# SANS ISC: InfoSec Handlers Diary Blog

**isc.sans.edu/diary/rss/27176**
**Published: 2021-03-07**
**Last Updated: 2021-03-07 20:55:50 UTC**
**by** [Didier Stevens (Version: 1)](https://isc.sans.edu/handler_list.html#didier-stevens)

I like taking a closer look at capture files posted by Brad. In [his latest diary entry](https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike/27158/), we have a capture file with Cobalt Strike traffic.

With the regular expression "^/....$" (a slash followed by exactly four characters) I look for URIs that are typical for Cobalt Strike shellcode (and Metasploit too).

Following this HTTP stream, I see data that looks encoded and has some repetitions, so this might be some kind of XOR encoding.

I export this data stream as a file, then pass it through my [1768.py Cobalt Strike beacon analysis tool](https://blog.didierstevens.com/2020/12/27/update-1768-py-version-0-0-4/).

And this is indeed the configuration of a beacon.

Didier Stevens
Senior handler
Microsoft MVP
[blog.DidierStevens.com](http://blog.didierstevens.com/)
[DidierStevensLabs.com](http://didierstevenslabs.com/)
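The URI filter from the diary, as an added example (this is not code from the diary or from 1768.py): it applies the same `^/....$` pattern to HTTP request lines and then adds a check the diary does not mention, the 8-bit checksum that Metasploit and Cobalt Strike stagers embed in these four-character URIs. The sum of the URI's bytes (leading slash excluded) modulo 256 is 92 for a Metasploit or Cobalt Strike x86 stager and 93 for a Cobalt Strike x64 stager, so a four-character URI that sums to neither is much more likely to be ordinary traffic. The request lines below are constructed for the example and are not taken from Brad's capture.

```python
import re

# Stager URIs are four random characters chosen so that the 8-bit checksum of
# the characters (sum of bytes mod 256, slash excluded) hits a fixed value:
# 92 is Metasploit's URI_CHECKSUM_INITW (also Cobalt Strike x86 stagers),
# 93 is used by Cobalt Strike x64 stagers.
STAGER_CHECKSUMS = {
    92: "x86 stager (Metasploit / Cobalt Strike)",
    93: "Cobalt Strike x64 stager",
}

# The regex from the diary: a slash followed by exactly four characters.
FOUR_CHAR_URI = re.compile(r"^/....$")
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/1\.[01]$")

# Constructed request lines for the example, not from the capture.
SAMPLE_REQUEST_LINES = [
    "GET /r8Gk HTTP/1.1",                 # checksum8 == 92 -> x86 stager candidate
    "GET /r8Gl HTTP/1.1",                 # checksum8 == 93 -> x64 stager candidate
    "GET /test HTTP/1.1",                 # four characters, but checksum8 == 192
    "GET /home HTTP/1.1",                 # four characters, but checksum8 == 169
    "GET /index.html HTTP/1.1",           # not matched by the regex at all
    "POST /submit.php?id=12345 HTTP/1.1", # not matched by the regex at all
]


def checksum8(uri: str) -> int:
    """8-bit checksum of the URI without its leading slash."""
    return sum(uri.lstrip("/").encode("latin-1")) % 256


def classify_request_lines(lines):
    """Return (uri, checksum8, verdict) for every request whose URI matches ^/....$."""
    results = []
    for line in lines:
        m = REQUEST_LINE.match(line.strip())
        if not m:
            continue
        uri = m.group("uri")
        if not FOUR_CHAR_URI.match(uri):
            continue
        cs = checksum8(uri)
        verdict = STAGER_CHECKSUMS.get(cs, "checksum does not match a stager")
        results.append((uri, cs, verdict))
    return results


def stager_candidates(lines):
    """Only the four-character URIs whose checksum matches a known stager value."""
    return [uri for uri, cs, _ in classify_request_lines(lines) if cs in STAGER_CHECKSUMS]


if __name__ == "__main__":
    for uri, cs, verdict in classify_request_lines(SAMPLE_REQUEST_LINES):
        print(f"{uri}  checksum8={cs:3d}  {verdict}")
```

On a real capture, feed the output of `tshark -Y http.request -T fields -e http.request.line` (or the request lines of an exported HTTP stream) to `classify_request_lines`; the checksum step turns the regex's "four characters after a slash" from a broad filter into a short list worth following up.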
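The XOR guess and the 1768.py step from the diary, as an added example (this is not the diary's code and not 1768.py itself): a small Python locator built on the detail 1768.py relies on, namely that Beacon's configuration block is XOR-encoded with a single byte, 0x69 for Cobalt Strike 3.x and 0x2e for 4.x, and that the decoded block starts with a fixed six-byte pattern (item index 1, type 1, length 2). Searching for the encoded form of that pattern recovers both the key and the offset; the items are then parsed as big-endian index/type/length/value records (type 1 short, type 2 int, type 3 data). The stage bytes here are constructed (a few items wrapped in filler) and the field-name table is partial; 1768.py knows many more fields and Beacon versions than this sketch.

```python
import struct

# Single-byte XOR keys for the Beacon configuration block:
# 0x69 (Cobalt Strike 3.x) and 0x2e (Cobalt Strike 4.x).
XOR_KEYS = (0x69, 0x2E)

# The plaintext config starts with item 1 (BeaconType), type 1 (short), length 2.
CONFIG_MAGIC_PLAIN = bytes.fromhex("000100010002")

# Partial map of configuration item indexes, from public descriptions of the
# Beacon config format; 1768.py carries the full table.
CONFIG_FIELDS = {
    1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize", 5: "Jitter",
    6: "MaxDNS", 7: "PublicKey", 8: "C2Server", 9: "UserAgent", 10: "HttpPostUri",
    37: "Watermark",
}


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def parse_config(plain: bytes) -> dict:
    """Parse big-endian index/type/length/value records until the zero terminator."""
    items = {}
    pos = 0
    while pos + 6 <= len(plain):
        idx, typ, length = struct.unpack_from(">HHH", plain, pos)
        pos += 6
        if idx == 0:
            break
        raw = plain[pos:pos + length]
        pos += length
        if typ == 1 and length == 2:
            value = struct.unpack(">H", raw)[0]
        elif typ == 2 and length == 4:
            value = struct.unpack(">I", raw)[0]
        elif typ == 3:
            value = raw.rstrip(b"\x00")  # data fields are zero-padded to their length
        else:
            value = raw
        items[idx] = (CONFIG_FIELDS.get(idx, f"item_{idx}"), value)
    return items


def find_and_decode_config(blob: bytes):
    """Try each known key; return (key, offset, items) or None if no config is found."""
    for key in XOR_KEYS:
        off = blob.find(xor_bytes(CONFIG_MAGIC_PLAIN, key))
        if off != -1:
            return key, off, parse_config(xor_bytes(blob[off:], key))
    return None


# --- constructed sample stage, not real Beacon bytes -------------------------

def _item(idx: int, typ: int, value) -> bytes:
    if typ == 1:
        raw = struct.pack(">H", value)
    elif typ == 2:
        raw = struct.pack(">I", value)
    else:
        raw = value
    return struct.pack(">HHH", idx, typ, len(raw)) + raw


def build_sample_stage(key: int = 0x2E) -> bytes:
    """A few config items, XOR-encoded with `key` and wrapped in filler bytes."""
    plain = b"".join([
        _item(1, 1, 0),                                             # BeaconType 0 = HTTP
        _item(2, 1, 8080),                                          # Port
        _item(3, 2, 60000),                                         # SleepTime in ms
        _item(5, 1, 20),                                            # Jitter in percent
        _item(8, 3, b"192.0.2.10,/pixel.gif".ljust(256, b"\x00")),  # C2Server "host,uri"
        _item(9, 3, b"Mozilla/5.0 (constructed UA)".ljust(128, b"\x00")),
        _item(37, 2, 0x12345678),                                   # Watermark (made up)
        b"\x00" * 6,                                                # terminator
    ])
    filler = b"constructed filler standing in for the rest of the stage "
    return filler * 4 + xor_bytes(plain, key) + filler


if __name__ == "__main__":
    found = find_and_decode_config(build_sample_stage())
    if found:
        key, off, items = found
        print(f"XOR key 0x{key:02x}, config at offset {off}")
        for idx, (name, value) in sorted(items.items()):
            print(f"  {idx:3d} {name:<12} {value!r}")
```

Against the exported stream from the diary you would call `find_and_decode_config(open("stream.bin", "rb").read())`; the repetitions Didier noticed are the zero padding of the data fields and the zero terminator, which under a single-byte XOR all become the key byte itself, so long runs of 0x2e or 0x69 in an exported stream are a quick tell for which Beacon generation you are looking at.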