Dealing With False Positives when Scanning Memory Dumps for Cobalt Strike Beacons

Published: 2022-08-28. Last Updated: 2022-08-28 11:24:43 UTC
by Didier Stevens (Version: 1)
0 comment(s)

I updated my Cobalt Strike beacon analysis tool 1768.py to deal with false positives in Windows system's memory dumps.

When my tool is given a process memory dump or a system's full memory dump, it will search for the header of a beacon configuration.

This often gives false positives in full memory dumps. I have now introduced a sanity check (option -S), to hide these false positives.

Here is a short howto video.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

Keywords: 1768 cobalt strike
0 comment(s)

Comments


Diary Archives