Range Scenario · crucible · 35 min
Hunt the Beacon: Detect Cobalt Strike in Network Telemetry
This cybersecurity training scenario simulates a working incident. Network telemetry shows a periodic outbound HTTPS connection from a developer workstation. Pattern, jitter, and JA3 fingerprint suggest a commodity command-and-control framework. Hunt the beacon, identify the family, recommend the next move.
Scenario briefing
You run threat hunting for a 4,000-employee software company. Your weekly hunt query for periodic outbound HTTPS just surfaced a developer workstation with a connection cadence of every sixty seconds plus or minus six seconds (a 10 percent jitter window).
The destination is a CDN-fronted domain with a recently-issued Let's Encrypt certificate. JA3 fingerprint matches a known commodity offensive tooling pattern. Bytes per call are small (under 8 KB up, under 32 KB down).
This scenario tests whether you can read the indicators, name the technique class, and pick the right pivot. You will not need to interact with a live SIEM; the artifacts are inline.
What you will practice
- Recognize beacon traffic by interval, jitter, and byte-count fingerprint
- Map the activity to MITRE ATT&CK C2 techniques
- Use JA3 fingerprinting as a hunting pivot
- Pick a hunt-to-IR handoff path that preserves evidence
How this scenario is scored
The scenario has 6 ordered steps. Most steps are exact-match (a MITRE ATT&CK technique ID, a tool name, or a yes/no decision) or multiple choice. Free-text steps queue for manual review and do not affect the auto-final-score in the MVP.
Each step has a max score of 100 points. Hints deduct points up front, listed before you reveal them. Your final score is the sum across steps. Range Elo updates on completion based on scenario difficulty (Intermediate) and your final score percentage.
Frequently asked questions
What makes a beacon detectable in network telemetry?
Beacon traffic shows periodicity (regular call-home interval), jitter (a small random variance to evade naive detection), and a tight byte-count distribution. Sleep-skew analysis, JA3 fingerprinting, and rare-domain scoring against asset history surface the pattern even when payloads are encrypted.
Why JA3 instead of payload inspection?
JA3 fingerprints the TLS Client Hello, so it works on encrypted traffic without decrypting. Many commodity offensive frameworks ship with default TLS profiles that produce stable JA3 hashes, making fingerprint-based hunting effective even when the C2 channel is HTTPS over a CDN.
Can attackers defeat JA3 fingerprinting?
Yes. Mature operators randomize TLS profiles, vary cipher suites, and proxy through legitimate SaaS to break stable JA3 hashes. Defenders combine JA3 with timing analysis, destination rarity scoring, and process-to-network correlation so a single evasion does not bypass the full detection.
Course content is for educational purposes only and does not constitute professional advice. All claims are supported by cited peer-reviewed academic research. DecipherU does not teach or reproduce any proprietary sales methodology. Verify all referenced sources independently.
Get cybersecurity career insights delivered weekly
Join cybersecurity professionals receiving weekly intelligence on threats, job market trends, salary data, and career growth strategies.
By subscribing you agree to our privacy policy. Unsubscribe anytime.