creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-26 03:34:37 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/analyzing-cobalt-strike-beacon-configuration/assets/template.md
T

2.1 KiB
Raw Blame History

Cobalt Strike Beacon Analysis Report Template

Report Metadata

Field Value
Report ID CS-BEACON-YYYY-NNNN
Date YYYY-MM-DD
Sample Hash (SHA-256)
Classification TLP:AMBER
Analyst

Beacon Configuration Summary

Setting Value
Beacon Type HTTP / HTTPS / SMB / DNS
C2 Server(s)
Port
Sleep Time ms
Jitter %
User-Agent
Watermark
SpawnTo (x86)
SpawnTo (x64)
Named Pipe
Host Header
Crypto Scheme

C2 Infrastructure

Indicator Type Value Context
C2 Domain domain Primary callback
C2 IP ip Resolved address
URI Path (GET) uri Beacon check-in
URI Path (POST) uri Data exfiltration

Malleable C2 Profile

HTTP GET Configuration

Parameter Value
URI
Verb
Headers
Metadata Encoding

HTTP POST Configuration

Parameter Value
URI
Verb
ID Encoding
Output Encoding

Watermark Attribution

Watermark Known Association Confidence
Cracked / Licensed / Threat Actor High/Med/Low

Network Detection Signatures

# Suricata signature for beacon C2 traffic
alert http $HOME_NET any -> $EXTERNAL_NET any (
    msg:"Cobalt Strike Beacon C2 Communication";
    content:"[USER_AGENT]"; http_user_agent;
    content:"[URI_PATH]"; http_uri;
    sid:1000001; rev:1;
)

YARA Detection Rule

rule CobaltStrike_Beacon_[CAMPAIGN] {
    meta:
        description = "Detects Cobalt Strike beacon from [CAMPAIGN]"
        hash = "[SHA256]"
    strings:
        $c2 = "[C2_DOMAIN]" ascii
        $pipe = "[NAMED_PIPE]" ascii
        $ua = "[USER_AGENT]" ascii
    condition:
        2 of them
}

Recommendations

  1. Block: Add C2 domains/IPs to firewall deny lists
  2. Hunt: Search for named pipe and spawn-to process in endpoint logs
  3. Detect: Deploy YARA and network signatures to detection stack
  4. Correlate: Check watermark against threat intelligence databases
Reference in New Issue View Git Blame Copy Permalink