What You Will Achieve
By the end of this playbook you will have:
- 3 production-ready YARA rules covering the most prevalent C2 frameworks (Cobalt Strike, Sliver, Metasploit)
- A testing methodology to validate rules against known samples
- An integration guide to deploy rules into Splunk, Elastic, or any SIEM that supports YARA
- A workflow to enrich detections with isMalicious threat intelligence
Prerequisites
Before starting, make sure you have:
- YARA installed (v4.x recommended) — Installation guide
- Access to a SIEM (Splunk, Elastic, Wazuh, or similar)
- An isMalicious API key — Get one free
- Sample C2 payloads for testing (we'll use public samples from MalwareBazaar)
bash
# Verify YARA is installed
yara --version
# Expected: 4.x.x
# Install if needed (macOS)
brew install yara
# Install if needed (Ubuntu/Debian)
sudo apt-get install yara
Step 1: Understanding C2 Beacon Patterns
C2 beacons follow predictable patterns that make them detectable:
- Periodic callbacks — regular intervals (e.g., every 60 seconds)
- Encoded payloads — Base64, XOR, or custom encoding in HTTP headers or body
- Distinctive User-Agent strings — default or semi-random strings that stand out
- Specific URI patterns — paths like
/submit.php,/pixel.gif, or/updates
The key insight: while C2 operators customize their implants, the binary artifacts and network signatures retain structural patterns that YARA can match.
Step 2: Cobalt Strike Beacon Detection
Cobalt Strike is the most widely abused commercial C2 framework. Its beacon has well-documented artifacts.
YARA Rule: Cobalt Strike Beacon
yara
rule CobaltStrike_Beacon_Indicators
{
meta:
description = "Detects Cobalt Strike beacon payloads"
author = "isMalicious Threat Research"
date = "2026-02"
reference = "https://ismalicious.com/playbooks/detecting-c2-beacons-yara"
severity = "critical"
strings:
$beacon_config = { 00 01 00 01 00 02 ?? ?? 00 02 00 01 00 02 ?? ?? }
$sleep_mask = "ReflectiveLoader"
$named_pipe = "\\\\.\\pipe\\msagent_"
$default_ua = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
$malleable_marker = { 2E 2F 2E 2F 2E 2C }
$xor_decode = { 31 C9 83 E9 ?? 8D [2-4] 31 }
condition:
uint16(0) == 0x5A4D and
filesize < 1MB and
(
$beacon_config or
($sleep_mask and $named_pipe) or
($default_ua and $xor_decode) or
($malleable_marker and any of ($sleep_mask, $named_pipe))
)
}
What This Catches
| Pattern | Why It Works |
|---|---|
| $beacon_config | Matches the binary configuration block embedded in every beacon |
| $sleep_mask | The reflective loader string present in default builds |
| $named_pipe | Default named pipe prefix for SMB beacons |
| $default_ua | The hardcoded User-Agent in unmodified beacons |
Step 3: Sliver C2 Detection
Sliver is an open-source alternative gaining popularity. Its Go-based implants have distinct characteristics.
YARA Rule: Sliver Implant
yara
rule Sliver_Implant_Detection
{
meta:
description = "Detects Sliver C2 implant artifacts"
author = "isMalicious Threat Research"
date = "2026-02"
reference = "https://ismalicious.com/playbooks/detecting-c2-beacons-yara"
severity = "high"
strings:
$go_build = "go.buildid"
$sliver_pkg1 = "github.com/bishopfox/sliver"
$sliver_pkg2 = "sliverpb"
$protobuf_msg = "SliverHTTPC2" ascii wide
$mtls_pattern = "StartMTLSListener"
$wg_pattern = "StartWGListener"
$pivot_str = "PivotListener"
condition:
uint16(0) == 0x5A4D and
$go_build and
(
any of ($sliver_pkg*) or
($protobuf_msg) or
2 of ($mtls_pattern, $wg_pattern, $pivot_str)
)
}
Step 4: Metasploit Meterpreter Detection
Meterpreter payloads, while older, remain extremely common in both red team operations and real attacks.
YARA Rule: Meterpreter Stager
yara
rule Metasploit_Meterpreter_Stager
{
meta:
description = "Detects Metasploit Meterpreter stager payloads"
author = "isMalicious Threat Research"
date = "2026-02"
reference = "https://ismalicious.com/playbooks/detecting-c2-beacons-yara"
severity = "high"
strings:
$api_hash_ror13 = { 60 89 E5 31 D2 64 8B 52 30 }
$reverse_tcp = { 68 ?? ?? ?? ?? 68 02 00 ?? ?? 89 E6 }
$ws2_32 = "ws2_32" ascii nocase
$metsrv_dll = "metsrv.dll" ascii
$ext_server = "ext_server_" ascii
$stage_pattern = { FC E8 82 00 00 00 60 89 E5 }
condition:
filesize < 500KB and
(
($api_hash_ror13 and $reverse_tcp) or
($ws2_32 and $metsrv_dll) or
($stage_pattern and any of ($ws2_32, $ext_server)) or
($metsrv_dll and $ext_server)
)
}
Step 5: Testing Your Rules
Never deploy untested rules. Here's how to validate them.
