Internet Storm Center
Date | Author | Title
COBALT STRIKE
2022-09-06 | Didier Stevens | Analysis of an Encoded Cobalt Strike Beacon
2022-08-28 | Didier Stevens | Dealing With False Positives when Scanning Memory Dumps for Cobalt Strike Beacons
2022-08-24 | Brad Duncan | Monster Libra (TA551/Shathak) --> IcedID (Bokbot) --> Cobalt Strike & DarkVNC
2022-08-12 | Brad Duncan | Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike
2022-07-27 | Brad Duncan | IcedID (Bokbot) with Dark VNC and Cobalt Strike
2022-07-07 | Brad Duncan | Emotet infection with Cobalt Strike
2022-06-30 | Brad Duncan | Case Study: Cobalt Strike Server Lives on After Its Domain Is Suspended
2022-06-17 | Brad Duncan | Malspam pushes Matanbuchus malware, leads to Cobalt Strike
2022-05-19 | Brad Duncan | Bumblebee Malware from TransferXL URLs
2022-03-16 | Brad Duncan | Qakbot infection with Cobalt Strike and VNC activity
2022-02-09 | Brad Duncan | Example of Cobalt Strike from Emotet infection
2021-12-16 | Brad Duncan | How the "Contact Forms" campaign tricks people
2021-09-15 | Brad Duncan | Hancitor campaign abusing Microsoft's OneDrive
2021-08-11 | Brad Duncan | TA551 (Shathak) continues pushing BazarLoader, infections lead to Cobalt Strike
2021-07-09 | Brad Duncan | Hancitor tries XLL as initial malware file
2021-06-30 | Brad Duncan | June 2021 Forensic Contest: Answers and Analysis
2021-03-03 | Brad Duncan | Qakbot infection with Cobalt Strike
2021-02-03 | Brad Duncan | Excel spreadsheets push SystemBC malware
2019-11-20 | Brad Duncan | Hancitor infection with Pony, Evil Pony, Ursnif, and Cobalt Strike
COBALT
2022-09-06 | Didier Stevens | Analysis of an Encoded Cobalt Strike Beacon
2022-08-28 | Didier Stevens | Dealing With False Positives when Scanning Memory Dumps for Cobalt Strike Beacons
2022-08-24 | Brad Duncan | Monster Libra (TA551/Shathak) --> IcedID (Bokbot) --> Cobalt Strike & DarkVNC
2022-08-12 | Brad Duncan | Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike
2022-07-27 | Brad Duncan | IcedID (Bokbot) with Dark VNC and Cobalt Strike
2022-07-07 | Brad Duncan | Emotet infection with Cobalt Strike
2022-06-30 | Brad Duncan | Case Study: Cobalt Strike Server Lives on After Its Domain Is Suspended
2022-06-17 | Brad Duncan | Malspam pushes Matanbuchus malware, leads to Cobalt Strike
2022-05-19 | Brad Duncan | Bumblebee Malware from TransferXL URLs
2022-03-16 | Brad Duncan | Qakbot infection with Cobalt Strike and VNC activity
2022-02-09 | Brad Duncan | Example of Cobalt Strike from Emotet infection
2022-01-09 | Didier Stevens | Extracting Cobalt Strike Beacons from MSBuild Scripts
2021-12-16 | Brad Duncan | How the "Contact Forms" campaign tricks people
2021-11-07 | Didier Stevens | Video: Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory
2021-11-06 | Didier Stevens | Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory
2021-10-25 | Didier Stevens | Decrypting Cobalt Strike Traffic With a "Leaked" Private Key
2021-09-15 | Brad Duncan | Hancitor campaign abusing Microsoft's OneDrive
2021-08-11 | Brad Duncan | TA551 (Shathak) continues pushing BazarLoader, infections lead to Cobalt Strike
2021-07-09 | Brad Duncan | Hancitor tries XLL as initial malware file
2021-06-30 | Brad Duncan | June 2021 Forensic Contest: Answers and Analysis
2021-05-30 | Didier Stevens | Video: Cobalt Strike & DNS - Part 1
2021-03-15 | Didier Stevens | Finding Metasploit & Cobalt Strike URLs
2021-03-03 | Brad Duncan | Qakbot infection with Cobalt Strike
2021-02-14 | Didier Stevens | Video: tshark & Malware Analysis
2021-02-03 | Brad Duncan | Excel spreadsheets push SystemBC malware
2021-01-13 | Brad Duncan | Hancitor activity resumes after a hoilday break
2020-11-23 | Didier Stevens | Quick Tip: Cobalt Strike Beacon Analysis
2019-11-20 | Brad Duncan | Hancitor infection with Pony, Evil Pony, Ursnif, and Cobalt Strike
STRIKE
2022-09-06 | Didier Stevens | Analysis of an Encoded Cobalt Strike Beacon
2022-08-28 | Didier Stevens | Dealing With False Positives when Scanning Memory Dumps for Cobalt Strike Beacons
2022-08-24 | Brad Duncan | Monster Libra (TA551/Shathak) --> IcedID (Bokbot) --> Cobalt Strike & DarkVNC
2022-08-12 | Brad Duncan | Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike
2022-07-27 | Brad Duncan | IcedID (Bokbot) with Dark VNC and Cobalt Strike
2022-07-07 | Brad Duncan | Emotet infection with Cobalt Strike
2022-06-30 | Brad Duncan | Case Study: Cobalt Strike Server Lives on After Its Domain Is Suspended
2022-06-17 | Brad Duncan | Malspam pushes Matanbuchus malware, leads to Cobalt Strike
2022-05-19 | Brad Duncan | Bumblebee Malware from TransferXL URLs
2022-03-16 | Brad Duncan | Qakbot infection with Cobalt Strike and VNC activity
2022-02-09 | Brad Duncan | Example of Cobalt Strike from Emotet infection
2022-01-09 | Didier Stevens | Extracting Cobalt Strike Beacons from MSBuild Scripts
2021-12-16 | Brad Duncan | How the "Contact Forms" campaign tricks people
2021-11-07 | Didier Stevens | Video: Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory
2021-11-06 | Didier Stevens | Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory
2021-10-25 | Didier Stevens | Decrypting Cobalt Strike Traffic With a "Leaked" Private Key
2021-09-15 | Brad Duncan | Hancitor campaign abusing Microsoft's OneDrive
2021-08-11 | Brad Duncan | TA551 (Shathak) continues pushing BazarLoader, infections lead to Cobalt Strike
2021-07-09 | Brad Duncan | Hancitor tries XLL as initial malware file
2021-06-30 | Brad Duncan | June 2021 Forensic Contest: Answers and Analysis
2021-05-30 | Didier Stevens | Video: Cobalt Strike & DNS - Part 1
2021-03-15 | Didier Stevens | Finding Metasploit & Cobalt Strike URLs
2021-03-03 | Brad Duncan | Qakbot infection with Cobalt Strike
2021-02-14 | Didier Stevens | Video: tshark & Malware Analysis
2021-02-03 | Brad Duncan | Excel spreadsheets push SystemBC malware
2021-01-13 | Brad Duncan | Hancitor activity resumes after a hoilday break
2020-11-23 | Didier Stevens | Quick Tip: Cobalt Strike Beacon Analysis
2019-11-20 | Brad Duncan | Hancitor infection with Pony, Evil Pony, Ursnif, and Cobalt Strike