PCAPs and Beacons - SANS Internet Storm Center
By SANS Internet Storm Center
Archived: 2026-04-05 13:56:21 UTC

I like taking a closer look at capture files posted by Brad. In his latest diary entry, we have a capture file with Cobalt Strike traffic.

With regular expression "^/....$" I look for URIs that are typical for Cobalt Strike shellcode (and Metasploit too):

Following this HTTP stream, I see data that looks encoded and has some repetitions, so this might be some kind of XOR encoding:

I export this data stream as a file:

Then pass it through my 1768.py Cobalt Strike beacon analysis tool:

And this is indeed the configuration of a beacon.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com
DidierStevensLabs.com

Source: https://isc.sans.edu/diary/rss/27176
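The two triage steps from the diary, as an added example that is not part of the original entry and not code from 1768.py: filter request lines with the "^/....$" URI pattern, then use the "repetitions" observation to guess a single-byte XOR key (repeated plaintext bytes, usually 0x00 in a shellcode blob, become a repeated ciphertext byte). The request lines, the 0x69 key and the padded payload are constructed sample data, not taken from Brad's capture.

```python
import re
from collections import Counter

# Constructed HTTP request lines (not from the diary's PCAP).
SAMPLE_REQUESTS = [
    "GET /jquery-3.3.1.min.js HTTP/1.1",
    "GET /KvHe HTTP/1.1",
    "GET /images/logo.png HTTP/1.1",
    "GET /ca HTTP/1.1",
]

# The regex from the diary: a slash followed by exactly four characters.
FOUR_CHAR_URI = re.compile(r"^/....$")


def suspicious_uris(request_lines):
    """Return the URIs that match the four-character stager pattern."""
    hits = []
    for line in request_lines:
        parts = line.split()
        if len(parts) >= 2 and FOUR_CHAR_URI.match(parts[1]):
            hits.append(parts[1])
    return hits


def guess_xor_key(data):
    """Most frequent ciphertext byte is the likely key when the plaintext
    is dominated by one byte value (0x00 padding in shellcode/config blobs)."""
    most_common_byte, _ = Counter(data).most_common(1)[0]
    return most_common_byte


def xor_decode(data, key):
    """Apply a single-byte XOR key to the whole buffer."""
    return bytes(b ^ key for b in data)


def recover(data):
    """Guess the key from byte frequencies and return (key, decoded bytes)."""
    key = guess_xor_key(data)
    return key, xor_decode(data, key)


# Constructed payload: a few strings separated by long runs of null bytes,
# then XOR-encoded with the assumed key 0x69 to mimic the repetitive stream.
PLAINTEXT = b"beacon.dll\x00" + b"\x00" * 40 + b"/submit.php\x00" + b"\x00" * 40
SAMPLE_STREAM = xor_decode(PLAINTEXT, 0x69)

if __name__ == "__main__":
    print(suspicious_uris(SAMPLE_REQUESTS))
    key, decoded = recover(SAMPLE_STREAM)
    print(hex(key), decoded[:11])
```

Once the key checks out, the decoded buffer is what you would hand to a config parser such as 1768.py; if the most frequent byte does not yield readable strings, the encoding is not a single-byte XOR and the heuristic should be abandoned rather than forced.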