OpenSkillIndex← back to search
claude-code

Anthropic-Cybersecurity-Skills hunting-for-cobalt-strike-beacons

Detect Cobalt Strike beacon network activity using default TLS certificate signatures (serial 8BB00EE), JA3/JA3S/JARM

install
source · Clone the upstream repo
git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/mukul975/Anthropic-Cybersecurity-Skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/hunting-for-cobalt-strike-beacons" ~/.claude/skills/mukul975-anthropic-cybersecurity-skills-hunting-for-cobalt-strike-beacons && rm -rf "$T"
manifest: skills/hunting-for-cobalt-strike-beacons/SKILL.md
source content

Hunting for Cobalt Strike Beacons

Overview

Cobalt Strike is the most prevalent command-and-control framework used by both red teams and threat actors. Beacon, its primary payload, communicates with team servers using configurable HTTP/HTTPS/DNS profiles that can mimic legitimate traffic. However, default configurations and behavioral patterns remain detectable through TLS certificate analysis (default serial 8BB00EE), JA3/JA3S fingerprinting, beacon interval jitter analysis, and HTTP malleable profile pattern matching. This skill covers building detection capabilities using Zeek network logs, Suricata IDS rules, and Python-based PCAP analysis to identify beacon callbacks in network traffic.

When to Use

  • When investigating security incidents that require hunting for cobalt strike beacons
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • Zeek 6.0+ with JA3 and HASSH packages installed
  • Suricata 7.0+ with Emerging Threats ruleset
  • Python 3.9+ with scapy and dpkt libraries
  • Network traffic captures (PCAP) or live Zeek logs
  • RITA (Real Intelligence Threat Analytics) for beacon scoring
  • Threat intelligence feeds with known Cobalt Strike IOCs

Steps

Step 1: TLS Certificate Analysis

Detect default Cobalt Strike certificates using JA3S fingerprints, certificate serial numbers, and JARM fingerprints in Zeek ssl.log.

Step 2: Beacon Interval Analysis

Analyze connection timing patterns to identify regular callback intervals with configurable jitter, characteristic of beacon behavior.

Step 3: HTTP Profile Detection

Match HTTP request patterns (URI paths, headers, user-agents) against known malleable C2 profiles.

Step 4: Correlate and Score

Combine multiple indicators (TLS + timing + HTTP profile) into a composite beacon confidence score.

Expected Output

JSON report containing detected beacon candidates with confidence scores, TLS fingerprints, timing analysis, HTTP profile matches, and recommended response actions.