ExtraHop named a Leader in the 2025 Forrester Wave™: Network Analysis And Visibility Solutions

Search
Get a Demo
Menu iconX icon
  • Platformchevron right
  • Solutionschevron right
  • Modern NDRchevron right
  • Resourceschevron right
  • Companychevron right
User iconSign In
Contact Us

DETECTION OVERVIEW

Cobalt Strike DNS Beaconing

Risk Factors

Cobalt Strike DNS beaconing is associated with a persistent, planned attack rather than a random, opportunistic attack. This type of beaconing requires an attacker to set up a sophisticated command-and-control (C&C) infrastructure. Through a persistent connection, an attacker can remotely control a device and gain an entry point for further attacks on your network.

Category

Command-and-Control
Detection diagram
Next in Command-and-Control: Command-and-Control Beaconing

Attack Background

Cobalt Strike is an attack toolkit that is often associated with malicious activity. The Cobalt Strike DNS Beacon tool within this toolkit establishes C&C communication from a victim device over DNS on standard port 53, which helps the attacker bypass firewalls and evade detection. The first step in setting up DNS Beacon is to create a C&C server that acts as an authoritative name server for a certain domain. Next, the attacker installs the DNS Beacon agent on the victim. The agent sends a beacon through a DNS query for the domain and the query is routed to the C&C server by the DNS server (1). The C&C server then sends the victim a DNS response (2) that tells the Beacon agent to be idle or to wake up and receive instructions over another established C&C channel.

Mitigation Options

Quarantine the device while checking for the presence of malware

Monitor and investigate unusual network activity for lateral movement or data exfiltration

MITRE ATT&CK ID

Associated content

Announcing The Forrester Wave™: Network Analysis And Visibility Solutions, Q4 2025

Network analysis and visibility solutions remain underrepresented in enterprises. Find out why in this preview of a new Wave report.

Report
Learn moreArrow pointing right

ExtraHop® Named a Leader in First-Ever Gartner® Magic Quadrant™ for Network Detection and Response — ExtraHop

ExtraHop® Named a Leader in First-Ever Gartner® Magic Quadrant™ for Network Detection and Response

News
Learn moreArrow pointing right

Detections

Visit this resource for more information.

Docs
Learn moreArrow pointing right

The 2025 ExtraHop Global Threat Landscape Report: The Alarming Reality of Threat Actor Dwell Time and Deeper Network Access — ExtraHop

This analysis exposes the critical link between an organization's lack of internal visibility and the escalating cost of compromise, demanding an urgent re-evaluation of how core business assets are protected.

Blog
Learn moreArrow pointing right

ExtraHop RevealX MITRE ATT&CK Coverage 2024 — ExtraHop

Learn why you need to be wary of the claims certain network detection and response providers make about their coverage against the MITRE ATT&CK framework.

Blog
Learn moreArrow pointing right

MITRE ATT&CK - Network Detection & Response with RevealX — ExtraHop

Learn how NDR from RevealX helps security teams detect and investigate more adversary TTPs in the MITRE ATT&CK framework than rule-based tools.

External
Learn moreArrow pointing right
Periodic Table of Use Cases

What else can RevealX do for you?

View our Periodic Table of use casesArrow pointing right