Bringing home the beacon (from Cobalt Strike)


Elastic Security engineers have documented a less tedious way to find network beaconing from Cobalt Strike. In their full analysis ([1] [2]), Elastic Security team researchers Andrew Pease, Derek Ditch, and Daniel Stepanic walk users through the Elastic fleet policy, how to collect the beacon, beacon configuration, how to analyze its activity, and how you can set it up in your organization’s environment.

These two articles ([1] [2]) are ideal for helping security analysts identify, collect, and configure Cobalt Strike beacon payloads from an endpoint using Elastic. It is often difficult to collect the Cobalt Strike beacon payload from memory and extract its configuration to identify observables and cluster group activities, partially due to the tremendous amount of metadata the beacon’s configurations include.

The early stages of an intrusion usually include initial access, execution, persistence, and command-and-control (C2) beaconing. When structured threats use zero-days, these first two stages are often not detected, and it can often be challenging and time-consuming to identify persistence mechanisms left by an advanced adversary.

The information helps threat hunters and analysts monitor Cobalt Strike beaconing activity, but also provides useful indicators of compromise (IoCs) with which to start an investigation.

If you don’t have an Elastic Cloud cluster but would like to collect and configure the Cobalt Strike beacon, you can start a free 14-day trial of Elastic Cloud today.