Hunting off the Red Banner

APT24's Evolution:
From Watering Holes to Multi-Vector BADAUDIO Campaign


A three-year cyber espionage campaign demonstrates how sophisticated threat actors adapt their tradecraft when initial methods lose effectiveness. APT24, a People's Republic of China-aligned threat group, systematically evolved from broad strategic web compromises to highly targeted supply chain attacks and precision phishing campaigns, all designed to deploy BADAUDIO. This heavily obfuscated first-stage downloader establishes persistent network access.


Consider a burglar who initially tries every door on the street but gradually learns which houses have the most valuable contents and the weakest security. APT24's evolution mirrors this calculated refinement; what began as opportunistic watering-hole attacks affecting over 20 websites has evolved into the repeated compromise of a single digital marketing firm serving more than 1,000 client websites. This shift represents a fundamental change in adversary strategy: trading breadth for depth, visibility for stealth, and random targeting for surgical precision.


Organizations face significant exposure from this adaptive threat, particularly those in Taiwan and sectors of strategic interest to PRC intelligence priorities. The financial impact extends beyond immediate incident response costs to include potential intellectual property theft, competitive disadvantage from stolen strategic plans, regulatory scrutiny following data breaches, and reputational damage from serving as an unwitting distribution point for malware. The supply chain compromise vector is particularly concerning because it weaponizes trust relationships; clients downloading files from their marketing vendor expect safety, making detection extraordinarily challenging. APT24's demonstrated persistence through multiple recompromises of the same target suggests determination to maintain access regardless of defensive efforts, indicating that affected organizations should anticipate sustained targeting requiring continuous vigilance rather than one-time remediation.


Hunting Controls & Observations

Defensive teams should pivot from endpoint-centric detection to multi-layered behavioral analysis that spans web traffic, identity, and application telemetry:

  • Endpoint (EDR/AV): Monitor for DLL sideloading patterns where legitimate executables in unusual directories load unsigned or recently created DLL files, particularly when accompanied by VBS, BAT, or LNK files that automate persistence mechanisms.
  • Identity/IAM: Track for anomalous account behaviors following website visits or email interactions, especially authentication attempts from new geographic locations or devices shortly after user engagement with potentially compromised web properties.
  • Email Security & Proxy Logs: Examine email attachments referencing cloud storage platforms like Google Drive and OneDrive that contain encrypted archives, and correlate these with embedded pixel tracking links that confirm email opens and validate target engagement.
  • Firewall / NetFlow: Identify outbound connections to Cloudflare Workers domains or newly registered infrastructure immediately following browser-based reconnaissance activities, particularly connections transmitting Base64-encoded data in HTTP cookie headers.
  • Cloud Audit Logs: Review for unauthorized file sharing from corporate cloud storage accounts that may indicate compromised credentials being used to distribute malicious archives to external recipients.
  • Operating System Logs: Detect process creation events (Windows Event ID 4688) showing legitimate executables launching from user profile directories rather than standard program locations, especially when parent processes are scripting engines or Windows utilities.
  • Web Application Logs: Analyze for JavaScript injection patterns in third-party marketing or analytics scripts, particularly modifications that load FingerprintJS libraries or initiate secondary script downloads from external domains.

Behavioral Indicators of Attack

Behavioral indicators of the BADAUDIO campaign reveal sophisticated operational security designed to evade traditional signature-based detection:

  • Legitimate executables appearing in non-standard directories like user profile folders, accompanied by similarly named DLL files that suggest deliberate search order hijacking attempts.
  • Browser fingerprinting activities that exclude macOS, iOS, Android, and Microsoft browser variants, indicating selective targeting focused exclusively on Windows environments likely to harbor high-value intelligence.
  • HTTP requests containing encrypted system information embedded in cookie parameters, providing covert beaconing mechanisms that blend with legitimate web traffic patterns.
  • Dynamic loading of external JavaScript libraries from public CDNs immediately before suspicious network connections, suggesting multi-stage payload delivery triggered by victim profiling.
  • Registry modifications establishing persistence through legitimate executable startup entries, allowing malware to survive system reboots without obvious malicious indicators.
  • Process injection into memory spaces following AES decryption of network-delivered payloads, avoiding file-based artifacts that traditional antivirus products detect.
  • Repeated modifications to the same third-party JavaScript files hosted by marketing vendors, indicating persistent adversary access to supply chain infrastructure despite remediation efforts.

