
Analyzing Cobalt Strike Beacon Configuration
Turn extracted Cobalt Strike beacon artifacts into a structured attribution and detection report with C2, profile, and Suricata-ready fields.
Install
npx skills add https://github.com/mukul975/anthropic-cybersecurity-skills --skill analyzing-cobalt-strike-beacon-configuration
What is this skill?
- Structured CS-BEACON report with TLP metadata and SHA-256 sample hash
- Beacon settings table: type, C2, sleep, jitter, UA, watermark, SpawnTo, pipes
- Separate HTTP GET/POST malleable C2 profile parameter blocks
- C2 infrastructure indicator table (domain, IP, URI paths)
- Watermark attribution matrix and starter Suricata HTTP alert stub
Adoption & trust: 1 install on skills.sh; 14.9k GitHub stars; 2 of 3 security scanners passed (skills.sh audits); trending (+100% hot-view momentum).
Journey fit
Beacon configuration analysis sits on the Ship shelf because it supports release and incident readiness both before and after production exposure. Its Security subphase covers malware C2 review, detection signatures, and threat-intel-style documentation tied to shipped or attacked environments.
Common Questions / FAQ
Is Analyzing Cobalt Strike Beacon Configuration safe to install?
skills.sh reports 2 of 3 security scanners passed. Review the Security Audits panel on this page before installing in production.
SKILL.md - Analyzing Cobalt Strike Beacon Configuration
# Cobalt Strike Beacon Analysis Report Template

## Report Metadata

| Field | Value |
|-------|-------|
| Report ID | CS-BEACON-YYYY-NNNN |
| Date | YYYY-MM-DD |
| Sample Hash (SHA-256) | |
| Classification | TLP:AMBER |
| Analyst | |

## Beacon Configuration Summary

| Setting | Value |
|---------|-------|
| Beacon Type | HTTP / HTTPS / SMB / DNS |
| C2 Server(s) | |
| Port | |
| Sleep Time (ms) | |
| Jitter (%) | |
| User-Agent | |
| Watermark | |
| SpawnTo (x86) | |
| SpawnTo (x64) | |
| Named Pipe | |
| Host Header | |
| Crypto Scheme | |

## C2 Infrastructure

| Indicator | Type | Value | Context |
|-----------|------|-------|---------|
| C2 Domain | domain | | Primary callback |
| C2 IP | ip | | Resolved address |
| URI Path (GET) | uri | | Beacon check-in |
| URI Path (POST) | uri | | Data exfiltration |

## Malleable C2 Profile

### HTTP GET Configuration

| Parameter | Value |
|-----------|-------|
| URI | |
| Verb | |
| Headers | |
| Metadata Encoding | |

### HTTP POST Configuration

| Parameter | Value |
|-----------|-------|
| URI | |
| Verb | |
| ID Encoding | |
| Output Encoding | |

## Watermark Attribution

| Watermark | Known Association | Confidence |
|-----------|------------------|------------|
| | Cracked / Licensed / Threat Actor | High/Med/Low |

## Network Detection Signatures

```
# Suricata signature for beacon C2 traffic
# Escape ; " | and \ inside the content strings before deploying
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Cobalt Strike Beacon C2 Communication"; content:"[USER_AGENT]"; http_user_agent; content:"[URI_PATH]"; http_uri; sid:1000001; rev:1;)
```

## YARA Detection Rule

```yara
// [CAMPAIGN] must become a valid identifier (letters, digits, underscores)
rule CobaltStrike_Beacon_[CAMPAIGN]
{
    meta:
        description = "Detects Cobalt Strike beacon from [CAMPAIGN]"
        hash = "[SHA256]"
    strings:
        $c2 = "[C2_DOMAIN]" ascii
        $pipe = "[NAMED_PIPE]" ascii
        $ua = "[USER_AGENT]" ascii
    condition:
        2 of them
}
```

## Recommendations

1. **Block**: Add C2 domains/IPs to firewall deny lists
2. **Hunt**: Search for named pipe and spawn-to process in endpoint logs
3. **Detect**: Deploy YARA and network signatures to detection stack
4. **Correlate**: Check watermark against threat intelligence databases

License: Apache License, Version 2.0, January 2004 (http://www.apache.org/licenses/)
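The report template above assumes the analyst already has the beacon settings in hand. The following is an added worked example, not code from the skill or its repository, showing how the extracted settings are produced and mapped onto the template's rows. It assumes the config blob has already been carved out of process memory or a decrypted stager, and it follows the publicly documented layout used by community parsers such as Didier Stevens' 1768.py: each setting is a 2-byte big-endian index, a 2-byte type (1 = short, 2 = int, 3 = bytes) and a 2-byte length, followed by the value, with the whole block XORed by 0x2e (Cobalt Strike 4.x) or 0x69 (3.x). The setting index names, `build_demo_blob()` and every value in the demo blob are constructed for this example; no real sample is involved.

```python
"""Parse a carved Cobalt Strike beacon config blob into the report template's rows.
Added worked example, not the skill's code. Layout follows public community parsers:
per setting a big-endian index, type (1=short, 2=int, 3=bytes) and length, then the
value; the block is XORed with 0x2e (CS 4.x) or 0x69 (CS 3.x). Demo blob is CONSTRUCTED."""
import struct

XOR_KEYS = (0x2E, 0x69)                      # CS 4.x, then CS 3.x
TYPE_SHORT, TYPE_INT, TYPE_BYTES = 1, 2, 3
CONFIG_HEADER = b"\x00\x01\x00\x01\x00\x02"  # setting 1 (BeaconType), short, length 2
SETTING_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize", 5: "Jitter",
                 7: "PublicKey", 8: "C2Server", 9: "UserAgent", 10: "HttpPostUri",
                 11: "Malleable_C2_Instructions", 12: "HttpGet_Metadata", 13: "HttpPost_Metadata",
                 14: "SpawnTo", 15: "PipeName", 26: "HttpGet_Verb", 27: "HttpPost_Verb",
                 29: "Spawnto_x86", 30: "Spawnto_x64", 31: "CryptoScheme", 37: "Watermark"}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP-DNS", 2: "SMB", 4: "TCP", 8: "HTTPS", 16: "Bind TCP"}


def _cstr(raw: bytes) -> str:
    """Null-padded config string -> str (latin-1 so no byte value can raise)."""
    return raw.split(b"\x00", 1)[0].decode("latin-1")


def parse_config(blob: bytes) -> dict:
    """Try each known XOR key; return {setting_name: value} for the first that fits."""
    for key in XOR_KEYS:
        data = bytes(b ^ key for b in blob)
        if not data.startswith(CONFIG_HEADER):   # wrong key (or not a beacon config)
            continue
        settings, pos = {}, 0
        while pos + 6 <= len(data):
            idx, typ, length = struct.unpack(">HHH", data[pos:pos + 6])
            pos += 6
            if idx == 0:                          # terminator entry
                break
            raw = data[pos:pos + length]
            pos += length
            if typ == TYPE_SHORT and len(raw) == 2:
                value = struct.unpack(">H", raw)[0]
            elif typ == TYPE_INT and len(raw) == 4:
                value = struct.unpack(">I", raw)[0]
            else:                                 # bytes, or a truncated short/int
                value = raw
            settings[SETTING_NAMES.get(idx, f"Setting_{idx}")] = value
        return settings
    raise ValueError("no known XOR key produces a beacon config header")


def report_fields(settings: dict) -> dict:
    """Map raw settings onto the Beacon Configuration Summary / C2 Infrastructure rows."""
    text = lambda k: _cstr(settings.get(k, b""))        # missing setting -> empty cell
    host, _, get_uri = text("C2Server").partition(",")  # stored as "host,/get-uri"
    btype = settings.get("BeaconType")
    return {
        "Beacon Type": BEACON_TYPES.get(btype, f"unknown({btype})"),
        "C2 Server": host,
        "Port": settings.get("Port"),
        "Sleep Time (ms)": settings.get("SleepTime"),
        "Jitter (%)": settings.get("Jitter"),
        "User-Agent": text("UserAgent"),
        "URI Path (GET)": get_uri,
        "URI Path (POST)": text("HttpPostUri"),
        "Watermark": settings.get("Watermark"),
        "SpawnTo (x86)": text("Spawnto_x86"),
        "SpawnTo (x64)": text("Spawnto_x64"),
        "Named Pipe": text("PipeName"),
    }


def _sig_escape(s: str) -> str:
    """Suricata content strings must escape backslash, double quote, semicolon and pipe."""
    return (s.replace("\\", "\\\\").replace('"', '\\"')
             .replace(";", "\\;").replace("|", "\\|"))


def suricata_rule(fields: dict, sid: int = 1000001) -> str:
    """Fill the template's Suricata stub; an unescaped ';' in the UA would break the rule."""
    return ('alert http $HOME_NET any -> $EXTERNAL_NET any ('
            'msg:"Cobalt Strike Beacon C2 Communication"; '
            f'content:"{_sig_escape(fields["User-Agent"])}"; http_user_agent; '
            f'content:"{_sig_escape(fields["URI Path (GET)"])}"; http_uri; '
            f'sid:{sid}; rev:1;)')


def build_demo_blob(key: int = 0x2E) -> bytes:
    """CONSTRUCTED blob in the real layout; every value here is made up for this demo."""
    def entry(idx, typ, val):
        return struct.pack(">HHH", idx, typ, len(val)) + val
    pad = lambda s, n: s.encode().ljust(n, b"\x00")   # config strings are null-padded
    plain = b"".join([
        entry(1, TYPE_SHORT, struct.pack(">H", 8)),                # HTTPS beacon
        entry(2, TYPE_SHORT, struct.pack(">H", 443)),
        entry(3, TYPE_INT, struct.pack(">I", 60000)),              # 60 s sleep
        entry(5, TYPE_SHORT, struct.pack(">H", 20)),               # 20 % jitter
        entry(8, TYPE_BYTES, pad("cdn.example.test,/updates/check", 256)),
        entry(9, TYPE_BYTES, pad("Mozilla/5.0 (Windows NT 10.0; Win64; x64) Demo/1.0", 128)),
        entry(10, TYPE_BYTES, pad("/updates/submit", 64)),
        entry(15, TYPE_BYTES, pad("\\\\.\\pipe\\demo_pipe", 128)),
        entry(29, TYPE_BYTES, pad("%windir%\\syswow64\\rundll32.exe", 64)),
        entry(30, TYPE_BYTES, pad("%windir%\\sysnative\\rundll32.exe", 64)),
        entry(37, TYPE_INT, struct.pack(">I", 0x12345678)),        # made-up watermark
        entry(0, 0, b""),                                          # terminator
    ])
    return bytes(b ^ key for b in plain)


if __name__ == "__main__":
    fields = report_fields(parse_config(build_demo_blob()))
    for name, value in fields.items():
        print(f"| {name} | {value} |")
    print(suricata_rule(fields))
```

Run as-is to print the summary rows for the constructed blob followed by the filled-in Suricata rule. Two design points: the header check doubles as key detection, so a blob that matches no key raises instead of silently producing garbage rows, and the signature helper escapes the characters Suricata treats specially, which matters because real beacon User-Agent strings routinely contain semicolons.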