Windows Default Cobalt Strike PowerShell Beacon

name: Windows Default Cobalt Strike PowerShell Beacon
id: 25b6329b-d6b7-4ccd-9ac2-6ca1dfd2b0c1
version: 2
creation_date: '2026-05-05'
modification_date: '2026-05-13'
author: Raven Tait, Splunk
status: production
type: TTP
description: |-
    Detects default function and variable names known to be used by the Cobalt Strike PowerShell beacon.
    This beacon is used to gain command and control on a victim.
data_source:
    - Powershell Script Block Logging 4104
search: |-
    `powershell`
    EventID="4104"
    ScriptBlockText IN (
        "*func_get_proc_address*",
        "*$var_unsafe_native_methods*",
        "*$var_gpa.Invoke*",
        "*func_get_delegate_type*",
        "*$var_type_builder*"
    )
    | fillnull
    | stats count min(_time) as firstTime
                  max(_time) as lastTime
    
    by Computer EventID ScriptBlockText dest signature signature_id
       user_id vendor_product Guid Opcode Name
       Path ProcessID ScriptBlockId
    
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `windows_default_cobalt_strike_powershell_beacon_filter`
how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
known_false_positives: |-
    False positives are very unlikely as this detection targets default Cobalt Strike PowerShell beacon functions and variables. Modifications to the beacon's script may bypass detection but do not create false positives.
drilldown_searches:
    - earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
      name: View the detection results for - "$user$" and "$dest$"
      search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
    - name: View risk events for the last 7 days for - "$user$" and "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
finding:
    title: Default Cobalt Strike PowerShell beacon activity observed on $dest$ via script block $ScriptBlockId$.
    entity:
        field: dest
        type: system
        score: 50
analytic_story:
    - Cobalt Strike
asset_type: Endpoint
mitre_attack_id:
    - T1059.001
    - T1204.002
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/snapattack/snapattack.log
          source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
          sourcetype: XmlWinEventLog
      test_type: unit