MITRE Enterprise ATT&CK Tactics and Techniques

The BADAUDIO campaign methodology aligns with multiple tactics across the MITRE ATT&CK Enterprise Matrix, demonstrating sophisticated tradecraft spanning initial compromise through command and control:

  • Initial Access (T1189 – Drive-by Compromise): Adversaries compromised legitimate websites to deliver malware to visitors through strategic web compromises, targeting users based on browser fingerprinting and environmental profiling.
  • Initial Access (T1566 – Phishing): Campaigns leveraged social engineering emails purporting to originate from trusted sources like animal rescue organizations, with attachments hosted on legitimate cloud storage platforms to enhance credibility.
  • Execution (T1059.007 – JavaScript): Malicious JavaScript injected into compromised websites dynamically loaded dependencies and executed multi-stage infection chains triggered by victim profiling logic.
  • Persistence (T1547.001 – Registry Run Keys / Startup Folder): BADAUDIO established persistence by creating registry entries for legitimate executables in user startup locations, ensuring malware execution following system reboots.
  • Defense Evasion (T1574.001 – DLL Search Order Hijacking): The malware exploited Windows DLL search mechanisms by placing malicious libraries alongside legitimate executables, causing trusted programs to load adversary code.
  • Defense Evasion (T1027 – Obfuscated Files or Information): Control flow flattening and multi-layer obfuscation techniques systematically dismantled the program's natural logic, significantly impeding reverse engineering efforts.
  • Discovery (T1082 – System Information Discovery): BADAUDIO collected hostname, username, and system architecture details to profile compromised systems and enable adversary decision-making about subsequent exploitation.
  • Command and Control (T1071.001 – Web Protocols): The malware communicated with Cloudflare Workers infrastructure using standard HTTP requests containing encrypted system information in cookie headers, blending with normal web traffic.
  • Command and Control (T1573 – Encrypted Channel): All payloads and command traffic utilized AES encryption with hard-coded keys, preventing network-based content inspection from revealing malicious communications.
  • Exfiltration (T1041 – Exfiltration Over C2 Channel): Reconnaissance data including browser fingerprints and environmental details was transmitted via Base64-encoded POST requests to attacker infrastructure for victim profiling.

Controls' Observables

Organizations can observe APT24's BADAUDIO tactics across multiple security architecture layers, from endpoint telemetry through cloud infrastructure monitoring. The following breakdown identifies specific log sources and visibility requirements necessary for effective threat hunting:

Endpoint Controls

  • EDR platforms should capture process creation events showing legitimate executables launching from unusual directories, particularly user profile paths where DLL sideloading frequently occurs.
  • File integrity monitoring should detect newly created DLL files appearing alongside legitimate executables, especially when file creation timestamps cluster with VBS, BAT, or LNK files.
  • Registry auditing should track modifications to Run keys and Startup folders where persistence mechanisms establish automatic malware execution following system reboots.
  • PowerShell and script execution logging should capture automation activities that place BADAUDIO components and configure persistence, revealing the attack's installation chain.
  • Memory scanning capabilities should identify process injection activities and in-memory payload execution that avoid file-based artifacts detectable by traditional antivirus.

Network Controls

  • Web proxy logs should reveal connections to Cloudflare Workers domains and typosquatting infrastructure immediately following website visits, indicating post-compromise callback attempts.
  • DNS query logs should capture requests for newly registered domains or suspicious subdomains that serve as BADAUDIO command and control infrastructure.
  • SSL/TLS inspection should examine encrypted traffic for Base64-encoded data in HTTP headers and cookie parameters that conceal system reconnaissance information.
  • NetFlow data should identify unusual external connections originating from user workstations to uncommon geographic regions or autonomous systems not typical for business operations.
  • Firewall logs should track outbound connections to newly registered domains or Cloudflare Workers subdomains that APT24 frequently rotates to evade blocklists.

Identity & Access Controls

  • Windows Security Event ID 4688 should reveal process creation for legitimate executables in non-standard locations, particularly when parent processes are scripting engines or Windows utilities.
  • Windows Security Event ID 4624 should show logon events from new devices or geographic locations shortly after users interact with potentially compromised websites or emails.
  • Windows Security Event ID 4657 should detect registry modifications to persistence locations, revealing automated configuration of startup entries for malicious purposes.
  • Active Directory audit logs should track authentication patterns that suggest credential misuse following initial compromise, particularly privilege escalation attempts or lateral movement.
  • Identity provider logs should reveal unusual access patterns to cloud storage accounts that may indicate compromised credentials distributing malicious files to external recipients.

