Cobalt Strike, a tool that supports red teams in attack simulation exercises, provides several techniques to execute attacks that compromise a target network, establish a beachhead in the network, and then move laterally to gain additional access to computers, accounts and, eventually, data. While Cobalt Strike was intended as a framework for testing network defenses, the power of the tool was not lost on malicious actors. Given its dual nature and wide adoption by both sides of the security battlefield, it is not surprising that Cobalt Strike-related detections account for a substantial portion of alerts in most networks. This presentation discusses how Cobalt Strike’s abused components (especially the Beacon) can be detected at the host and network levels.