Detect Cobalt Strike beacon network activity
Skill: hunting-for-cobalt-strike-beacons
Source: mukul975/Anthropic-Cybersecurity-Skills
What it does
Detect Cobalt Strike beacon network activity
Best for
When hunting ransomware C2 infrastructure using TLS fingerprints and beacon timing.
Inputs
- Zeek ssl.log or PCAP
- HTTP request logs
Outputs
- JSON beacon confidence scores
- TLS fingerprints
- Timing analysis
Requires
- Zeek
- Suricata
- RITA
- Python PCAP tools (scapy, dpkt)
Preconditions
Network captures or Zeek logs available; threat intelligence feeds loaded
Failure modes
False positives from legitimate TLS configurations; beacon jitter defeats timing analysis; encrypted traffic is opaque to payload inspection
Trust signals
- mukul975/Anthropic-Cybersecurity-Skills
- NIST/MITRE ATT&CK alignment