump psexec_psh will\r\ngenerate an EID 7045 (Service Installation) from System.evtx .\r\nThe additional commands will generate an EID 400 event log (PowerShell Engine Startup) from Windows\r\nPowerShell.evtx .\r\nThe majority of PowerShell Engine Startup events generated by Cobalt Strike will have the HostApplication field begin\r\nwith a command prefix. With the default configuration that command prefix is powershell -nop -exec -bypass -\r\nEncodedCommand . Although this prefix is configurable, CrowdStrike has observed adversaries leverage the default\r\nconfiguration in multiple incident response (IR) engagements.\r\nBeacon Commands\r\nAs part of our research, CrowdStrike Services evaluated the following Beacon commands, which are encountered frequently\r\nin incident response engagements:\r\npowershell and powershell-import\r\npowerpick\r\njump psexec\r\njump psexec_psh\r\njump winrm\r\nremote-exec wmi\r\nremote-exec powershell\r\nIn the following sections we’ll review the purpose behind each of these commands, and the artifacts generated that may be\r\nuseful for security analysts and threat hunters.\r\nThe powershell and powershell-import Commands\r\nBoth of these commands have a similar aim: to allow the user to execute PowerShell scripts on the target system. The\r\npowershell Beacon command executes commands written in PowerShell within the Cobalt Strike framework. When a red\r\nteamer or an adversary executes a command within a Beacon session, the operating system will generate an EID 400 event\r\nlog (PowerShell Engine Startup) on the system that the command is executed on. The powershell-import Beacon\r\ncommand imports a PowerShell script into the Beacon session. In several WastedLocker ransomware attacks, CrowdStrike\r\nServices\u003c1\u003e observed evidence of the network discovery tool PowerView imported by adversaries shortly after establishing\r\na Beacon on a compromised system. The file system artifacts that are generated will vary depending on whether the\r\npowershell command is executed before or after the powershell-import command.\r\nArtifacts generated before powershell-import\r\nhttps://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/\r\nPage 1 of 9\n\nFigure 1 shows an example of the EID 400 event log generated by the execution of the powershell command before a\r\nscript has been imported with powershell-import . The base64 encoded command decodes to ls, the command that was\r\nexecuted via the powershell command.\r\nObservations of powershell before powershell-import :\r\nThe HostApplication field is set to powershell -nop -exec -bypass -EncodedCommand \u003cbase64-encoded-command\u003e\r\nThe Base64 encoded command decodes to the \u003ccommand\u003e executed\r\nFigure 1. Artifact generated by the powershell command before powershell-import is executed (click image to enlarge)\r\nAn example of the observed artifact as shown in Figure 1:\r\nHostApplication=powershell -nop -exec Bypass -EncodedCommand bABzAA== Decoded Base64 Command: ls\r\nArtifacts generated after powershell-import\r\nFigure 2, shows an example of the EID 400 generated on the compromised system after execution of the powershell\r\ncommand after a script was imported with powershell-import. The base64 encoded command decodes to IEX (New-Object\r\nNet.Webclient).DownloadString('http://127.0.0.1:22426/'); ls . The IEX (New-Object\r\nNet.Webclient).DownloadString('http://127.0.0.1:22426/') component of the base64 encoded command is how Cobalt Strike\r\nmanages imported PowerShell scripts within a Beacon session. The rest of the command, after the DownloadString\r\ncomponent, is the PowerShell command run by the adversary.\r\nObservations from powershell after powershell-import :\r\nThe HostApplication field is set to powershell -nop -exec -bypass -EncodedCommand \u003cbase64-encoded-command\u003e\r\nThe base64 encoded command decodes to IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:\r\n\u003cephemeral-port-number\u003e/'); \u003ccommand\u003e\r\nhttps://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/\r\nPage 2 of 9\n\nFigure 2. Artifact generated by the powershell command after powershell-import is executed (click image to enlarge)\r\nAn example of the observed artifact as shown in Figure 2:\r\nHostApplication=powershell -nop -exec Bypass -EncodedCommand\r\nSQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAO\r\nBase64 