Dealing With False Positives when Scanning Memory Dumps for Cobalt Strike Beacons

I updated my Cobalt Strike beacon analysis tool to deal with false positives in Windows system's memory dumps.

When my tool is given a process memory dump or a system's full memory dump, it will search for the header of a beacon configuration.

This often gives false positives in full memory dumps. I have now introduced a sanity check (option -S), to hide these false positives.

Here is a short howto video.


Didier Stevens
Senior handler
Microsoft MVP


677 Posts
ISC Handler
Aug 28th 2022

Sign Up for Free or Log In to start participating in the conversation!