security analyst security skill risk: medium
Cobalt Strike Beacon Network Detection
The prompt provides steps to detect Cobalt Strike beacons via TLS certificate analysis, beacon interval analysis, HTTP profile matching, and multi-indicator scoring using Zeek logs…
SKILL 4 files · 2 folders
SKILL.md
--- name: hunting-for-cobalt-strike-beacons description: "Detect Cobalt Strike beacon network activity using default TLS certificate signatures (serial 8BB00EE), JA3/JA3S/JARM" --- # Hunting for Cobalt Strike Beacons ## Overview Cobalt Strike is the most prevalent command-and-control framework used by both red teams and threat actors. Beacon, its primary payload, communicates with team servers using configurable HTTP/HTTPS/DNS profiles that can mimic legitimate traffic. However, default configurations and behavioral patterns remain detectable through TLS certificate analysis (default serial 8BB00EE), JA3/JA3S fingerprinting, beacon interval jitter analysis, and HTTP malleable profile pattern matching. This skill covers building detection capabilities using Zeek network logs, Suricata IDS rules, and Python-based PCAP analysis to identify beacon callbacks in network traffic. ## When to Use - When investigating security incidents that require hunting for cobalt strike beacons - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Zeek 6.0+ with JA3 and HASSH packages installed - Suricata 7.0+ with Emerging Threats ruleset - Python 3.9+ with scapy and dpkt libraries - Network traffic captures (PCAP) or live Zeek logs - RITA (Real Intelligence Threat Analytics) for beacon scoring - Threat intelligence feeds with known Cobalt Strike IOCs ## Steps ### Step 1: TLS Certificate Analysis Detect default Cobalt Strike certificates using JA3S fingerprints, certificate serial numbers, and JARM fingerprints in Zeek ssl.log. ### Step 2: Beacon Interval Analysis Analyze connection timing patterns to identify regular callback intervals with configurable jitter, characteristic of beacon behavior. ### Step 3: HTTP Profile Detection Match HTTP request patterns (URI paths, headers, user-agents) against known malleable C2 profiles. ### Step 4: Correlate and Score Combine multiple indicators (TLS + timing + HTTP profile) into a composite beacon confidence score. ## Expected Output JSON report containing detected beacon candidates with confidence scores, TLS fingerprints, timing analysis, HTTP profile matches, and recommended response actions.
REQUIRED CONTEXT
- Zeek logs or PCAPs
- Suricata ruleset
OPTIONAL CONTEXT
- threat intel IOCs
EXPECTED OUTPUT
- Format
- structured_report
- Schema
- json_schema · detected beacon candidates, confidence scores, TLS fingerprints, timing analysis, HTTP profile matches, recommended response actions
- Constraints
- JSON report with confidence scores, fingerprints, timing analysis, profile matches, and response actions
CAVEATS
- Dependencies
- Zeek 6.0+ with JA3 and HASSH packages installed
- Suricata 7.0+ with Emerging Threats ruleset
- Python 3.9+ with scapy and dpkt libraries
- Network traffic captures (PCAP) or live Zeek logs
- RITA (Real Intelligence Threat Analytics) for beacon scoring
- Threat intelligence feeds with known Cobalt Strike IOCs
- Missing context
- Exact Zeek/Suricata queries or Python snippets
- Detailed JSON schema for the expected report
- Ambiguities
- Steps describe goals but provide no concrete commands, queries, or code.
- Does not specify input format (PCAP path, log directory, etc.).
QUALITY
- OVERALL
- 0.58
- CLARITY
- 0.82
- SPECIFICITY
- 0.68
- REUSABILITY
- 0.28
- COMPLETENESS
- 0.62
IMPROVEMENT SUGGESTIONS
- Add concrete example queries or code blocks under each step.
- Define the precise JSON structure and field names for the expected output.
USAGE
Copy the prompt above and paste it into your AI of choice — Claude, ChatGPT, Gemini, or anywhere else you're working. Replace any placeholder sections with your own context, then ask for the output.
MORE FOR SECURITY ANALYST
- Ransomware Network Indicators Analyzersecurity analystsecurity
- APT TTP Mapping with MITRE Navigatorsecurity analystsecurity
- Linux Persistence Mechanisms Analyzersecurity analystsecurity
- Azure AD Lateral Movement KQL Detectorsecurity analystsecurity
- Kerberos Golden Ticket Forgery Detectorsecurity analystsecurity
- LOLBAS Abuse Detection with Sigma Rulessecurity analystsecurity
- Shadow IT Cloud Usage Detectorsecurity analystsecurity
- Registry Run Key Persistence Detection Guidesecurity analystsecurity
- Detect Risky OAuth Consent Grants in Entra IDsecurity analystsecurity
- Windows Service Installation Threat Huntersecurity analystsecurity
- Web Server Log Intrusion Analyzersecurity analystsecurity
- RDP Brute Force Event Log Analyzersecurity analystsecurity
- Rekall Memory Forensics Artifact Extractorsecurity analystsecurity
- Azure Activity Logs Threat Analyzersecurity analystsecurity
- Scapy Network Packet Analysis Guidesecurity analystsecurity
- TLS Certificate Transparency Log Analyzersecurity analystsecurity
- Cobalt Strike Malleable C2 Profile Analyzersecurity analystsecurity
- Email Account Compromise Detection Proceduressecurity analystsecurity
- Credential Stuffing Auth Log Analyzersecurity analystsecurity
- MISP Threat Intelligence Sharing with PyMISPsecurity analystsecurity
- MISP Threat Landscape Analysis Guidesecurity analystsecurity
- Malicious Scheduled Task Sysmon Detectorsecurity analystsecurity
- Kerberos Pass-the-Ticket Attack Detectorsecurity analystsecurity
- NTLM Relay Attack Event Log Analyzersecurity analystsecurity
- Linux Memory Forensics with LiME and Volatilitysecurity analystsecurity