Cloud & SaaS

  • Google Drive and OneDrive audit logs should track file sharing activities where encrypted archives are distributed to external recipients, potentially weaponizing trusted cloud platforms.
  • Email security logs should identify messages containing pixel tracking links and cloud storage attachments that combine social engineering with delivery infrastructure.
  • Cloud provider activity logs should detect unauthorized modifications to web applications or content management systems that enable JavaScript injection attacks.
  • Content delivery network logs should reveal unexpected modifications to JavaScript libraries or the introduction of typosquatting domains serving malicious scripts.

Application & Service Logs

  • Web server access logs should capture JavaScript injection patterns in third-party marketing scripts, particularly modifications loading FingerprintJS libraries or initiating secondary downloads.
  • Content management system audit logs should reveal unauthorized changes to website code, especially injection of external script references into headers or footers.
  • Marketing platform logs should detect modifications to widely used JavaScript libraries that supply chain attacks leverage to impact thousands of downstream websites simultaneously.
  • Application performance monitoring should identify unexpected changes to JavaScript file sizes or content hashes that indicate adversary modifications to legitimate vendor scripts.

Insights and Recommendation

Organizations that fail to address APT24's multi-vector approach face protracted network compromise, intellectual property exfiltration, and potential regulatory consequences from data breaches. The supply chain compromise vector is particularly concerning because it weaponizes trust relationships between vendors and clients, making detection extraordinarily difficult and enabling adversary persistence through repeated recompromises despite remediation efforts. Taiwan-based organizations and sectors aligned with PRC strategic intelligence priorities face heightened risk given APT24's demonstrated targeting patterns.


Security teams should implement multi-layered behavioral detection that spans endpoint, network, and identity telemetry rather than relying on signature-based approaches easily evaded through obfuscation. Priority actions include establishing baseline monitoring for DLL sideloading patterns, implementing content integrity verification for third-party JavaScript dependencies, and correlating web traffic with subsequent authentication anomalies that suggest post-compromise activity. Organizations heavily dependent on third-party marketing or analytics platforms should conduct vendor security assessments focusing on code integrity protections and incident response capabilities, given APT24's demonstrated ability to maintain persistent access to supply chain infrastructure.


Source and Credits

This summary is based on public information provided from Google Threat Intelligence Group's research article "Beyond the Watering Hole: APT24's Pivot to Multi-Vector Attacks" published in 2025. The analysis includes threat hunting guidance developed from the technical indicators and tactics described in the original research.


Threat Hunting IOCs & Queries

This section contains known Indicators of Compromise (IOCs) along with Microsoft Log Analytics (KQL) and Splunk queries associated with the APT24 BADAUDIO campaign. These detection mechanisms translate the behavioral indicators into actionable threat hunting logic, though analysts should validate queries in their specific environments and tune thresholds based on baseline activity patterns.


Known Indicators of Compromise

The following IOCs have been identified from the intelligence to be used for threat hunting:

  • File Hashes (SHA256):
    9ce49c07c6de455d37ac86d0460a8ad2544dc15fb5c2907ed61569b69eefd182
    d23ca261291e4bad67859b5d4ee295a3e1ac995b398ccd4c06d2f96340b4b5f8
    cfade5d162a3d94e4cba1e7696636499756649b571f3285dd79dea1f5311adcd
    f086c65954f911e70261c729be2cdfa2a86e39c939edee23983090198f06503c
    f1e9d57e0433e074c47ee09c5697f93fde7ff50df27317c657f399feac63373a
    176407b1e885496e62e1e761bbbb1686e8c805410e7aec4ee03c95a0c4e9876f
    c7565ed061e5e8b2f8aca67d93b994a74465e6b9b01936ecbf64c09ac6ee38b9
    83fb652af10df4574fa536700fa00ed567637b66f189d0bbdb911bd2634b4f0e
  • Domains:
    www.availableextens[.]com
    www.twisinbeth[.]com
    www.decathlonm[.]com
    www.gerikinage[.]com
    www.p9-car[.]com
    www.growhth[.]com
    www.brighyt[.]com
    taiwantradoshows[.]com
    jsdelivrs[.]com
    www.cundis[.]com
    tradostw[.]com
    jarzoda[.]net
    trcloudflare[.]com
  • Cloudflare Workers Subdomains:
    clients.brendns.workers[.]dev
    wispy.geneva.workers[.]dev
    roller.johallow.workers[.]dev
  • Cobalt Strike Beacon Watermark:
    BeudtKgqnlm0Ruvf+VYxuw==

Log Analytics and Splunk Queries

The following queries translate behavioral indicators into actionable detection logic created with AI assistance. Analysts should validate these queries in their environments and adjust thresholds based on baseline activity. These queries may contain errors or require environment-specific tuning to reduce false positives while maintaining detection efficacy.

