Internet Storm Center
Sign In
Sign Up
Handler on Duty:
Johannes Ullrich
Threat Level:
green
Date
Author
Title
COBALT STRIKE
2022-09-06
Didier Stevens
Analysis of an Encoded Cobalt Strike Beacon
2022-08-28
Didier Stevens
Dealing With False Positives when Scanning Memory Dumps for Cobalt Strike Beacons
2022-08-24
Brad Duncan
Monster Libra (TA551/Shathak) --> IcedID (Bokbot) --> Cobalt Strike & DarkVNC
2022-08-12
Brad Duncan
Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike
2022-07-27
Brad Duncan
IcedID (Bokbot) with Dark VNC and Cobalt Strike
2022-07-07
Brad Duncan
Emotet infection with Cobalt Strike
2022-06-30
Brad Duncan
Case Study: Cobalt Strike Server Lives on After Its Domain Is Suspended
2022-06-17
Brad Duncan
Malspam pushes Matanbuchus malware, leads to Cobalt Strike
2022-05-19
Brad Duncan
Bumblebee Malware from TransferXL URLs
2022-03-16
Brad Duncan
Qakbot infection with Cobalt Strike and VNC activity
2022-02-09
Brad Duncan
Example of Cobalt Strike from Emotet infection
2021-12-16
Brad Duncan
How the "Contact Forms" campaign tricks people
2021-09-15
Brad Duncan
Hancitor campaign abusing Microsoft's OneDrive
2021-08-11
Brad Duncan
TA551 (Shathak) continues pushing BazarLoader, infections lead to Cobalt Strike
2021-07-09
Brad Duncan
Hancitor tries XLL as initial malware file
2021-06-30
Brad Duncan
June 2021 Forensic Contest: Answers and Analysis
2021-03-03
Brad Duncan
Qakbot infection with Cobalt Strike
2021-02-03
Brad Duncan
Excel spreadsheets push SystemBC malware
2019-11-20
Brad Duncan
Hancitor infection with Pony, Evil Pony, Ursnif, and Cobalt Strike
COBALT
2025-03-10/a>
Xavier Mertens
Shellcode Encoded in UUIDs
2023-12-15/a>
Xavier Mertens
CSharp Payload Phoning to a CobaltStrike Server
2023-12-05/a>
Didier Stevens
Cobalt Strike's "Runtime Configuration"
2022-09-06/a>
Didier Stevens
Analysis of an Encoded Cobalt Strike Beacon
2022-08-28/a>
Didier Stevens
Dealing With False Positives when Scanning Memory Dumps for Cobalt Strike Beacons
2022-08-24/a>
Brad Duncan
Monster Libra (TA551/Shathak) --> IcedID (Bokbot) --> Cobalt Strike & DarkVNC
2022-08-12/a>
Brad Duncan
Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike
2022-07-27/a>
Brad Duncan
IcedID (Bokbot) with Dark VNC and Cobalt Strike
2022-07-07/a>
Brad Duncan
Emotet infection with Cobalt Strike
2022-06-30/a>
Brad Duncan
Case Study: Cobalt Strike Server Lives on After Its Domain Is Suspended
2022-06-17/a>
Brad Duncan
Malspam pushes Matanbuchus malware, leads to Cobalt Strike
2022-05-19/a>
Brad Duncan
Bumblebee Malware from TransferXL URLs
2022-03-16/a>
Brad Duncan
Qakbot infection with Cobalt Strike and VNC activity
2022-02-09/a>
Brad Duncan
Example of Cobalt Strike from Emotet infection
2022-01-09/a>
Didier Stevens
Extracting Cobalt Strike Beacons from MSBuild Scripts
2021-12-16/a>
Brad Duncan
How the "Contact Forms" campaign tricks people
2021-11-07/a>
Didier Stevens
Video: Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory
2021-11-06/a>
Didier Stevens
Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory
2021-10-25/a>
Didier Stevens
Decrypting Cobalt Strike Traffic With a "Leaked" Private Key
2021-09-15/a>
Brad Duncan
Hancitor campaign abusing Microsoft's OneDrive
2021-08-11/a>
Brad Duncan
TA551 (Shathak) continues pushing BazarLoader, infections lead to Cobalt Strike
2021-07-09/a>
Brad Duncan
Hancitor tries XLL as initial malware file
2021-06-30/a>
Brad Duncan
June 2021 Forensic Contest: Answers and Analysis
2021-05-30/a>
Didier Stevens
Video: Cobalt Strike & DNS - Part 1
