Analyzing Cobalt Strike Beacons, Servers and Traffic
2025-09-05, Workshops

In this workshop, we will use tools developed by Didier Stevens to analyze malicious Cobalt Strike beacons and to decrypt their command-and-control traffic.

There used to be a time when a blue teamer could say: "this sample I just analyzed is a Cobalt Strike beacon, so I'm sure this is a pentest".
That is no longer the case: Cobalt Strike has become very popular with common criminals, and even with some APT crews. Nowadays, if you encounter a Cobalt Strike sample, your organization is more likely to be under real attack than under simulated attack.


Attendees will have to bring a laptop with Python and Wireshark/Tshark.
They must be prepared to handle real malware, so a virtual machine in which to perform the analysis is recommended.
Windows, Linux and macOS are suitable.
Didier will perform the workshop inside a Windows VM.

Didier Stevens (SANS ISC Senior Handler) is a Senior Analyst working at NVISO. Didier has developed and published more than 100 open-source tools, mostly for malware analysis, several of which are popular in the security community. You can find his open-source security tools on his IT-security blog: https://blog.DidierStevens.com