{
	"id": "95565306-0b8d-4649-bec8-62e577b284e9",
	"created_at": "2026-04-06T00:10:17.098154Z",
	"updated_at": "2026-04-10T13:12:28.033912Z",
	"deleted_at": null,
	"sha1_hash": "2f497dfa0e5fefd9d621879ebca60cb5751461bd",
	"title": "PCAPs and Beacons - SANS Internet Storm Center",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 147411,
	"plain_text": "PCAPs and Beacons - SANS Internet Storm Center\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 13:56:21 UTC\r\nI like taking a closer look at capture files posted by Brad. In his latest diary entry, we have a capture file with Cobalt Strike traffic.\r\nWith regular expression \"^/....$\" I look for URIs that are typical for Cobalt Strike shellcode (and Metasploit too):\r\nFollowing this HTTP stream, I see data that looks encoded and has some repetitions, so this might be some kind of XOR encoding:\r\nhttps://isc.sans.edu/diary/rss/27176\r\nPage 1 of 5\n\nI export this data stream as a file:\r\nThen pass it through my 1768.py Cobalt Strike beacon analysis tool:\r\nAnd this is indeed the configuration of a beacon.\r\nDidier Stevens\r\nSenior handler\r\nMicrosoft MVP\r\nblog.DidierStevens.com DidierStevensLabs.com\r\nSource: https://isc.sans.edu/diary/rss/27176",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://isc.sans.edu/diary/rss/27176"
	],
	"report_names": [
		"27176"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434217,
	"ts_updated_at": 1775826748,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f497dfa0e5fefd9d621879ebca60cb5751461bd.pdf",
		"text": "https://archive.orkl.eu/2f497dfa0e5fefd9d621879ebca60cb5751461bd.txt",
		"img": "https://archive.orkl.eu/2f497dfa0e5fefd9d621879ebca60cb5751461bd.jpg"
	}
}