Query 1: DLL Sideloading from User Directories

  • Behavior Targeted: Legitimate executables launching from unusual directories with suspicious DLL files
  • MITRE ATT&CK: T1574.001 (DLL Search Order Hijacking)
  • Expected Results: Process creation events where legitimate signed executables run from user profile directories and load unsigned or recently created DLL files
  • False Positive Likelihood: Medium – Some legitimate portable applications operate from user directories, requiring baseline analysis

Splunk (SPL)


// Hunt for DLL sideloading patterns in user directories
// Tune: Adjust time range and add known legitimate portable apps to exclusions
index=endpoint sourcetype="WinEventLog:Security" EventCode=4688
| rex field=New_Process_Name "(?i)(?C:\\\\Users\\\\[^\\\\]+\\\\(AppData|Desktop|Downloads|Documents))"
| where isnotnull(user_dir)
| rex field=New_Process_Name "(?[^\\\\]+)$"
| eval is_system_binary=if(match(process_name, "(?i)(rundll32|regsvr32|svchost|dllhost)\.exe"), 1, 0)
| where is_system_binary=1
| stats count min(_time) as firstTime max(_time) as lastTime by Computer, New_Process_Name, Creator_Process_Name, Account_Name
| convert ctime(firstTime) ctime(lastTime)
| where count < 5
| table Computer, Account_Name, New_Process_Name, Creator_Process_Name, count, firstTime, lastTime

Microsoft Defender/Sentinel (KQL)


// Hunt for DLL sideloading patterns in user directories
// Data Tables: DeviceProcessEvents, DeviceFileEvents
// Tune: Adjust lookback period and add organizational exceptions
let timeframe = 7d;
let user_dirs = dynamic([@"\Users\", @"\AppData\", @"\Desktop\", @"\Downloads\", @"\Documents\"]);
DeviceProcessEvents
| where Timestamp > ago(timeframe)
| where FolderPath has_any (user_dirs)
| where ProcessCommandLine has_any ("rundll32", "regsvr32", "svchost", "dllhost")
| extend ProcessName = tostring(split(FolderPath, @"\")[-1])
| join kind=inner (
    DeviceFileEvents
    | where Timestamp > ago(timeframe)
    | where FileName endswith ".dll"
    | where FolderPath has_any (user_dirs)
    | where ActionType == "FileCreated"
    | where Timestamp > ago(1h)
) on DeviceName
| summarize ProcessCount=count(), 
            FirstSeen=min(Timestamp), 
            LastSeen=max(Timestamp),
            DLLFiles=make_set(FileName)
    by DeviceName, AccountName, FolderPath, ProcessCommandLine, InitiatingProcessFileName
| where ProcessCount <= 5
| project DeviceName, AccountName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, DLLFiles, ProcessCount, FirstSeen, LastSeen

Query 2: Suspicious Cloudflare Workers Communication

  • Behavior Targeted: Outbound connections to Cloudflare Workers subdomains with encoded data in HTTP headers
  • MITRE ATT&CK: T1071.001 (Web Protocols)
  • Expected Results: Network connections to workers.dev domains containing Base64-encoded cookie values or suspicious user agents
  • False Positive Likelihood: Low – Legitimate use of Cloudflare Workers is uncommon in most enterprise environments

Splunk (SPL)


// Detect suspicious connections to Cloudflare Workers infrastructure
// Tune: Add legitimate workers.dev domains used by organization to exclusions
index=proxy OR index=firewall
| where (dest_domain="*.workers.dev" OR url="*workers.dev*")
| rex field=cookie "(?[A-Za-z0-9+/]{20,}={0,2})"
| where isnotnull(encoded_cookie)
| eval cookie_length = len(encoded_cookie)
| where cookie_length > 50
| stats count min(_time) as firstTime max(_time) as lastTime values(url) as urls values(src_ip) as source_ips by dest_domain, user
| convert ctime(firstTime) ctime(lastTime)
| where count < 10
| table dest_domain, user, source_ips, urls, count, firstTime, lastTime

Microsoft Defender/Sentinel (KQL)


