Awesome CobaltStrike Defence

Defences against Cobalt Strike

Cobalt Strike is a commercial, full-featured penetration testing tool which bills itself as "adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors". Cobalt Strike's interactive post-exploitation capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. In addition to its own capabilities, Cobalt Strike leverages other well-known tools such as Metasploit and Mimikatz.

Cobalt Strike MITRE TTPs

Cobalt Strike MITRE ATT&CK Navigator

Hunting & Detection Tools

Pointer - Cobalt Strike Hunting

Beacon Hunter

Cobalt Spam

Cobalt Strike Team Server Password Brute Forcer

CobaltStrikeScan - Scan files or process memory for Cobalt Strike beacons and parse their configuration

Cobalt Strike beacon scan

Cobalt Strike decrypt

Detecting CobaltStrike for Volatility

JARM fingerprints scanner

Cobalt Strike Forensic

Cobalt Strike resources

List of C2 JARM including Cobalt Strike

Detection Cobalt Strike stomp

Cobalt Strike Built-In Lateral Movement Capabilities Based On CONTI Leak Mind Map

ThreatHunting Jupyter Notebooks - Notes on Detecting Cobalt Strike Activity

Random C2 Profile Generator

Python parser for CobaltStrike Beacon's configuration

Yara rules

Cobalt Strike Yara

Sigma rules

Cobalt Strike sigma rules - Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner (check in the future for updates or new rules)

Indicators of compromise

Cobalt Strike hashes

Possible Cobalt Strike Stager IOCs

List of Cobalt Strike servers

Possible Cobalt Strike ioc's

Cobalt Strike Trevor Profiles

Cobalt Strike & Metasploit servers

ThreatFox Database (Cobalt Strike) by

Hunting & Detection Research Articles

Cobalt Strike Metadata Encoding and Decoding

Cobalt Strike Metadata Encryption and Decryption

Cobalt Strike Malleable C2 Profile

Hunting Cobalt Strike Servers

Extracting Cobalt Strike from Windows Error Reporting

Mining data from Cobalt Strike beacons Report

Cobalt Strike as a Threat to Healthcare from U.S. Department of Health & Human Services - Health Sector Cybersecurity Coordination Center (HC3)

Detecting Conti Cobalt Strike Lateral Movement Techniques Part 1

Detecting Conti Cobalt Strike Lateral Movement Techniques Part 2

CobaltStrike Beacon Config Parsing with CyberChef — Malware Mondays #2

Cobalt Strike Hunting – Key items to look for

Identify malicious servers / Cobalt Strike servers with JARM

Full-Spectrum Cobalt Strike Detection

Cobalt Strike, a Defender’s Guide

Cobalt Strike, a Defender’s Guide – Part 2

BazarCall to Conti Ransomware via Trickbot and Cobalt Strike

Cobalt Strike and Tradecraft

Analysing Cobalt Strike for fun and profit

Cobalt Strike Remote Threads detection

The art and science of detecting Cobalt Strike

Detecting Cobalt Strike Default Modules via Named Pipe Analysis

A Multi-Method Approach to Identifying Rogue Cobalt Strike Servers

How to detect Cobalt Strike activities in memory forensics

Detecting Cobalt Strike by Fingerprinting Imageload Events

The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration

CobaltStrike - beacon.dll : Your No Ordinary MZ Header

GitHub-hosted malware calculates Cobalt Strike payload from Imgur pic

Detecting Cobalt Strike beacons in NetFlow data

Volatility Plugin for Detecting Cobalt Strike Beacon

Easily Identify Malicious Servers on the Internet with JARM

Cobalt Strike Beacon Analysis

Hancitor infection with Pony, Evil Pony, Ursnif, and Cobalt Strike

Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike

Hiding in the Cloud: Cobalt Strike Beacon C2 using Amazon APIs

Identifying Cobalt Strike team servers in the wild

Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature

Operation Cobalt Kitty

Detecting and Advancing In-Memory .NET Tradecraft

Analysing Fileless Malware: Cobalt Strike Beacon

CobaltStrike samples (pass=infected)

IndigoDrop spreads via military-themed lures to deliver Cobalt Strike

Cobalt Group Returns To Kazakhstan

Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability

Azure Sentinel Quick-Deploy with Cyb3rWard0g’s Sentinel To-Go – Let’s Catch Cobalt Strike!

Cobalt Strike stagers used by FIN6

Malleable C2 Profiles and You

List of spawns from exposed Cobalt Strike C2

C2 Traffic patterns including Cobalt Strike

CobaltStrike Threat Hunting via named Pipes

Hunting for GetSystem in offensive security tools

Hunting and Detecting Cobalt Strike

Detecting Cobalt Strike with memory signatures

How to detect CobaltStrike Command & Control communication

Red Canary Threat Detection Report 2021 - Cobalt Strike

Detecting Exposed Cobalt Strike DNS Redirectors

Decoding Cobalt Strike Traffic

Anatomy of Cobalt Strike's DLL Stager

Enterprise Scale Threat Hunting: C2 Beacon Detection with Unsupervised ML and KQL (Part 1) (Part 2)

Detecting network beacons via KQL using simple spread stats functions

Cobalt Strike Hunting — simple PCAP and Beacon Analysis

Guide to Named Pipes and Hunting for Cobalt Strike Pipes

Detecting C&C Malleable Profiles

FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets - The report itself is not about Cobalt Strike, but FIN12 makes heavy use of the CS. We have a whole section about it in the report: "Cobalt Strike / BEACON TTPs"

Defining Cobalt Strike Components So You Can BEA-CONfident in Your Analysis

Cobalt Strike: Using Known Private Keys To Decrypt Traffic (part 1) (part 2)

Cobalt Strike: Using Process Memory To Decrypt Traffic

Cobalt Strike: Decrypting Obfuscated Traffic

Cobalt Strike: Decrypting DNS Traffic

Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory

Finding Beacons in the Dark: A Guide to Cyber Threat Intelligence

Collecting Cobalt Strike Beacons with the Elastic Stack

Extracting Cobalt Strike Beacon Configurations

Attack detection fundamentals, also including Cobalt Strike detection

Cobalt Strike Detection via Log Analysis Workshop

Malleable Memory Indicators with Cobalt Strike's Beacon Payload

STAR Webcast: Spooky RYUKy: The Return of UNC1878

Excel 4.0 Macros Analysis - Cobalt Strike Shellcode Injection

Profiling And Detecting All Things SSL With JA3

Hunting beacons by Bartosz Jerzman (x33fcon conf)

Striking Back: Hunting Cobalt Strike Using Sysmon And Sentinel by Randy Pargman

Making Sense Of Encrypted Cobalt Strike Traffic

Cobalt Strike Threat Hunting | SANS DFIR Summit 2021 | Chad Tilbury

SiegeCast "COBALT STRIKE BASICS" with Tim Medin and Joe Vest

Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory by Didier Stevens

Mining The Shadows with ZoidbergStrike: A Scanner for Cobalt Strike

README source: MichaelKoczwara/Awesome-CobaltStrike-Defence