Command: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:24192/'); ls\r\nThe powerpick Command\r\nThe powerpick Beacon command executes unmanaged PowerShell on a compromised system. It provides a way to execute\r\na PowerShell command without invoking powershell.exe . When a red teamer or adversary executes the powerpick\r\ncommand through a Beacon session, the filesystem will generate an EID 400 event log (PowerShell Engine Startup) on the\r\ncompromised system. CrowdStrike observed that the EID 400 event log generated by executing the powerpick command\r\nwill contain a mismatch between the version number in the HostVersion and EngineVersion event log fields. The event\r\ngenerated will also have the path to the rundll32.exe executable in the HostApplication field, as it is the default\r\nprogram that a Beacon will use to create a new process.\r\nObservations of powerpick :\r\nHostName field is set to ConsoleHost\r\nHostApplication field is set to the file path of rundll32.exe\r\nThe HostVersion and EngineVersion fields are set to different values\r\nhttps://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/\r\nPage 3 of 9\n\nFigure 3. Artifact generated by the powerpick Beacon command when executed (click image to enlarge)\r\nAn example of the observed artifact as shown in Figure 3:\r\nHostName=ConsoleHost HostApplication=C:\\windows\\sysnative\\rundll32.exe HostVersion=1.0\r\nEngineVersion=5.1.17763.1\r\nThe jump psexec Command\r\nThe jump psexec Beacon command establishes an additional Beacon on a remote system. When an adversary executes the\r\njump psexec command through a Beacon session, the filesystem will generate an EID 7045 event log (Service Installation)\r\non the remote system.\r\nObservations of jump psexec :\r\nThe Service Name field is set to \u003c7-alphanumeric-characters\u003e\r\nThe Service File Name field is set to \\\\127.0.0.1\\ADMIN$\\\u003c7-alphanumeric-characters\u003e.exe\r\nFigure 4. Artifact generated by the jump psexec Beacon command when executed on the remote system prior to version\r\n4.1 of Cobalt Strike (click image to enlarge)\r\nAn example of the observed artifact as shown in Figure 4:\r\nService Name: af5ce43 Service File Name: \\\\127.0.0.1\\ADMIN$\\af5ce43.exe\r\nhttps://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/\r\nPage 4 of 9\n\nBy default, events generated by the jump psexec Beacon command using versions of Cobalt Strike prior to version 4.1 will\r\nhave the 127.0.0.1 localhost string in the value of the “Service File Name,” an example of this is\r\n\\\\127.0.0.1\\ADMIN$\\7f5747a.exe . Events generated with version 4.1+ of Cobalt Strike will contain the destination\r\ncomputer’s IP address in the “Service File Name” by default and an example of this is \\\\10.0.0.16\\ADMIN$\\9a845c4.exe .\r\nIn that example 10.0.0.16 is the IP address assigned to the target system.\r\nObservations of jump psexec after version 4.1 of Cobalt Strike:\r\nThe Service Name field is set to \u003c7-alphanumeric-characters\u003e\r\nThe Service File Name field is set to \\\\\u003cSystem-IPAddress\u003e\\ADMIN$\\\u003c7-alphanumeric-characters\u003e.exe\r\nFigure 5. Artifact generated by the jump psexec Beacon command when executed on the remote system created by version\r\n4.1+ of Cobalt Strike (click image to enlarge)\r\nThe jump psexec_psh Command\r\nThe jump psexec_psh command establishes an additional Beacon on a remote system via the Windows Service Control\r\nManager. The jump_psexec command creates and starts a service that executes a base64 encoded PowerShell Beacon\r\nstager, which generates an EID 7045 event log (Service Installation) on the remote system. The EID 7045 event log created\r\nby the jump psexec_psh command has a seven-character alphanumeric value for the “Service Name” field of the created\r\nevent. The “Service File Name” field starts with the default Cobalt Strike prefix for PowerShell services %COMSPEC% /b /c\r\nstart /b /min powershell -nop -w hidden -encodedcommand .