I’ve learned recently that the Cobalt Strike “Beacon” product has been subverted by malicious actors. The Beacon product is a fairly powerful tool useful for red-teaming, and the SecurityNow! podcast (episode #837) has a decent summary of how it’s gone sideways. Here’s another good article:
Anyhow, if the beacon is installed (by either a red-team or by malicious actors), it calls out via HTTPS to C2 servers by IP address (not hostname). These C2 servers might be set up for specific targets, so it’s not clear if such traffic would be caught by ZIA’s C2 ATP policies.
I’m curious about whether anyone has played with this, or tested blocking these Beacons, and what successful policies might be.
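One defender-side check for the traffic pattern described above, as an added example that is not from the original post or from Zscaler: it scans constructed web-proxy log lines and reports TLS connections whose destination is an IP literal rather than a hostname. The log field layout and the list of internal address ranges are assumptions.

```python
"""Report HTTPS/TLS connections to external destinations given as a bare IP
address (no hostname). Log format and internal ranges are assumed, not Zscaler's."""
import ipaddress
from collections import Counter

# Constructed sample log lines: timestamp, source IP, destination host, port, action.
SAMPLE_LOG = """\
2021-09-10T10:00:01Z 10.1.2.3 www.example.com 443 ALLOW
2021-09-10T10:00:05Z 10.1.2.3 203.0.113.7 443 ALLOW
2021-09-10T10:01:05Z 10.1.2.3 203.0.113.7 443 ALLOW
2021-09-10T10:02:05Z 10.1.2.3 203.0.113.7 443 ALLOW
2021-09-10T10:02:09Z 10.1.2.4 10.0.0.50 443 ALLOW
2021-09-10T10:03:00Z 10.1.2.5 198.51.100.9 8443 ALLOW
"""

# Assumed internal ranges; an organisation would substitute its own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def parse_line(line):
    """Split one log line into fields; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, action = parts
    if not port.isdigit():
        return None
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "action": action}

def is_external_ip_literal(dst):
    """True when dst parses as an IP address that is outside INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return False  # a hostname, not an IP literal
    return not any(addr in net for net in INTERNAL_NETS)

def find_ip_only_https(log_text, tls_ports=(443, 8443)):
    """Return {(src, dst, port): count} for TLS connections to external IP literals."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["port"] in tls_ports and is_external_ip_literal(rec["dst"]):
            hits[(rec["src"], rec["dst"], rec["port"])] += 1
    return dict(hits)

if __name__ == "__main__":
    for (src, dst, port), n in find_ip_only_https(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{port} seen {n} times (destination is an IP literal)")
```

Hits from a check like this are a hunting lead rather than proof of a beacon, since some legitimate software also connects to IP literals; the repeated, regularly spaced connections to one destination are what merit a closer look.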