Analyzing Cobalt Strike Beacons, Servers and Traffic
10-18, 10:00–12:00 (Europe/Luxembourg), Hollenfels

In this 2 hour workshop, we will use new tools developed by Didier Stevens to deal with malicious Cobalt Strike beacons.

There used to be a time, that a blue teamer could say: "this sample I just analyzed is a Cobalt Strike beacon: I'm sure this is a pen test".
That is no longer the case: Cobalt Strike has become very popular with common criminals, and even some APT crews. Nowadays, if you encounter a Cobalt Strike sample, your organization is more likely to be under real attack than under simulated attack.

Didier has developed tools to extract the configuration of Cobalt Strike beacons, to detect Cobalt Strike beacons and to analyze/decrypt Cobalt Strike network traffic.

These tools allow you to deal with Cobalt Strike beacons, without having to reverse engineer malicious code.

Didier is Senior Analyst, working for NVISO.

Next to his professional activities, Didier is also a Microsoft MVP (2011-2016 awarded MVP Consumer Security, 2016-2023 awarded MVP Windows Insider) and a SANS Internet Storm Center Senior Handler. 

He is an expert in malicious documents (PDF and Microsoft Office), pioneering research into maldocs?and authoring free, open-source analysis tools and private red team tools.

This speaker also appears in: