Skip Navigation
BlackBerry ThreatVector Blog

All Your Beacon Are Belong to Us: New BlackBerry Book Cracks Code of Cobalt Strike Threat Actors

New BlackBerry Threat Intelligence book is now available for download

Cobalt Strike is a post-exploitation framework that was developed to emulate the greatest features of late-stage malware ecosystems and allow its users to simulate adversary actions. The adoption of Cobalt Strike by global threat actors, and the framework’s use in hundreds of genuine intrusions, ransoms, and data breaches, shows that Beacon has fought its way to the top. It currently sits on the throne as the reigning champ of all malware toolkits. If it works, it wins.

While Poison Ivy and Gh0st have gone out to pasture, Cobalt Strike and its core implant Beacon have stepped into the limelight. This forces analysts and researchers around the world to renew their approaches to collecting, processing, and sharing information about Cobalt Strike and its use in bulk.

Can you detect Cobalt Strike payloads before they execute? Or only after they execute? Can you detect the network C2 traffic? And when you see Cobalt Strike detections, can you differentiate between a red team engagement and a bona fide intrusion?

More proactively, can you develop intelligence on a Cobalt Strike wave before the first phishing email is sent your way? Can you identify a C2 server before the adversary builds its first payload? Can you extract additional intelligence directly from adversary-controlled infrastructure? These are questions that each organization must ask itself, and the team at BlackBerry is offering different ways to say yes.

Finding Beacons in the Dark: A Guide to Cyber Threat Intelligence” is a labor of love by practitioners for practitioners. What began as a project to detect Cobalt Strike exploded into a full-blown automation platform for broad collection, processing, and data harvesting from Cobalt Strike team servers with corresponding Beacon payloads and their configuration details.

Through creating this system and analyzing the data en masse, the BlackBerry Research & Intelligence Team observed trends and developed a holistic picture of Cobalt Strike across many phases of the threat intelligence lifecycle. From static payload analysis to configs to server fingerprints to unique toolmarks, the authors of this book provide a practical and detailed look at the Cobalt Strike framework itself and then dive into examples that will help you understand how it gets used in the wild. There are some handy detection rules and scripts, as well.

There’s more than meets the eye in these pages, and through the lens of Cobalt Strike you may gain a better understanding of how threat actors tend to design, configure, and operate malware of all types. (Spoiler alert: ports 80, 443 and 8080 are malware config favorites for good reason – they are almost always “open” on network gear!)

If you’re like me, you’ll probably have fun spelunking through the details and operationalizing what you learn. I hope that this inspires you to become a part of the evolutionary pressure, and more broadly, I hope that this work serves as a model for how to build and share bulk intelligence analysis about prolific malware families.

~Steve Miller (@stvemillertime)
Researcher, Stairwell Inc.
Ithaca, New York

Finding Beacons in the Dark: A Guide to Cyber Threat Intelligence is now available for download. Click here for more information and to download the eBook.

Steve Miller

About Steve Miller

Steve Miller (@stvemillertime) is a researcher of adversary tradecraft, obsessed with finding human fingerprints in digital artifacts. Rather than the “Who, What, or Why” of a breach, he focuses on the “How” – the TTPs or modi operandi of threat actors. Steve loves to operate at the intersection of incident response, threat intelligence, and detection engineering.

When he is not finding evil, smashing malware, or writing creative detection rules, he can probably be heard making loud noises with modular synthesizers, drum machines and other music gear in his underground beat laboratory.

Steve is an alumnus analyst of Champlain College, Mandiant, the U.S. Department of Homeland Security, U.S. Department of State, U.S. Army Intelligence and Security Command (INSCOM), and the National Security Agency. He joined cybersecurity company Stairwell Inc. in August 2021.