Writing Effective YARA Rules for Cobalt Strike Beacon Detection

Sat, 28 Mar 2026 00:00:00 +0000

Cobalt Strike remains one of the most prevalent post-exploitation frameworks used by both red teams and threat actors. Detecting its beacons through YARA rules is a fundamental skill for any SOC analyst or threat hunter.

Understanding beacon artifacts

Cobalt Strike beacons leave identifiable patterns in both their staged and stageless payloads. The key areas to target are:

Configuration blocks — the beacon stores its config in a predictable structure
Sleep mask routines — the obfuscation applied during sleep cycles
Named pipe patterns — default pipe names are a common indicator

A basic detection rule

rule CobaltStrike_Beacon_Config
{
 meta:
 description = "Detects Cobalt Strike beacon configuration block"
 author = "SOC Team"
 date = "2026-03"
 severity = "high"

 strings:
 $config_header = { 00 01 00 01 00 02 ?? ?? 00 02 00 01 00 02 ?? ?? }
 $default_pipe = "\\\\.\\pipe\\msagent_" ascii wide
 $watermark = { 00 09 00 02 00 04 }

 condition:
 uint16(0) == 0x5A4D and
 filesize < 1MB and
 ($config_header or $default_pipe) and
 $watermark
}

Hunting in memory

For in-memory detection, you’ll want rules that match against the decrypted beacon configuration. Use a tool like pe-sieve or BeaconEye to dump process memory first, then scan:

Threat-Hunting on Clean Tech

Writing Effective YARA Rules for Cobalt Strike Beacon Detection

Understanding beacon artifacts

A basic detection rule

Hunting in memory