I updated my Cobalt Strike beacon analysis tool 1768.py to deal with false positives in Windows system memory dumps.
When my tool is given a process memory dump or a full system memory dump, it searches for the header of a beacon configuration.
In full memory dumps, this often produces false positives. I have now introduced a sanity check (option -S) to hide these false positives.
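To illustrate why a header search alone is noisy and what a sanity check adds, here is an added example (not code from 1768.py or from the diary): it scans a buffer for the XOR-encoded beacon configuration header, decodes each candidate, walks the records and keeps only candidates whose record structure is consistent. The record layout (2-byte index, type and length, big-endian; type 1 = 16-bit, type 2 = 32-bit, type 3 = bytes), the single-byte XOR keys 0x69 and 0x2E, and the known BeaconType values are public facts about Cobalt Strike configs; the sanity criteria, the 4096-byte decode window and the sample dump are my own assumptions and constructions, not the exact logic behind option -S.

```python
import re
import struct

# A decoded Cobalt Strike beacon configuration is a sequence of records:
# 2-byte index, 2-byte type, 2-byte length (all big-endian), then the value.
# Type 1 is a 16-bit integer (length 2), type 2 a 32-bit integer (length 4),
# type 3 a byte string. Index 1 is BeaconType, a type-1 record, so every
# decoded config begins with 00 01 00 01 00 02. In memory the block is
# XOR-encoded with a single byte: 0x69 for Cobalt Strike 3.x, 0x2E for 4.x.
CONFIG_HEADER = b"\x00\x01\x00\x01\x00\x02"
XOR_KEYS = (0x69, 0x2E)
TYPE_LENGTHS = {1: 2, 2: 4}
MAX_CONFIG_SIZE = 4096              # assumption: bytes decoded per candidate
BEACON_TYPES = {0, 1, 2, 4, 8, 16}  # HTTP, hybrid HTTP/DNS, SMB, TCP, HTTPS, bind TCP


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_header_candidates(dump: bytes):
    """Yield (offset, key) for every XOR-encoded config header in the dump.
    This is the cheap six-byte search that fires on random data in big dumps."""
    for key in XOR_KEYS:
        for m in re.finditer(re.escape(xor(CONFIG_HEADER, key)), dump):
            yield m.start(), key


def parse_config(decoded: bytes, max_records: int = 64):
    """Walk the records at offset 0 of a decoded block.
    Returns a list of (index, type, value), or None if the structure breaks."""
    records, seen, pos = [], set(), 0
    while pos + 6 <= len(decoded) and len(records) < max_records:
        index, rtype, length = struct.unpack(">HHH", decoded[pos:pos + 6])
        if index == 0:            # zero padding after the last record
            break
        if rtype not in (1, 2, 3) or index in seen:
            return None
        if rtype in TYPE_LENGTHS and length != TYPE_LENGTHS[rtype]:
            return None
        value = decoded[pos + 6:pos + 6 + length]
        if len(value) != length:  # record runs past the end of the block
            return None
        seen.add(index)
        records.append((index, rtype, value))
        pos += 6 + length
    return records


def passes_sanity(records) -> bool:
    """Hypothetical sanity check (not the exact -S logic of 1768.py):
    several consistent records and a plausible BeaconType value."""
    if records is None or len(records) < 3:
        return False
    index, rtype, value = records[0]
    return index == 1 and rtype == 1 and struct.unpack(">H", value)[0] in BEACON_TYPES


def scan(dump: bytes, sanity_check: bool = False):
    """One dict per candidate; with sanity_check=True, candidates that only
    match the six header bytes are dropped."""
    hits = []
    for offset, key in find_header_candidates(dump):
        records = parse_config(xor(dump[offset:offset + MAX_CONFIG_SIZE], key))
        sane = passes_sanity(records)
        if sanity_check and not sane:
            continue
        hits.append({"offset": offset, "key": key, "records": records, "sane": sane})
    return hits


def build_record(index: int, rtype: int, value: bytes) -> bytes:
    return struct.pack(">HHH", index, rtype, len(value)) + value


# Constructed sample dump: a 4.x-style config (HTTPS beacon, port 443,
# 60 s sleep, C2 host) followed by a chunk that merely contains the
# encoded six-byte header and then junk, i.e. a false positive.
_REAL_CONFIG = (build_record(1, 1, b"\x00\x08")
                + build_record(2, 1, struct.pack(">H", 443))
                + build_record(3, 2, struct.pack(">I", 60000))
                + build_record(8, 3, b"example.invalid,/path\x00"))
_FALSE_POSITIVE = CONFIG_HEADER + b"\x00\x08" + b"\xff" * 10
SAMPLE_DUMP = (b"A" * 100
               + xor(_REAL_CONFIG.ljust(64, b"\x00"), 0x2E)
               + b"\x00" * 50
               + xor(_FALSE_POSITIVE, 0x2E)
               + b"B" * 20)

if __name__ == "__main__":
    for sanity in (False, True):
        hits = scan(SAMPLE_DUMP, sanity_check=sanity)
        print(f"sanity_check={sanity}: {len(hits)} hit(s)")
        for h in hits:
            n = len(h["records"]) if h["records"] else 0
            print(f"  offset 0x{h['offset']:x} key 0x{h['key']:02x} records={n} sane={h['sane']}")
```

Without the check both candidates are reported, because six bytes is too short a signature for a multi-gigabyte dump; with it, only the block whose records decode consistently survives. Against a real dump, point the script at the file contents instead of SAMPLE_DUMP.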
Here is a short how-to video.
Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Photo credit: "Diagram for False Positives and False Negatives and True Negatives and False Negatives" (created in PowerPoint), 2 August 2022, own work by Qwertyxp2000.
Licensing: I, the copyright holder of this work, hereby publish it under the following license: w:en:Creative Commons