\r\nObservations of jump psexec_psh :\r\nThe Service Name field is set to \u003c7-alphanumeric-characters\u003e\r\nThe Service File Name field is set to %COMSPEC% /b /c start /b /min powershell -nop -w hidden -\r\nencodedcommand \u003cbase64-encoded-command\u003e\r\nThe base64 encoded command decodes to a PowerShell stager for a Cobalt Strike Beacon\r\nhttps://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/\r\nPage 5 of 9\n\nFigure 6. Artifact generated by the jump psexec_psh Beacon command when executed on the remote system (click image\r\nto enlarge)\r\nAn example of the observed artifact as shown in Figure 6:\r\nService Name: 9df3724 Service File Name: %COMSPEC% /b /c start /b /min powershell -nop -w hidden -\r\nencodedcommand JABzA\u003cRedacted\u003e\r\nThe jump winrm Command\r\nThe jump winrm Beacon command establishes a Beacon on a remote system utilizing the Windows Remote Management\r\n(WinRM) interface (native on all Windows devices). When the jump winrm Beacon command is executed by an adversary\r\nthrough a Beacon session, the filesystem will generate an EID 400 event log (PowerShell Engine Startup) on the\r\ncompromised system. The event created will contain the Cobalt Strike PowerShell command prefix in the\r\nHostApplication field. The generated event is not affected by the usage of any of the PowerShell-related Beacon\r\ncommands.\r\nObservations of jump winrm on the compromised system:\r\nThe HostApplication field is set to powershell -nop -exec -bypass -EncodedCommand \u003cbase64-encoded-command\u003e\r\nThe base64 encoded command decodes to IEX (New-Object Net.Webclient).DownloadString(‘http://127.0.0.1:\r\n\u003cephemeral-port-number\u003e/’)\r\nFigure 7. Artifact generated by the jump winrm Beacon command when executed, on the compromised system (click image\r\nto enlarge)\r\nhttps://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/\r\nPage 6 of 9\n\nAn example of the observed artifact as shown in Figure 7:\r\nHostApplication=powershell -nop -exec bypass -EncodedCommand\r\nSQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAO\r\nBase64 Command: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:28345/')\r\nIf a WinRM listener is not present on the remote system when the jump winrm command is executed, Cobalt Strike will\r\ncreate an EID 400 event log on the remote system, as shown in Figure 7.\r\nObservations of an event created by jump winrm on the remote system:\r\nThe HostApplication field is set to \u003cpath-to-PS-executable\u003e -Version \u003cPS-Version\u003e -s -NoLogo -NoProfile\r\nFigure 8. Artifact generated by the jump winrm Beacon command when executed on the remote system (click image to\r\nenlarge)\r\nAn example of the observed artifact as shown in Figure 8:\r\nHostApplication=c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe -Version 5.1 -s -NoLogo -NoProfile\r\nThe remote-exec wmi Command\r\nThe remote-exec wmi Beacon command executes a command on a remote system via WMI. When the remote-exec wmi\r\ncommand is executed, the filesystem will generate an EID 400 event log (PowerShell Engine Startup) on the compromised\r\nsystem with the standard Cobalt Strike PowerShell command prefix in the HostApplication field.\r\nObservations of remote-exec wmi :\r\nThe HostApplication field is set to powershell -nop -exec Bypass -EncodedCommand \u003cbase64-encoded-command\u003e\r\nThe base64 encoded command decodes to Invoke-WMIMethod win32_process -name create -argumentlist\r\n'\u003ccommand\u003e' -ComputerName \u003ctarget\u003e\r\nhttps://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/\r\nPage 7 of 9\n\nFigure 9. Artifact generated by the remote-exec wmi Beacon command when executed on the compromised system (click\r\nimage to enlarge)\r\nAn example of the observed artifact as shown in Figure 9:\r\nHostApplication=powershell -nop -exec Bypass -EncodedCommand\r\nSQBuAHYAbwBrAGUALQBXAE0ASQBNAGUAdABoAG8AZAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAG4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AYQByAGcAdQBtAGUAb\r\nBase64 Command: Invoke-WMIMethod win32_process -name create -argumentlist 'whoami' -ComputerName WIN10\r\nThe remote-exec powershell Command\r\nThe remote-exec powershell Beacon command executes a command on a remote system via PowerShell remoting from a\r\ncompromised system. When the remote-exec powershell command is executed, the filesystem will generate an EID 400\r\nevent log (PowerShell Engine Startup) on the compromised system. The event created will contain the standard Cobalt\r\nStrike PowerShell command prefix in the HostApplication field.