2025-09-05, Workshops 1
In this workshop, we will use tools developed by Didier Stevens to analyze malicious Cobalt Strike beacons and to decrypt their command-and-control traffic.
There was a time when a blue teamer could say: "this sample I just analyzed is a Cobalt Strike beacon, so I'm sure this is a pentest".
That is no longer the case: Cobalt Strike has become very popular with common criminals, and even some APT crews. Nowadays, if you encounter a Cobalt Strike sample, your organization is more likely to be under real attack than under simulated attack.
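To give a concrete feel for the first half of that work (beacon analysis), here is an added example, written for this page and not one of the workshop's or Didier Stevens' own tools. Beacon configurations are stored as a TLV table (2-byte index, 2-byte type, 2-byte length, value) with every byte XORed against a single-byte key (0x69 for Beacon 3.x, 0x2E for 4.x). The table always begins with entry 1 (BeaconType, a 16-bit value, so type 1, length 2), which gives a fixed plaintext prefix to search for under each candidate key. The sample bytes below are constructed for the example, the hostname in them is hypothetical, and the field-name table is a small assumed subset of the real one.

```python
"""Locate and parse a Cobalt Strike beacon configuration block (added example)."""
import struct

CANDIDATE_KEYS = (0x69, 0x2E)             # Beacon 3.x and 4.x XOR keys
CONFIG_MARKER = b"\x00\x01\x00\x01\x00\x02"  # index 1, type 1 (short), length 2

# Assumed subset of the real index -> name table; unknown indices are kept as field_N.
FIELD_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize",
               5: "Jitter", 8: "C2Server", 9: "UserAgent", 10: "HttpPostUri"}


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_config(blob: bytes):
    """Return (offset, key) of the encoded config table, or None if absent."""
    for key in CANDIDATE_KEYS:
        off = blob.find(xor_bytes(CONFIG_MARKER, key))
        if off != -1:
            return off, key
    return None


def parse_config(blob: bytes, offset: int, key: int) -> dict:
    """Strip the XOR layer and walk the TLV entries until the index-0 terminator."""
    data = xor_bytes(blob[offset:], key)
    fields, pos = {}, 0
    while pos + 6 <= len(data):
        idx, typ, length = struct.unpack(">HHH", data[pos:pos + 6])
        if idx == 0:
            break
        value = data[pos + 6:pos + 6 + length]
        if typ == 1:                      # 16-bit integer
            value = struct.unpack(">H", value)[0]
        elif typ == 2:                    # 32-bit integer
            value = struct.unpack(">I", value)[0]
        elif typ == 3:                    # NUL-padded string / raw bytes
            value = value.rstrip(b"\x00").decode("latin-1")
        fields[FIELD_NAMES.get(idx, f"field_{idx}")] = value
        pos += 6 + length
    return fields


def _entry(idx: int, typ: int, value) -> bytes:
    """Build one plaintext TLV entry (used only to construct the sample)."""
    raw = struct.pack(">H", value) if typ == 1 else \
          struct.pack(">I", value) if typ == 2 else value
    return struct.pack(">HHH", idx, typ, len(raw)) + raw


# Constructed sample: a 4.x-style config table wrapped in junk bytes. Not a real beacon.
_PLAIN = (_entry(1, 1, 8)                         # BeaconType 8 = HTTP
          + _entry(2, 1, 443)                     # Port
          + _entry(3, 2, 60000)                   # SleepTime in ms
          + _entry(8, 3, b"c2.example.test,/ca\x00")   # hypothetical C2 host
          + _entry(9, 3, b"Mozilla/5.0 (compatible)\x00")
          + b"\x00" * 6)                          # terminator entry
SAMPLE = b"MZ\x90\x00" + b"\xcc" * 32 + xor_bytes(_PLAIN, 0x2E) + b"\xcc" * 16


def extract(blob: bytes = SAMPLE) -> dict:
    """Find, decode and parse the config; empty dict when nothing is found."""
    hit = find_config(blob)
    if hit is None:
        return {}
    off, key = hit
    result = parse_config(blob, off, key)
    result["xor_key"] = key
    return result


if __name__ == "__main__":
    for name, value in extract().items():
        print(f"{name:12} {value!r}")
```

The single-byte XOR layer is only the last wrapper: packed or stageless loaders usually have to be unpacked or dumped from process memory before this marker search finds anything, which is one reason to do this kind of work inside a disposable VM.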
Attendees will have to bring a laptop with Python and Wireshark/Tshark.
They must be prepared to handle real malware, so a virtual machine in which to perform the analysis is recommended.
Windows, Linux and macOS are suitable.
Didier will perform the workshop inside a Windows VM.
Didier Stevens (SANS ISC Senior Handler) is a Senior Analyst at NVISO. He has developed and published more than 100 open-source tools, mostly for malware analysis, several of which are popular in the security community. His open-source security tools are available via his IT-security blog, https://blog.DidierStevens.com