// Detect suspicious connections to Cloudflare Workers infrastructure
// Data Tables: DeviceNetworkEvents, DeviceEvents
// Tune: Add organizational legitimate workers.dev usage to exclusion list
let timeframe = 7d;
let suspicious_workers = dynamic(["brendns.workers.dev", "geneva.workers.dev", "johallow.workers.dev"]);
DeviceNetworkEvents
| where Timestamp > ago(timeframe)
| where RemoteUrl has "workers.dev" or RemoteUrl has_any (suspicious_workers)
| extend Domain = tostring(parse_url(RemoteUrl).Host)
| extend EncodedData = extract(@"[A-Za-z0-9+/]{30,}={0,2}", 0, AdditionalFields)
| where isnotnull(EncodedData)
| summarize ConnectionCount=count(),
            FirstSeen=min(Timestamp),
            LastSeen=max(Timestamp),
            URLs=make_set(RemoteUrl, 10),
            LocalIPs=make_set(LocalIP)
    by DeviceName, InitiatingProcessFileName, Domain, RemoteIP
| where ConnectionCount <= 10
| project DeviceName, InitiatingProcessFileName, Domain, RemoteIP, URLs, ConnectionCount, FirstSeen, LastSeen

Query 3: JavaScript Fingerprinting Library Loading

  • Behavior Targeted: Dynamic loading of FingerprintJS libraries followed by suspicious external script requests
  • MITRE ATT&CK: T1059.007 (JavaScript)
  • Expected Results: Web proxy logs showing FingerprintJS downloads followed by connections to typosquatting or newly registered domains
  • False Positive Likelihood: Medium – Some legitimate websites use fingerprinting for fraud prevention, requiring correlation with subsequent suspicious activity

Splunk (SPL)


// Detect fingerprinting library loading followed by suspicious connections
// Tune: Adjust time window between fingerprinting and suspicious connection based on your environment
index=proxy
| eval fingerprint_event = if(match(url, "(?i)fingerprintjs|fingerprint2"), 1, 0)
| eval suspicious_domain = if(match(dest_domain, "(?i)(twisinbeth|availableextens|decathlonm|gerikinage|growhth|brighyt|jsdelivrs)"), 1, 0)
| streamstats time_window=5m count(eval(fingerprint_event=1)) as fp_count by src_ip
| where suspicious_domain=1 AND fp_count > 0
| stats min(_time) as firstTime max(_time) as lastTime values(url) as urls by src_ip, user, dest_domain
| convert ctime(firstTime) ctime(lastTime)
| table src_ip, user, dest_domain, urls, firstTime, lastTime

Microsoft Defender/Sentinel (KQL)


// Detect fingerprinting library loading followed by suspicious connections
// Data Tables: DeviceNetworkEvents
// Tune: Adjust time correlation window and add known legitimate fingerprinting usage
let timeframe = 7d;
let correlation_window = 5m;
let suspicious_domains = dynamic(["twisinbeth.com", "availableextens.com", "decathlonm.com", 
                                   "gerikinage.com", "growhth.com", "brighyt.com", "jsdelivrs.com"]);
let fingerprint_events = 
    DeviceNetworkEvents
    | where Timestamp > ago(timeframe)
    | where RemoteUrl has "fingerprintjs" or RemoteUrl has "fingerprint2"
    | project DeviceName, FingerprintTime=Timestamp, LocalIP, InitiatingProcessFileName;
DeviceNetworkEvents
| where Timestamp > ago(timeframe)
| extend Domain = tostring(parse_url(RemoteUrl).Host)
| where Domain has_any (suspicious_domains)
| join kind=inner (fingerprint_events) on DeviceName, LocalIP
| where Timestamp between ((FingerprintTime) .. (FingerprintTime + correlation_window))
| summarize SuspiciousConnections=count(),
            FirstConnection=min(Timestamp),
            LastConnection=max(Timestamp),
            SuspiciousDomains=make_set(Domain),
            URLs=make_set(RemoteUrl, 10)
    by DeviceName, InitiatingProcessFileName, LocalIP
| project DeviceName, InitiatingProcessFileName, SuspiciousDomains, URLs, SuspiciousConnections, FirstConnection, LastConnection

Query 4: Registry Persistence in User Startup Locations

  • Behavior Targeted: Registry modifications establishing persistence through legitimate executable startup entries
  • MITRE ATT&CK: T1547.001 (Registry Run Keys / Startup Folder)
  • Expected Results: Registry changes adding executables from user directories to Run keys or Startup folders
  • False Positive Likelihood: Medium – Legitimate software installations may create startup entries, requiring validation of executable location and signing status