\r\nObservations of remote-exec powershell :\r\nThe HostApplication field is set to powershell -nop -exec Bypass -EncodedCommand \u003cbase64-encoded-command\u003e\r\nThe Base64 encoded command decodes to Invoke-Command -ComputerName \u003ctarget\u003e -ScriptBlock { \u003ccommand\u003e }\r\nFigure 10. Artifact generated by the remote-exec powershell Beacon command when executed on the compromised\r\nsystem (click image to enlarge)\r\nAn example of the observed artifact as shown in Figure 10:\r\nhttps://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/\r\nPage 8 of 9\n\nHostApplication=powershell -nop -exec Bypass -EncodedCommand\r\nSQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAALQBDAG8AbQBwAHUAdABlAHIATgBhAG0AZQAgADEAMAAuADAALgAwAC4AMQAwACAALQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAI\r\nBase64 Command: Invoke-Command -ComputerName 10.0.0.10 -ScriptBlock { whoami }\r\nConclusions\r\nAlthough Cobalt Strike provides the operator a degree of freedom to configure some of the previously mentioned\r\ncommands, those features are not always leveraged by adversaries. Due to the high prevalence of Cobalt Strike in\r\ncontemporary intrusions, CrowdStrike recommends collecting EID 400 (PowerShell Engine Startup) and EID 7045 event\r\nlogs (Service Installation) for monitoring and alerting in a centralized security information and event management (SIEM)\r\nplatform. CrowdStrike also recommends upgrading to the most recent version of PowerShell and disabling previous\r\nversions, as PowerShell is backward compatible. While these additional security measures do not provide full visibility into\r\nCobalt Strike activity, they can aid in its detection. \u003c1\u003e CrowdStrike has previously reported on adversaries that use Cobalt\r\nStrike, such as COBALT SPIDER.\r\nAdditional Resources\r\nLearn more about the CrowdStrike Services team and how it can help your organization improve your cybersecurity\r\nreadiness.\r\nRead about the powerful CrowdStrike Falcon® platform by visiting the webpage.\r\nTest CrowdStrike next-gen AV for yourself. Start your free trial of Falcon Prevent™ today.\r\nSource: https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/\r\nhttps://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/\r\nPage 9 of 9", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/" ], "report_names": [ "getting-the-bacon-from-cobalt-strike-beacon" ], "threat_actors": [ { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "220e1e99-97ab-440a-8027-b672c5c5df44", "created_at": "2022-10-25T16:47:55.773407Z", "updated_at": "2026-04-10T02:00:03.649501Z", "deleted_at": null, "main_name": "GOLD KINGSWOOD", "aliases": [ "Cobalt Gang ", "Cobalt Spider " ], "source_name": "Secureworks:GOLD KINGSWOOD", "tools": [ "ATMSpitter", "Buhtrap", "Carbanak", "Cobalt Strike", "CobtInt", "Cyst", "Metasploit", "Meterpreter", "Mimikatz", "SpicyOmelette" ], "source_id": "Secureworks", "reports": null }, { "id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51", "created_at": "2022-10-25T16:07:23.474746Z", "updated_at": "2026-04-10T02:00:04.623746Z", "deleted_at": null, "main_name": "Cobalt Group", "aliases": [ "ATK 67", "Cobalt Gang", "Cobalt Spider", "G0080", "Gold Kingswood", "Mule Libra", "TAG-CR3" ], "source_name": "ETDA:Cobalt Group", "tools": [ "ATMRipper", "ATMSpitter", "Agentemis", "AmmyyRAT", "AtNow", "COOLPANTS", "CobInt", "Cobalt Strike", "CobaltStrike", "Cyst Downloader", "Fareit", "FlawedAmmyy", "Formbook", "Little Pig", "Metasploit Stager", "Mimikatz", "More_eggs", "NSIS", "Nullsoft Scriptable Install System", "Pony Loader", "Ripper ATM", "SDelete", "Siplog", "SoftPerfect Network Scanner", "SpicyOmelette", "Taurus Builder", "Taurus Builder Kit", "Taurus Loader", "Terra Loader", "ThreatKit", "VenomKit", "cobeacon", "win.xloader" ], "source_id": "ETDA", "reports": null }, { "id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242", "created_at": "2022-10-25T15:50:23.744036Z", "updated_at": "2026-04-10T02:00:05.294413Z", "deleted_at": null, "main_name": "Cobalt Group", "aliases": [ "Cobalt Group", "GOLD KINGSWOOD", "Cobalt Gang", "Cobalt Spider" ], "source_name": "MITRE:Cobalt Group", "tools": [ "Mimikatz", "More_eggs", "SpicyOmelette", "SDelete", "Cobalt Strike", "PsExec" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434935, "ts_updated_at": 1775792112, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a46a79e85727c76e44c1035906ed9e24e1b4188a.pdf", "text": "https://archive.orkl.eu/a46a79e85727c76e44c1035906ed9e24e1b4188a.txt", "img": "https://archive.orkl.eu/a46a79e85727c76e44c1035906ed9e24e1b4188a.jpg" } }