COBALT STRIKE |
| 2022-09-06 | Didier Stevens | Analysis of an Encoded Cobalt Strike Beacon |
| 2022-08-28 | Didier Stevens | Dealing With False Positives when Scanning Memory Dumps for Cobalt Strike Beacons |
| 2022-08-24 | Brad Duncan | Monster Libra (TA551/Shathak) --> IcedID (Bokbot) --> Cobalt Strike & DarkVNC |
| 2022-08-12 | Brad Duncan | Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike |
| 2022-07-27 | Brad Duncan | IcedID (Bokbot) with Dark VNC and Cobalt Strike |
| 2022-07-07 | Brad Duncan | Emotet infection with Cobalt Strike |
| 2022-06-30 | Brad Duncan | Case Study: Cobalt Strike Server Lives on After Its Domain Is Suspended |
| 2022-06-17 | Brad Duncan | Malspam pushes Matanbuchus malware, leads to Cobalt Strike |
| 2022-05-19 | Brad Duncan | Bumblebee Malware from TransferXL URLs |
| 2022-03-16 | Brad Duncan | Qakbot infection with Cobalt Strike and VNC activity |
| 2022-02-09 | Brad Duncan | Example of Cobalt Strike from Emotet infection |
| 2021-12-16 | Brad Duncan | How the "Contact Forms" campaign tricks people |
| 2021-09-15 | Brad Duncan | Hancitor campaign abusing Microsoft's OneDrive |
| 2021-08-11 | Brad Duncan | TA551 (Shathak) continues pushing BazarLoader, infections lead to Cobalt Strike |
| 2021-07-09 | Brad Duncan | Hancitor tries XLL as initial malware file |
| 2021-06-30 | Brad Duncan | June 2021 Forensic Contest: Answers and Analysis |
| 2021-03-03 | Brad Duncan | Qakbot infection with Cobalt Strike |
| 2021-02-03 | Brad Duncan | Excel spreadsheets push SystemBC malware |
| 2019-11-20 | Brad Duncan | Hancitor infection with Pony, Evil Pony, Ursnif, and Cobalt Strike |
COBALT |
| 2025-03-10/a> | Xavier Mertens | Shellcode Encoded in UUIDs |
| 2023-12-15/a> | Xavier Mertens | CSharp Payload Phoning to a CobaltStrike Server |
| 2023-12-05/a> | Didier Stevens | Cobalt Strike's "Runtime Configuration" |
| 2022-09-06/a> | Didier Stevens | Analysis of an Encoded Cobalt Strike Beacon |
| 2022-08-28/a> | Didier Stevens | Dealing With False Positives when Scanning Memory Dumps for Cobalt Strike Beacons |
| 2022-08-24/a> | Brad Duncan | Monster Libra (TA551/Shathak) --> IcedID (Bokbot) --> Cobalt Strike & DarkVNC |
| 2022-08-12/a> | Brad Duncan | Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike |
| 2022-07-27/a> | Brad Duncan | IcedID (Bokbot) with Dark VNC and Cobalt Strike |
| 2022-07-07/a> | Brad Duncan | Emotet infection with Cobalt Strike |
| 2022-06-30/a> | Brad Duncan | Case Study: Cobalt Strike Server Lives on After Its Domain Is Suspended |
| 2022-06-17/a> | Brad Duncan | Malspam pushes Matanbuchus malware, leads to Cobalt Strike |
| 2022-05-19/a> | Brad Duncan | Bumblebee Malware from TransferXL URLs |
| 2022-03-16/a> | Brad Duncan | Qakbot infection with Cobalt Strike and VNC activity |
| 2022-02-09/a> | Brad Duncan | Example of Cobalt Strike from Emotet infection |
| 2022-01-09/a> | Didier Stevens | Extracting Cobalt Strike Beacons from MSBuild Scripts |
| 2021-12-16/a> | Brad Duncan | How the "Contact Forms" campaign tricks people |
| 2021-11-07/a> | Didier Stevens | Video: Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory |
| 2021-11-06/a> | Didier Stevens | Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory |
| 2021-10-25/a> | Didier Stevens | Decrypting Cobalt Strike Traffic With a "Leaked" Private Key |
| 2021-09-15/a> | Brad Duncan | Hancitor campaign abusing Microsoft's OneDrive |
| 2021-08-11/a> | Brad Duncan | TA551 (Shathak) continues pushing BazarLoader, infections lead to Cobalt Strike |
| 2021-07-09/a> | Brad Duncan | Hancitor tries XLL as initial malware file |
