Hello, Didier Stevens here, Senior Handler at the Internet Storm Center. About 10 days ago I released version 0015 of my Cobalt Strike Beacon Analysis Tool, 1768. What I introduced was a sanity check for configurations, and that is something that is useful when you analyze memory dumps of infected machines. So let me show you.

I'm running my tool on a memory dump of a Windows 10 machine. It's just a VMware snapshot here, and my tool will work on any memory dump that is not compressed and that is also linear. It's about an 8 GB file. My tool will read the file and then search for configurations. Here you have a bunch of configurations, but these are actually all false positives. The tool finds something that resembles the header of a configuration, but when it decodes it, the values are not meaningful. The payload type, for example, is 6363848; that's not an existing payload type.

So what I introduced is a sanity check, and that's what you see here: sanity check, Cobalt Strike Config, not okay. What the tool will do is check the payload type and the public key; both values must be present. Then the tool will also check if these are reasonable values, values that are normal. If that is not the case, then the configuration is not okay.

What I also did is add more information when a de-obfuscation routine is found. These are based on the YARA rules from Elastic to detect the de-obfuscation routine. As you can see here in memory, the de-obfuscation routines for 64-bit and 32-bit were found quite close to each other, which is unusual, because if the machine is truly infected, you would find 64-bit or 32-bit, not both, and they would not be near each other. What's actually happening here is that the YARA rule for the de-obfuscation routine hits on the signatures of the antivirus running on the machine. That is something you can see with verbose mode.
Here we have an extra decimal ASCII dump before and after the signature that was found. As you can see, it says Elastic, HKTL, CobaltStrike, Beacon 4, 2, decrypt. So this is actually an antivirus signature. And here, for example, you can see another one, Trojan, HyperStack. The same goes for the 32-bit one. So these two are false positives.

Now another option that I introduced is the sanity check option. If you run with that option, then configs that don't pass the sanity check will not be listed. So here all those false positives are gone. All you see is a sleep mask, and for the sleep mask we also determined that this is a false positive. Just for information: this is a standard Windows 10 machine from which I took the snapshot, so that is Microsoft Defender that is running on that machine.

Now I do have another snapshot of that same machine where I actually have a beacon running, so let's take a look at this. Here too, we find configurations that don't pass the sanity check, but here we do find one that passes the sanity check. So if we run this with option S, we should only see that configuration. And that is indeed a true configuration; it's a true positive. We have an HTTP reverse beacon. Here you can see the public key, and here also the server and the URI. Now remark that the configuration is not complete: after the URI there are no more values. What's probably happening here is that this configuration is on two different memory pages and that those memory pages are not consecutive in the file. So we only find that part and not the other part.
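As an added illustration, not part of the video and not code from the 1768 tool itself, here is a small Python sketch of the kind of sanity check described: it decodes constructed beacon configuration records and rejects a config whose payload type or public key is missing or implausible, while still accepting a config that was cut off at a memory page boundary after the key. The option IDs, the set of known payload types and the RSA-1024 DER prefix are assumptions of this example, and all sample data is constructed.

```python
import struct

# Beacon configuration records are TLV: 2-byte option ID, 2-byte value kind
# (1 = 16-bit, 2 = 32-bit, 3 = bytes), 2-byte length, then the big-endian value.
OPT_PAYLOAD_TYPE, OPT_PUBLIC_KEY, OPT_C2_SERVER = 1, 7, 8  # assumed option IDs
KNOWN_PAYLOAD_TYPES = {0, 1, 2, 4, 8, 16}  # assumed list of normal payload types
# DER header of an RSA-1024 SubjectPublicKeyInfo, the form a beacon public key takes.
RSA1024_DER_PREFIX = bytes.fromhex("30819f300d06092a864886f70d010101050003818d00")

def parse_config(blob):
    """Decode TLV records until option 0 or until the data runs out (page boundary)."""
    records, pos = {}, 0
    while pos + 6 <= len(blob):
        opt, kind, length = struct.unpack(">HHH", blob[pos:pos + 6])
        pos += 6
        if opt == 0:
            break
        value = blob[pos:pos + length]
        if len(value) < length:
            break  # record truncated: keep what was decoded so far
        pos += length
        if kind == 1 and length == 2:
            records[opt] = struct.unpack(">H", value)[0]
        elif kind == 2 and length == 4:
            records[opt] = struct.unpack(">I", value)[0]
        else:
            records[opt] = value
    return records

def sanity_check(records):
    """Payload type and public key must be present and plausible; returns (ok, reason)."""
    ptype = records.get(OPT_PAYLOAD_TYPE)
    if not isinstance(ptype, int) or ptype not in KNOWN_PAYLOAD_TYPES:
        return False, "payload type %r missing or not a known value" % (ptype,)
    pubkey = records.get(OPT_PUBLIC_KEY)
    if not isinstance(pubkey, bytes) or not pubkey.startswith(RSA1024_DER_PREFIX):
        return False, "public key missing or not a DER RSA-1024 key"
    return True, "ok"

def record(opt, kind, value):
    return struct.pack(">HHH", opt, kind, len(value)) + value

# Constructed sample configs, not taken from any real memory dump.
PUBKEY = RSA1024_DER_PREFIX + b"\x00" * (256 - len(RSA1024_DER_PREFIX))
GOOD_CONFIG = (record(OPT_PAYLOAD_TYPE, 1, struct.pack(">H", 0))   # 0 = HTTP reverse beacon
               + record(OPT_PUBLIC_KEY, 3, PUBKEY)
               + record(OPT_C2_SERVER, 3, b"c2.example.invalid,/updates\x00")  # placeholder C2
               + record(0, 0, b""))
BAD_CONFIG = record(OPT_PAYLOAD_TYPE, 2, struct.pack(">I", 6363848)) + record(OPT_PUBLIC_KEY, 3, PUBKEY)
TRUNCATED_CONFIG = GOOD_CONFIG[:-12]  # cut inside the C2 record, as at a page boundary
```

Running `sanity_check(parse_config(...))` over the three blobs flags the 6363848 payload type as a false positive and accepts both the complete and the truncated true positive.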