Cobalt Strike Beacon: What it is, how it’s used, and how to detect and contain

Cobalt Strike Beacon

What it is

Cobalt Strike Beacon is the remote-control implant (the payload) of the Cobalt Strike framework, deployed after an initial break-in. It was built for red-team testing, but criminals use it too. Once running, Beacon periodically “checks in” to a command-and-control (C2) server and lets attackers run commands, move laterally, and pull data. See examples in our Cobalt Strike overview.

What you may notice

  • Repeating, short network “check-ins” to odd domains/IPs (often over HTTPS or DNS)

  • Legit tools (PowerShell, PsExec) launched in strange ways

  • New services/scheduled tasks; security tools disabled or excluded
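The first symptom above, repeating short check-ins to one destination, can be measured rather than eyeballed. The following is an added example, not code from the original page or from Cobalt Strike: a small jitter-tolerant beaconing detector run over constructed web-proxy log lines. The log field layout, the hostnames, the IP addresses and the thresholds are all assumptions chosen for illustration; the same scoring applies to DNS query logs if the parser is swapped.

```python
# Added example (not from the original page): jitter-tolerant beaconing detector
# over constructed web-proxy log lines. Field layout, hosts, IPs and thresholds
# are assumptions for illustration.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one request per line: "<ISO timestamp> <src_ip> <dst_host> <bytes>".
# 10.0.0.5 contacts one host about once a minute with tiny, same-sized requests (beacon-like);
# 10.0.0.7 browses a site at irregular intervals with varied sizes (normal browsing).
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 cdn-updates.example 612
2024-05-01T10:01:01 10.0.0.5 cdn-updates.example 608
2024-05-01T10:01:59 10.0.0.5 cdn-updates.example 615
2024-05-01T10:03:00 10.0.0.5 cdn-updates.example 610
2024-05-01T10:04:02 10.0.0.5 cdn-updates.example 609
2024-05-01T10:04:58 10.0.0.5 cdn-updates.example 613
2024-05-01T10:00:10 10.0.0.7 www.wikipedia.org 48211
2024-05-01T10:07:45 10.0.0.7 www.wikipedia.org 120330
2024-05-01T10:31:02 10.0.0.7 www.wikipedia.org 9120
2024-05-01T11:15:20 10.0.0.7 www.wikipedia.org 77120
2024-05-01T11:20:03 10.0.0.7 www.wikipedia.org 15044
"""


def parse_log(text):
    """Group (timestamp, bytes) events by (src_ip, dst_host)."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        sessions[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return sessions


def score_pair(events, min_events=5):
    """Describe the timing and size regularity of one src->dst conversation.

    Returns None when there are too few events to judge, otherwise a dict with
    the mean check-in interval, the jitter ratio (stdev / mean of the intervals)
    and the size spread (stdev / mean of the request sizes). An implant sleeps
    for a roughly fixed interval, so even with deliberate randomisation its
    jitter ratio stays well below that of a person clicking around a site.
    """
    if len(events) < min_events:
        return None
    events = sorted(events)
    times = [t for t, _ in events]
    sizes = [b for _, b in events]
    intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(intervals)
    if avg <= 0:
        return None
    return {
        "events": len(events),
        "mean_interval_s": avg,
        "jitter_ratio": pstdev(intervals) / avg,
        "size_spread": pstdev(sizes) / mean(sizes),
    }


def find_beacons(text, max_jitter=0.25, max_size_spread=0.2, min_events=5):
    """Return the src/dst pairs whose traffic looks like periodic check-ins."""
    hits = []
    for (src, dst), events in parse_log(text).items():
        stats = score_pair(events, min_events)
        if stats and stats["jitter_ratio"] <= max_jitter and stats["size_spread"] <= max_size_spread:
            hits.append({"src": src, "dst": dst, **stats})
    return sorted(hits, key=lambda h: h["jitter_ratio"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}: every ~{hit['mean_interval_s']:.0f}s, "
              f"jitter {hit['jitter_ratio']:.2f}, size spread {hit['size_spread']:.2f}")
```

On the constructed sample only the 10.0.0.5 conversation is reported (about every 60 s, jitter ratio under 0.05), while the irregular browsing session is scored but not flagged. The thresholds are a starting point, not a rule: a check-in interval with heavy randomisation needs a looser `max_jitter`, and any hit still has to be confirmed against the destination's reputation and the process that made the connection.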

How it gets in

  • Phishing documents and fake installers

  • Exploited VPN/RDP or unpatched public apps

  • Stolen admin credentials from earlier malware

If you suspect Beacon (quick response)

  1. Isolate the host from the network—don’t just kill the process.

  2. Collect evidence first (memory, logs), then remove persistence (tasks/services).

  3. Reset credentials from a clean admin box; rotate keys/tokens.

  4. Hunt laterally—assume more than one foothold.

  5. Engage your IR team; block C2 domains/IPs at the firewall/DNS.
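Step 2 above says to collect evidence and then remove persistence such as services and scheduled tasks. As an added example, not code from the original page, the following triage helper scores constructed Windows event records for a newly installed service (System log event 7045) and a newly created scheduled task (Security log event 4698) so the obviously suspect ones can be reviewed first. The flattened record format, the service and task names, the paths and the placeholder base64 string are all constructed for illustration; a real export would need its own parser.

```python
# Added example (not from the original page): triage of constructed Windows event
# records for new services (event 7045) and scheduled tasks (event 4698).
# Record format, names, paths and the placeholder base64 are constructed.
import ntpath
import re

SAMPLE_EVENTS = [
    # Service with a trusted-sounding name whose binary sits in a user-writable folder.
    {"EventID": 7045, "Name": "WinDefendUpdate",
     "Command": r"C:\Users\Public\svchost.exe", "Arguments": ""},
    # Ordinary print spooler service: the real binary in the real location.
    {"EventID": 7045, "Name": "Spooler",
     "Command": r"C:\Windows\System32\spoolsv.exe", "Arguments": ""},
    # Task whose action is a hidden, encoded PowerShell command (placeholder base64).
    {"EventID": 4698, "Name": r"\Microsoft\Windows\Maintenance",
     "Command": "powershell.exe",
     "Arguments": "-nop -w hidden -enc AAAAAAAAAAAAAAAAAAAA"},
    # Ordinary backup job.
    {"EventID": 4698, "Name": r"\Backup\Nightly",
     "Command": r"C:\Program Files\Backup\backup.exe", "Arguments": "/full"},
]

# Directories that a standard user can write to, so a service or task binary there
# did not come from an installer running as the system.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Windows\\Temp)\\", re.I)
# PowerShell's -EncodedCommand and its prefixes (-enc, -ec, -e).
ENCODED_PS = re.compile(r"(?:^|\s)-(?:enc|encodedcommand|ec|e)\b", re.I)
# Names of Windows system binaries that only belong under C:\Windows.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "spoolsv.exe"}


def reasons_for(event):
    """Return the list of reasons one event record deserves a closer look."""
    cmd, args = event["Command"], event.get("Arguments", "")
    exe = ntpath.basename(cmd).lower()
    reasons = []
    if USER_WRITABLE.search(cmd):
        reasons.append("binary lives in a user-writable directory")
    if exe in SYSTEM_NAMES and not cmd.lower().startswith("c:\\windows\\"):
        reasons.append("system binary name outside C:\\Windows")
    if exe in ("powershell.exe", "pwsh.exe") and ENCODED_PS.search(args):
        reasons.append("encoded PowerShell command line")
    return reasons


def triage(events):
    """Keep only the records with at least one reason, preserving input order."""
    findings = []
    for ev in events:
        reasons = reasons_for(ev)
        if reasons:
            findings.append({"EventID": ev["EventID"], "Name": ev["Name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"event {f['EventID']} {f['Name']}: " + "; ".join(f["reasons"]))
```

On the sample records the helper flags the fake update service (user-writable path plus a system binary name in the wrong place) and the encoded-PowerShell task, and leaves the print spooler and the backup job alone. Use the output to prioritise, not to decide: the flagged items are what you image and export logs from before they are removed, per step 2, and the unflagged ones still get checked against a known-good baseline.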

Prevent it

  • Patch internet-facing systems; lock down or remove unused remote access.

  • Enforce MFA, least privilege, and admin “jump” workstations.

  • Monitor for beaconing patterns and unusual admin tool usage.

  • Use EDR with script logging (PowerShell, AMSI) and DNS filtering.

  • Train staff to spot phishing; test restores from offline backups.
