You run threat hunting for a 4,000-employee software company. Your weekly hunt query for periodic outbound HTTPS just surfaced a developer workstation with a connection cadence of every sixty seconds plus or minus six seconds (a 10 percent jitter window).
The destination is a CDN-fronted domain with a recently issued Let's Encrypt certificate. The JA3 fingerprint matches a known commodity offensive-tooling pattern. Bytes per call are small (under 8 KB up, under 32 KB down).
This scenario tests whether you can read the indicators, name the technique class, and pick the right pivot. You will not need to interact with a live SIEM; the artifacts are inline.
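The cadence test behind a hunt query like the one above, as an added example that is not part of the original scenario: group outbound connections by (source, destination), compute inter-arrival times, and flag pairs whose intervals stay within a tight jitter band and whose transfer sizes stay small. The connection records, the host name `dev-ws-117`, and the destinations `cdn-edge.example` and `updates.example` are constructed for the example; the field layout (timestamp, source, destination, bytes out, bytes in) is an assumption, not a real log format.

```python
from datetime import datetime
from statistics import mean

# Constructed sample records (not from the page): one beaconing pair at
# roughly 60 s with +/-5 s of jitter, and one irregular, bulky pair.
SAMPLE_CONNECTIONS = """\
2024-03-04T09:00:00Z dev-ws-117 cdn-edge.example 1840 9120
2024-03-04T09:01:03Z dev-ws-117 cdn-edge.example 1812 8870
2024-03-04T09:01:58Z dev-ws-117 cdn-edge.example 1901 9344
2024-03-04T09:03:03Z dev-ws-117 cdn-edge.example 1788 9001
2024-03-04T09:04:00Z dev-ws-117 cdn-edge.example 1856 9210
2024-03-04T09:05:00Z dev-ws-117 cdn-edge.example 1830 8999
2024-03-04T09:00:00Z dev-ws-117 updates.example 5120 220000
2024-03-04T09:07:30Z dev-ws-117 updates.example 5220 180000
2024-03-04T09:31:02Z dev-ws-117 updates.example 5100 205000
2024-03-04T09:45:11Z dev-ws-117 updates.example 5190 199000
"""


def parse_connections(text):
    """Parse whitespace-separated records into (datetime, src, dst, out, in)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, out_b, in_b = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                     src, dst, int(out_b), int(in_b)))
    return rows


def cadence_stats(timestamps):
    """Mean inter-arrival time and jitter ratio for one src/dst pair.

    Jitter is the largest absolute deviation from the mean interval,
    divided by that mean, so a 60 s sleep with +/-6 s of randomisation
    comes out near 0.10. Returns (mean_seconds, jitter, interval_count),
    or None when fewer than two connections are present.
    """
    ts = sorted(timestamps)
    intervals = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if not intervals:
        return None
    avg = mean(intervals)
    if avg <= 0:
        return None
    jitter = max(abs(i - avg) for i in intervals) / avg
    return round(avg, 1), round(jitter, 3), len(intervals)


def find_beacons(rows, min_connections=5, max_jitter=0.2,
                 max_out=8 * 1024, max_in=32 * 1024):
    """Return src/dst pairs that look like periodic, low-volume beacons.

    max_jitter is deliberately looser than the 10% seen in the scenario:
    a few dropped or delayed calls widen the observed band, and a hunt
    query should not miss the implant because of that.
    """
    groups = {}
    for ts, src, dst, out_b, in_b in rows:
        groups.setdefault((src, dst), []).append((ts, out_b, in_b))

    findings = []
    for (src, dst), recs in groups.items():
        if len(recs) < min_connections:
            continue
        stats = cadence_stats([r[0] for r in recs])
        if stats is None:
            continue
        avg, jitter, n = stats
        small = all(o <= max_out and i <= max_in for _, o, i in recs)
        if jitter <= max_jitter and small:
            findings.append({
                "src": src, "dst": dst, "connections": len(recs),
                "mean_interval_s": avg, "jitter": jitter,
                "bytes_out_max": max(o for _, o, _ in recs),
                "bytes_in_max": max(i for _, _, i in recs),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_connections(SAMPLE_CONNECTIONS)):
        print(f)
```

The byte-size gate matters as much as the cadence: plenty of legitimate agents poll on a fixed timer, but they rarely combine a tight jitter band with consistently tiny request and response bodies. Tune `min_connections` to the window you hunt over; five connections is the floor at which a jitter estimate means anything.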
One ordered pass through every step. No clock. Each answer scores against the canonical solution.
Hints reduce the points you can earn for that step. Free-text steps queue for manual review.