Download Test Samples
bash
# Download known Cobalt Strike sample from MalwareBazaar (SHA256 hash)
curl -o cs_sample.zip \
"https://mb-api.abuse.ch/api/v1/" \
-d "query=get_file&sha256_hash=YOUR_SAMPLE_HASH"
# Unzip (password: infected)
unzip -P infected cs_sample.zip
Run YARA Against Samples
bash
# Test a single rule against a sample
yara -s cobalt_strike.yar ./samples/
# Test all rules in a directory
yara -r ./rules/ ./samples/
# Output matching strings for debugging
yara -s -p 4 ./rules/c2_detection.yar ./samples/
Validate False Positive Rate
bash
# Run against a clean software directory to check for false positives
yara -r ./rules/c2_detection.yar /usr/bin/
yara -r ./rules/c2_detection.yar "C:\\Windows\\System32\\"
# If any matches appear on clean files, tighten your conditions
Step 6: SIEM Integration
Splunk (with YARA TA)
ini
# inputs.conf — configure YARA scanning
[monitor:///var/log/yara_alerts]
sourcetype = yara:alert
index = threat_intel
# savedsearch.conf — alert on C2 detections
[C2 Beacon Detected]
search = index=threat_intel sourcetype=yara:alert rule_name IN ("CobaltStrike_Beacon*", "Sliver_Implant*", "Metasploit_Meterpreter*")
alert.severity = 5
action.email = 1
Elastic (with YARA module)
yaml
# filebeat.yml — ingest YARA alerts
filebeat.inputs:
- type: log
paths:
- /var/log/yara/*.json
json.keys_under_root: true
json.add_error_key: true
fields:
event.category: malware
event.kind: alert
Wazuh
xml
<!-- local_rules.xml — custom YARA detection rule -->
<group name="yara,">
<rule id="108000" level="12">
<decoded_as>json</decoded_as>
<field name="rule_name">CobaltStrike|Sliver|Metasploit</field>
<description>C2 beacon detected by YARA: $(rule_name)</description>
<group>malware,c2,</group>
</rule>
</group>
Step 7: Enrich Detections with isMalicious
When your YARA rules fire, enrich the alert with threat intelligence to prioritize response.
python
import base64
import requests
API_KEY = "your_api_key_here"
API_SECRET = "your_api_secret_here"
BASE_URL = "https://api.ismalicious.com"
HDR = {"X-API-KEY": base64.b64encode(f"{API_KEY}:{API_SECRET}".encode()).decode()}
def enrich_c2_indicator(indicator: str) -> dict:
"""Check a domain or IP flagged by YARA against isMalicious."""
response = requests.get(
f"{BASE_URL}/check",
params={"query": indicator},
headers=HDR,
)
data = response.json()
return {
"indicator": indicator,
"malicious": data.get("malicious", False),
"risk_score": data.get("riskScore", {}).get("score"),
"threat_categories": data.get("classification", {}).get("primary"),
"sources_count": len(data.get("sources", [])),
"mitre_techniques": [
t["id"] for t in data.get("mitre", {}).get("techniques", [])
],
}
# Example: enrich a C2 domain found during investigation
result = enrich_c2_indicator("suspicious-c2-domain.example.com")
print(result)
json
{
"indicator": "suspicious-c2-domain.example.com",
"malicious": true,
"risk_score": 92,
"threat_categories": "c2",
"sources_count": 7,
"mitre_techniques": ["T1071.001", "T1573.002"]
}
Verification Checklist
Before considering this playbook complete, verify:
- [ ] All 3 YARA rules compile without errors (
yara -C rule.yar) - [ ] Rules detect known C2 samples (at least 1 true positive each)
- [ ] Rules produce zero false positives against clean system binaries
- [ ] SIEM integration is receiving and indexing YARA alerts
- [ ] Enrichment script returns valid threat intelligence data
- [ ] Alert escalation workflow is documented for your SOC team
Next Steps
- Tune beacon intervals — Add network-level detection for periodic callback patterns
- Expand coverage — Write rules for Brute Ratel, Havoc, and Mythic C2 frameworks
- Automate enrichment — Use the isMalicious Bulk API to check all extracted IOCs at once
- Share with the community — Submit your rules to the YARA-Rules repository