Beacon

This detection identifies a DLL decoding and executing the PowGoop config.txt payload, indicating a stage in the MuddyWater infection chain where an obfuscated PowerShell beacon is unwrapped and live C2 communication starts.

This brief outlines detection strategies for default Cobalt Strike PowerShell beacons, which are used for command and control, by identifying specific function and variable names within PowerShell script block logs.