2021-03-15/a>
Didier Stevens
Finding Metasploit & Cobalt Strike URLs
2021-03-03/a>
Brad Duncan
Qakbot infection with Cobalt Strike
2021-02-14/a>
Didier Stevens
Video: tshark & Malware Analysis
2021-02-03/a>
Brad Duncan
Excel spreadsheets push SystemBC malware
2021-01-13/a>
Brad Duncan
Hancitor activity resumes after a hoilday break
2020-11-23/a>
Didier Stevens
Quick Tip: Cobalt Strike Beacon Analysis
2019-11-20/a>
Brad Duncan
Hancitor infection with Pony, Evil Pony, Ursnif, and Cobalt Strike
STRIKE
2025-03-10/a>
Xavier Mertens
Shellcode Encoded in UUIDs
2024-07-22/a>
Johannes Ullrich
CrowdStrike: The Monday After
2024-07-19/a>
Johannes Ullrich
Widespread Windows Crashes Due to Crowdstrike Updates
2023-12-15/a>
Xavier Mertens
CSharp Payload Phoning to a CobaltStrike Server
2023-12-05/a>
Didier Stevens
Cobalt Strike's "Runtime Configuration"
2022-09-06/a>
Didier Stevens
Analysis of an Encoded Cobalt Strike Beacon
2022-08-28/a>
Didier Stevens
Dealing With False Positives when Scanning Memory Dumps for Cobalt Strike Beacons
2022-08-24/a>
Brad Duncan
Monster Libra (TA551/Shathak) --> IcedID (Bokbot) --> Cobalt Strike & DarkVNC
2022-08-12/a>
Brad Duncan
Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike
2022-07-27/a>
Brad Duncan
IcedID (Bokbot) with Dark VNC and Cobalt Strike
2022-07-07/a>
Brad Duncan
Emotet infection with Cobalt Strike
2022-06-30/a>
Brad Duncan
Case Study: Cobalt Strike Server Lives on After Its Domain Is Suspended
2022-06-17/a>
Brad Duncan
Malspam pushes Matanbuchus malware, leads to Cobalt Strike
2022-05-19/a>
Brad Duncan
Bumblebee Malware from TransferXL URLs
2022-03-16/a>
Brad Duncan
Qakbot infection with Cobalt Strike and VNC activity
2022-02-09/a>
Brad Duncan
Example of Cobalt Strike from Emotet infection
2022-01-09/a>
Didier Stevens
Extracting Cobalt Strike Beacons from MSBuild Scripts
2021-12-16/a>
Brad Duncan
How the "Contact Forms" campaign tricks people
2021-11-07/a>
Didier Stevens
Video: Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory
2021-11-06/a>
Didier Stevens
Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory
2021-10-25/a>
Didier Stevens
Decrypting Cobalt Strike Traffic With a "Leaked" Private Key
2021-09-15/a>
Brad Duncan
Hancitor campaign abusing Microsoft's OneDrive
2021-08-11/a>
Brad Duncan
TA551 (Shathak) continues pushing BazarLoader, infections lead to Cobalt Strike
2021-07-09/a>
Brad Duncan
Hancitor tries XLL as initial malware file
2021-06-30/a>
Brad Duncan
June 2021 Forensic Contest: Answers and Analysis
2021-05-30/a>
Didier Stevens
Video: Cobalt Strike & DNS - Part 1
2021-03-15/a>
Didier Stevens
Finding Metasploit & Cobalt Strike URLs
2021-03-03/a>
Brad Duncan
Qakbot infection with Cobalt Strike
2021-02-14/a>
Didier Stevens
Video: tshark & Malware Analysis
2021-02-03/a>
Brad Duncan
Excel spreadsheets push SystemBC malware
2021-01-13/a>
Brad Duncan
Hancitor activity resumes after a hoilday break
2020-11-23/a>
Didier Stevens
Quick Tip: Cobalt Strike Beacon Analysis
2019-11-20/a>
Brad Duncan
Hancitor infection with Pony, Evil Pony, Ursnif, and Cobalt Strike
Homepage
Diaries
Podcasts
Jobs
Data
TCP/UDP Port Activity
Port Trends
SSH/Telnet Scanning Activity
Weblogs
Threat Feeds Activity
Threat Feeds Map
Useful InfoSec Links
Presentations & Papers
Research Papers
API
Tools
DShield Sensor
DNS Looking Glass
Honeypot (RPi/AWS)
InfoSec Glossary
Contact Us
Contact Us
About Us
Handlers
About Us
Slack Channel
Mastodon
Bluesky
X
Make the web a better place by
sharing the SANS Internet Storm Center
with others