| 2021-06-30/a> | Brad Duncan | June 2021 Forensic Contest: Answers and Analysis |
| 2021-05-30/a> | Didier Stevens | Video: Cobalt Strike & DNS - Part 1 |
| 2021-03-15/a> | Didier Stevens | Finding Metasploit & Cobalt Strike URLs |
| 2021-03-03/a> | Brad Duncan | Qakbot infection with Cobalt Strike |
| 2021-02-14/a> | Didier Stevens | Video: tshark & Malware Analysis |
| 2021-02-03/a> | Brad Duncan | Excel spreadsheets push SystemBC malware |
| 2021-01-13/a> | Brad Duncan | Hancitor activity resumes after a hoilday break |
| 2020-11-23/a> | Didier Stevens | Quick Tip: Cobalt Strike Beacon Analysis |
| 2019-11-20/a> | Brad Duncan | Hancitor infection with Pony, Evil Pony, Ursnif, and Cobalt Strike |
STRIKE |
| 2025-03-10/a> | Xavier Mertens | Shellcode Encoded in UUIDs |
| 2024-07-22/a> | Johannes Ullrich | CrowdStrike: The Monday After |
| 2024-07-19/a> | Johannes Ullrich | Widespread Windows Crashes Due to Crowdstrike Updates |
| 2023-12-15/a> | Xavier Mertens | CSharp Payload Phoning to a CobaltStrike Server |
| 2023-12-05/a> | Didier Stevens | Cobalt Strike's "Runtime Configuration" |
| 2022-09-06/a> | Didier Stevens | Analysis of an Encoded Cobalt Strike Beacon |
| 2022-08-28/a> | Didier Stevens | Dealing With False Positives when Scanning Memory Dumps for Cobalt Strike Beacons |
| 2022-08-24/a> | Brad Duncan | Monster Libra (TA551/Shathak) --> IcedID (Bokbot) --> Cobalt Strike & DarkVNC |
| 2022-08-12/a> | Brad Duncan | Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike |
| 2022-07-27/a> | Brad Duncan | IcedID (Bokbot) with Dark VNC and Cobalt Strike |
| 2022-07-07/a> | Brad Duncan | Emotet infection with Cobalt Strike |
| 2022-06-30/a> | Brad Duncan | Case Study: Cobalt Strike Server Lives on After Its Domain Is Suspended |
| 2022-06-17/a> | Brad Duncan | Malspam pushes Matanbuchus malware, leads to Cobalt Strike |
| 2022-05-19/a> | Brad Duncan | Bumblebee Malware from TransferXL URLs |
| 2022-03-16/a> | Brad Duncan | Qakbot infection with Cobalt Strike and VNC activity |
| 2022-02-09/a> | Brad Duncan | Example of Cobalt Strike from Emotet infection |
| 2022-01-09/a> | Didier Stevens | Extracting Cobalt Strike Beacons from MSBuild Scripts |
| 2021-12-16/a> | Brad Duncan | How the "Contact Forms" campaign tricks people |
| 2021-11-07/a> | Didier Stevens | Video: Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory |
| 2021-11-06/a> | Didier Stevens | Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory |
| 2021-10-25/a> | Didier Stevens | Decrypting Cobalt Strike Traffic With a "Leaked" Private Key |
| 2021-09-15/a> | Brad Duncan | Hancitor campaign abusing Microsoft's OneDrive |
| 2021-08-11/a> | Brad Duncan | TA551 (Shathak) continues pushing BazarLoader, infections lead to Cobalt Strike |
| 2021-07-09/a> | Brad Duncan | Hancitor tries XLL as initial malware file |
| 2021-06-30/a> | Brad Duncan | June 2021 Forensic Contest: Answers and Analysis |
| 2021-05-30/a> | Didier Stevens | Video: Cobalt Strike & DNS - Part 1 |
| 2021-03-15/a> | Didier Stevens | Finding Metasploit & Cobalt Strike URLs |
| 2021-03-03/a> | Brad Duncan | Qakbot infection with Cobalt Strike |
| 2021-02-14/a> | Didier Stevens | Video: tshark & Malware Analysis |
| 2021-02-03/a> | Brad Duncan | Excel spreadsheets push SystemBC malware |
| 2021-01-13/a> | Brad Duncan | Hancitor activity resumes after a hoilday break |
| 2020-11-23/a> | Didier Stevens | Quick Tip: Cobalt Strike Beacon Analysis |
| 2019-11-20/a> | Brad Duncan | Hancitor infection with Pony, Evil Pony, Ursnif, and Cobalt Strike |
