# Cobalt Strike: Overview – Part 7

**blog.nviso.eu/2022/03/22/cobalt-strike-overview-part-7/**

March 22, 2022

[Blogpost series: Cobalt Strike: Decrypting Traffic](https://blog.nviso.eu/series/cobalt-strike-decrypting-traffic/)

_This is an overview of a series of 6 blog posts we dedicated to the analysis and decryption of Cobalt Strike traffic. We include videos for the different analysis methods._

In [part 1](https://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/), we explain that Cobalt Strike traffic is encrypted using RSA and AES cryptography, and that we found private RSA keys that can help with the decryption of Cobalt Strike traffic.

In [part 2](https://blog.nviso.eu/2021/10/27/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-2/), we actually decrypt traffic using private keys. Notice that one of the free, open source tools that we created to decrypt Cobalt Strike traffic, [cs-parse-http-traffic.py](https://github.com/DidierStevens/Beta/blob/master/cs-parse-http-traffic.py), was a beta release. It has now been replaced by the tool [cs-parse-traffic.py](https://github.com/DidierStevens/DidierStevensSuite/blob/master/cs-parse-traffic.py). This tool is capable of decrypting HTTP(S) and DNS traffic. For HTTP(S), it is a drop-in replacement for cs-parse-http-traffic.py.

In [part 3](https://blog.nviso.eu/2021/11/03/cobalt-strike-using-process-memory-to-decrypt-traffic-part-3/), we use process memory dumps to extract the decryption keys. This is for use cases where we don't have the private keys.

In [part 4](https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/), we deal with some specific obfuscation: data transforms of encrypted traffic, and sleep mode in beacons' process memory.

In [part 5](https://blog.nviso.eu/2021/11/29/cobalt-strike-decrypting-dns-traffic-part-5/), we handle Cobalt Strike DNS traffic.

And finally, in [part 6](https://blog.nviso.eu/2022/03/11/cobalt-strike-memory-dumps-part-6/), we provide some tips to make memory dumps of Cobalt Strike beacons.

The tools used in these blog posts are free and open source, and [can be found here](https://blog.didierstevens.com/programs/cobalt-strike-tools/).

Here are some videos that illustrate the methods discussed in this series:

- [Using Known Private Keys To Decrypt Traffic](https://www.youtube.com/watch?v=D3z6YAFs-l4)
- [Using Process Memory To Decrypt Traffic](https://youtu.be/7OvqebeLe1E)
- [Dealing With Obfuscated Traffic And Process Memory](https://youtu.be/jRKhfh1ogiE)
- [Decrypting DNS Traffic](https://youtu.be/exJcDd9AWnk)
- [YouTube playlist "Cobalt Strike: Decrypting Traffic"](https://www.youtube.com/watch?v=D3z6YAFs-l4&list=PLo4ItFFtz-jwE29gJz-JkjWUWCnHmeYvo)

Blog posts in this series:

- [Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 1](https://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/)
- [Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 2](https://blog.nviso.eu/2021/10/27/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-2/)
- [Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3](https://blog.nviso.eu/2021/11/03/cobalt-strike-using-process-memory-to-decrypt-traffic-part-3/)
- [Cobalt Strike: Decrypting Obfuscated Traffic – Part 4](https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/)
- [Cobalt Strike: Decrypting DNS Traffic – Part 5](https://blog.nviso.eu/2021/11/29/cobalt-strike-decrypting-dns-traffic-part-5/)
- [Cobalt Strike: Memory Dumps – Part 6](https://blog.nviso.eu/2022/03/11/cobalt-strike-memory-dumps-part-6/)

**About the authors**

Didier Stevens is a malware expert working for NVISO. Didier is a SANS Internet Storm Center senior handler and Microsoft MVP, and has developed numerous popular tools to assist with malware analysis. You can find Didier on [Twitter](https://twitter.com/DidierStevens) and [LinkedIn](https://be.linkedin.com/in/didierstevens).

You can follow [NVISO Labs on Twitter](https://twitter.com/NVISO_Labs) to stay up to date on all our future research and publications.

Series Navigation: [<< Cobalt Strike: Memory Dumps – Part 6](https://blog.nviso.eu/2022/03/11/cobalt-strike-memory-dumps-part-6/)