{
	"id": "acc4604a-1cd9-4809-8a7f-abb0dfd71b8a",
	"created_at": "2026-04-06T00:09:19.076008Z",
	"updated_at": "2026-04-10T13:12:06.726798Z",
	"deleted_at": null,
	"sha1_hash": "1a2fc564255d77feec8d8b5050f62c43637eaa64",
	"title": "Cobalt Strike: Overview – Part 7",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50977,
	"plain_text": "Cobalt Strike: Overview – Part 7\r\nBy Didier Stevens\r\nPublished: 2022-03-22 · Archived: 2026-04-05 21:35:13 UTC\r\nThis is an overview of a series of 6 blog posts we dedicated to the analysis and decryption of Cobalt Strike traffic. We include videos for the different analysis methods.\r\nIn part 1, we explain that Cobalt Strike traffic is encrypted using RSA and AES cryptography, and that we found private RSA keys that can help with the decryption of Cobalt Strike traffic.\r\nIn part 2, we actually decrypt traffic using private keys. Notice that one of the free, open source tools that we created to decrypt Cobalt Strike traffic, cs-parse-http-traffic.py, was a beta release. It has now been replaced by the tool cs-parse-traffic.py. This tool can decrypt HTTP(S) and DNS traffic. For HTTP(S), it is a drop-in replacement for cs-parse-http-traffic.py.\r\nIn part 3, we use process memory dumps to extract the decryption keys. This is for use cases where we don’t have the private keys.\r\nIn part 4, we deal with some specific obfuscation: data transforms of encrypted traffic, and sleep mode in beacons’ process memory.\r\nIn part 5, we handle Cobalt Strike DNS traffic.\r\nAnd finally, in part 6, we provide some tips to make memory dumps of Cobalt Strike beacons.\r\nThe tools used in these blog posts are free and open source, and can be found here.\r\nHere are a couple of videos that illustrate the methods discussed in this series:\r\nUsing Known Private Keys To Decrypt Traffic\r\nUsing Process Memory To Decrypt Traffic\r\nDealing With Obfuscated Traffic And Process Memory\r\nDecrypting DNS Traffic\r\nYouTube playlist “Cobalt Strike: Decrypting Traffic”\r\nBlog posts in this series:\r\nCobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 1\r\nCobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 2\r\nCobalt Strike: Using Process Memory To Decrypt Traffic – Part 3\r\nCobalt Strike: Decrypting Obfuscated Traffic – Part 4\r\nCobalt Strike: Decrypting DNS Traffic – Part 5\r\nCobalt Strike: Memory Dumps – Part 6\r\nAbout the authors\r\nDidier Stevens is a malware expert working for NVISO. Didier is a SANS Internet Storm Center senior handler and Microsoft MVP, and has developed numerous popular tools to assist with malware analysis. You can find Didier on Twitter and LinkedIn.\r\nYou can follow NVISO Labs on Twitter to stay up to date on all our future research and publications.\r\nSource: https://blog.nviso.eu/2022/03/22/cobalt-strike-overview-part-7/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.nviso.eu/2022/03/22/cobalt-strike-overview-part-7/"
	],
	"report_names": [
		"cobalt-strike-overview-part-7"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434159,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1a2fc564255d77feec8d8b5050f62c43637eaa64.pdf",
		"text": "https://archive.orkl.eu/1a2fc564255d77feec8d8b5050f62c43637eaa64.txt",
		"img": "https://archive.orkl.eu/1a2fc564255d77feec8d8b5050f62c43637eaa64.jpg"
	}
}