Splunk (SPL)


// Hunt for suspicious registry persistence mechanisms
// Tune: Add legitimate applications that create user-level startup entries to exclusions
index=endpoint sourcetype="WinEventLog:Security" EventCode=4657
| where (Object_Name="*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run*" OR 
         Object_Name="*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce*")
| rex field=Object_Value_Name "(?C:\\\\Users\\\\[^\"]+\.exe)"
| where isnotnull(exe_path)
| stats count min(_time) as firstTime max(_time) as lastTime by Computer, Account_Name, Object_Name, Object_Value_Name, Process_Name
| convert ctime(firstTime) ctime(lastTime)
| where count <= 3
| table Computer, Account_Name, Object_Name, Object_Value_Name, Process_Name, count, firstTime, lastTime

Microsoft Defender/Sentinel (KQL)


// Hunt for suspicious registry persistence mechanisms
// Data Tables: DeviceRegistryEvents, DeviceProcessEvents
// Tune: Adjust lookback and add organizational legitimate startup applications
let timeframe = 7d;
let user_paths = dynamic([@"\Users\", @"\AppData\", @"\Temp\"]);
DeviceRegistryEvents
| where Timestamp > ago(timeframe)
| where RegistryKey has_any ("Run", "RunOnce")
| where RegistryValueData has_any (user_paths)
| extend ExecutablePath = tostring(extract(@"([C-Z]:\\[^\"]+\.exe)", 1, RegistryValueData))
| where isnotnull(ExecutablePath)
| join kind=leftouter (
    DeviceProcessEvents
    | where Timestamp > ago(timeframe)
    | summarize ProcessExecution=count() by FolderPath
) on $left.ExecutablePath == $right.FolderPath
| summarize RegistryChanges=count(),
            FirstModification=min(Timestamp),
            LastModification=max(Timestamp),
            ExecutionCount=sum(ProcessExecution)
    by DeviceName, InitiatingProcessFileName, RegistryKey, RegistryValueName, ExecutablePath
| where RegistryChanges <= 3
| project DeviceName, InitiatingProcessFileName, RegistryKey, RegistryValueName, ExecutablePath, ExecutionCount, FirstModification, LastModification

Query 5: Cobalt Strike Beacon Detection via Watermark

  • Behavior Targeted: Network traffic or memory artifacts containing the specific Cobalt Strike Beacon watermark associated with APT24
  • MITRE ATT&CK: T1071.001 (Web Protocols), T1573 (Encrypted Channel)
  • Expected Results: Process memory or network payloads containing the unique watermark hash indicating Cobalt Strike deployment
  • False Positive Likelihood: Very Low – This specific watermark is strongly associated with APT24 operations

Splunk (SPL)


// Detect Cobalt Strike Beacon watermark in network or memory artifacts
// Tune: This query requires EDR with memory scanning or deep packet inspection capabilities
index=endpoint OR index=network
| eval beacon_watermark = if(match(_raw, "BeudtKgqnlm0Ruvf\+VYxuw=="), 1, 0)
| where beacon_watermark=1
| stats count min(_time) as firstTime max(_time) as lastTime by host, source, sourcetype
| convert ctime(firstTime) ctime(lastTime)
| table host, source, sourcetype, count, firstTime, lastTime

Microsoft Defender/Sentinel (KQL)


// Detect Cobalt Strike Beacon watermark in process memory or network data
// Data Tables: DeviceEvents, DeviceNetworkEvents, AlertEvidence
// Tune: Requires EDR with memory scanning capabilities enabled
let timeframe = 30d;
let beacon_watermark = "BeudtKgqnlm0Ruvf+VYxuw==";
union 
    (DeviceEvents
    | where Timestamp > ago(timeframe)
    | where AdditionalFields has beacon_watermark),
    (DeviceNetworkEvents
    | where Timestamp > ago(timeframe)
    | where AdditionalFields has beacon_watermark),
    (AlertEvidence
    | where Timestamp > ago(timeframe)
    | where AdditionalFields has beacon_watermark)
| summarize DetectionCount=count(),
            FirstDetection=min(Timestamp),
            LastDetection=max(Timestamp),
            ActionTypes=make_set(ActionType),
            Processes=make_set(FileName)
    by DeviceName, AccountName
| project DeviceName, AccountName, DetectionCount, ActionTypes, Processes, FirstDetection, LastDetection