Date Author Title

COBALT STRIKE

2022-09-06Didier StevensAnalysis of an Encoded Cobalt Strike Beacon
2022-08-28Didier StevensDealing With False Positives when Scanning Memory Dumps for Cobalt Strike Beacons
2022-08-24Brad DuncanMonster Libra (TA551/Shathak) --> IcedID (Bokbot) --> Cobalt Strike & DarkVNC
2022-08-12Brad DuncanMonster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike
2022-07-27Brad DuncanIcedID (Bokbot) with Dark VNC and Cobalt Strike
2022-07-07Brad DuncanEmotet infection with Cobalt Strike
2022-06-30Brad DuncanCase Study: Cobalt Strike Server Lives on After Its Domain Is Suspended
2022-06-17Brad DuncanMalspam pushes Matanbuchus malware, leads to Cobalt Strike
2022-05-19Brad DuncanBumblebee Malware from TransferXL URLs
2022-03-16Brad DuncanQakbot infection with Cobalt Strike and VNC activity
2022-02-09Brad DuncanExample of Cobalt Strike from Emotet infection
2021-12-16Brad DuncanHow the "Contact Forms" campaign tricks people
2021-09-15Brad DuncanHancitor campaign abusing Microsoft's OneDrive
2021-08-11Brad DuncanTA551 (Shathak) continues pushing BazarLoader, infections lead to Cobalt Strike
2021-07-09Brad DuncanHancitor tries XLL as initial malware file
2021-06-30Brad DuncanJune 2021 Forensic Contest: Answers and Analysis
2021-03-03Brad DuncanQakbot infection with Cobalt Strike
2021-02-03Brad DuncanExcel spreadsheets push SystemBC malware
2019-11-20Brad DuncanHancitor infection with Pony, Evil Pony, Ursnif, and Cobalt Strike

COBALT

2022-09-06/a>Didier StevensAnalysis of an Encoded Cobalt Strike Beacon
2022-08-28/a>Didier StevensDealing With False Positives when Scanning Memory Dumps for Cobalt Strike Beacons
2022-08-24/a>Brad DuncanMonster Libra (TA551/Shathak) --> IcedID (Bokbot) --> Cobalt Strike & DarkVNC
2022-08-12/a>Brad DuncanMonster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike
2022-07-27/a>Brad DuncanIcedID (Bokbot) with Dark VNC and Cobalt Strike
2022-07-07/a>Brad DuncanEmotet infection with Cobalt Strike
2022-06-30/a>Brad DuncanCase Study: Cobalt Strike Server Lives on After Its Domain Is Suspended
2022-06-17/a>Brad DuncanMalspam pushes Matanbuchus malware, leads to Cobalt Strike
2022-05-19/a>Brad DuncanBumblebee Malware from TransferXL URLs
2022-03-16/a>Brad DuncanQakbot infection with Cobalt Strike and VNC activity
2022-02-09/a>Brad DuncanExample of Cobalt Strike from Emotet infection
2022-01-09/a>Didier StevensExtracting Cobalt Strike Beacons from MSBuild Scripts
2021-12-16/a>Brad DuncanHow the "Contact Forms" campaign tricks people
2021-11-07/a>Didier StevensVideo: Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory
2021-11-06/a>Didier StevensDecrypting Cobalt Strike Traffic With Keys Extracted From Process Memory
2021-10-25/a>Didier StevensDecrypting Cobalt Strike Traffic With a "Leaked" Private Key
2021-09-15/a>Brad DuncanHancitor campaign abusing Microsoft's OneDrive
2021-08-11/a>Brad DuncanTA551 (Shathak) continues pushing BazarLoader, infections lead to Cobalt Strike
2021-07-09/a>Brad DuncanHancitor tries XLL as initial malware file
2021-06-30/a>Brad DuncanJune 2021 Forensic Contest: Answers and Analysis
2021-05-30/a>Didier StevensVideo: Cobalt Strike & DNS - Part 1
2021-03-15/a>Didier StevensFinding Metasploit & Cobalt Strike URLs
2021-03-03/a>Brad DuncanQakbot infection with Cobalt Strike
2021-02-14/a>Didier StevensVideo: tshark & Malware Analysis
2021-02-03/a>Brad DuncanExcel spreadsheets push SystemBC malware
2021-01-13/a>Brad DuncanHancitor activity resumes after a hoilday break
2020-11-23/a>Didier StevensQuick Tip: Cobalt Strike Beacon Analysis
2019-11-20/a>Brad DuncanHancitor infection with Pony, Evil Pony, Ursnif, and Cobalt Strike

STRIKE

2022-09-06/a>Didier StevensAnalysis of an Encoded Cobalt Strike Beacon
2022-08-28/a>Didier StevensDealing With False Positives when Scanning Memory Dumps for Cobalt Strike Beacons
2022-08-24/a>Brad DuncanMonster Libra (TA551/Shathak) --> IcedID (Bokbot) --> Cobalt Strike & DarkVNC
2022-08-12/a>Brad DuncanMonster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike
2022-07-27/a>Brad DuncanIcedID (Bokbot) with Dark VNC and Cobalt Strike
2022-07-07/a>Brad DuncanEmotet infection with Cobalt Strike
2022-06-30/a>Brad DuncanCase Study: Cobalt Strike Server Lives on After Its Domain Is Suspended
2022-06-17/a>Brad DuncanMalspam pushes Matanbuchus malware, leads to Cobalt Strike
2022-05-19/a>Brad DuncanBumblebee Malware from TransferXL URLs
2022-03-16/a>Brad DuncanQakbot infection with Cobalt Strike and VNC activity
2022-02-09/a>Brad DuncanExample of Cobalt Strike from Emotet infection
2022-01-09/a>Didier StevensExtracting Cobalt Strike Beacons from MSBuild Scripts
2021-12-16/a>Brad DuncanHow the "Contact Forms" campaign tricks people
2021-11-07/a>Didier StevensVideo: Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory
2021-11-06/a>Didier StevensDecrypting Cobalt Strike Traffic With Keys Extracted From Process Memory
2021-10-25/a>Didier StevensDecrypting Cobalt Strike Traffic With a "Leaked" Private Key
2021-09-15/a>Brad DuncanHancitor campaign abusing Microsoft's OneDrive
2021-08-11/a>Brad DuncanTA551 (Shathak) continues pushing BazarLoader, infections lead to Cobalt Strike
2021-07-09/a>Brad DuncanHancitor tries XLL as initial malware file
2021-06-30/a>Brad DuncanJune 2021 Forensic Contest: Answers and Analysis
2021-05-30/a>Didier StevensVideo: Cobalt Strike & DNS - Part 1
2021-03-15/a>Didier StevensFinding Metasploit & Cobalt Strike URLs
2021-03-03/a>Brad DuncanQakbot infection with Cobalt Strike
2021-02-14/a>Didier StevensVideo: tshark & Malware Analysis
2021-02-03/a>Brad DuncanExcel spreadsheets push SystemBC malware
2021-01-13/a>Brad DuncanHancitor activity resumes after a hoilday break
2020-11-23/a>Didier StevensQuick Tip: Cobalt Strike Beacon Analysis
2019-11-20/a>Brad DuncanHancitor infection with Pony, Evil Pony, Ursnif, and Cobalt Strike