Dealing With False Positives when Scanning Memory Dumps for Cobalt Strike Beacons
I updated my Cobalt Strike beacon analysis tool 1768.py to deal with false positives in memory dumps of Windows systems.
When my tool is given a process memory dump or a system's full memory dump, it will search for the header of a beacon configuration.
This often gives false positives in full memory dumps. I have now introduced a sanity check (option -S), to hide these false positives.
Here is a short howto video.
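To illustrate the two steps described above, here is an added example (my own code, not 1768.py's): it searches a buffer for the XOR-encoded start of a beacon configuration and then applies a plausibility check on the records that follow. The record layout and XOR keys are the documented Cobalt Strike config format; the specific sanity check (well-formed records, unique indices, a minimum record count) is an assumption of what such a check can look like, and the sample dump is constructed.

```python
import struct

# Cobalt Strike configs are sequences of big-endian records: index, kind (1=short, 2=int,
# 3=data), length, value; the block is XOR-encoded with one byte (0x69 in 3.x, 0x2E in 4.x).
XOR_KEYS = (0x69, 0x2E)
HEADER = bytes.fromhex("000100010002")  # first record: index 1 (BeaconType), kind short, length 2

def find_candidates(buf: bytes):
    """Yield (offset, key) wherever the encoded header occurs; on its own this yields false positives."""
    for key in XOR_KEYS:
        pattern = bytes(b ^ key for b in HEADER)
        pos = buf.find(pattern)
        while pos != -1:
            yield pos, key
            pos = buf.find(pattern, pos + 1)

def sanity_check(buf: bytes, offset: int, key: int, min_records: int = 8) -> bool:
    """Assumed check (not 1768.py's own): decode the records after the header and require a
    well-formed run of at least min_records before the zero terminator."""
    data = bytes(b ^ key for b in buf[offset:offset + 4096])
    pos, seen = 0, set()
    while pos + 6 <= len(data):
        index, kind, length = struct.unpack(">HHH", data[pos:pos + 6])
        if index == 0:
            break  # a zero index marks the end of the config (padding follows)
        if kind not in (1, 2, 3) or index in seen or index > 100:
            return False
        if (kind == 1 and length != 2) or (kind == 2 and length != 4):
            return False
        seen.add(index)
        pos += 6 + length
    return len(seen) >= min_records

def scan(buf: bytes, min_records: int = 8):
    """Header hits that survive the sanity check."""
    return [(off, key) for off, key in find_candidates(buf) if sanity_check(buf, off, key, min_records)]

def _record(index: int, kind: int, value) -> bytes:
    payload = {1: lambda v: struct.pack(">H", v), 2: lambda v: struct.pack(">I", v), 3: lambda v: v}[kind](value)
    return struct.pack(">HHH", index, kind, len(payload)) + payload

# Constructed sample "memory dump": a plausible config at offset 100 and, later, a bare header
# followed by filler bytes (the kind of false positive the sanity check is meant to hide).
_CONFIG = b"".join(_record(i, k, v) for i, k, v in [
    (1, 1, 0), (2, 1, 80), (3, 2, 60000), (4, 2, 1048576), (5, 1, 0),
    (6, 1, 0), (7, 3, b"\x00" * 16), (8, 3, b"example.test\x00"), (9, 1, 0),
]) + b"\x00" * 8
SAMPLE_DUMP = (b"\x00" * 100 + bytes(b ^ 0x69 for b in _CONFIG)
               + b"\xff" * 50 + bytes(b ^ 0x69 for b in HEADER) + b"\x41" * 40)

if __name__ == "__main__":
    print("raw header hits:", list(find_candidates(SAMPLE_DUMP)))
    print("after sanity check:", scan(SAMPLE_DUMP))
```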
Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com
Keywords: 1768 cobalt strike