World-class instructors teaching today's, critical cyber skills - SANS Online Training


Sorry, this webcast has hit its registration limit. Please check back after the webcast for an archive.

Tech Tuesday Workshop – Cobalt Strike Detection via Log Analysis

  • Tuesday, May 11, 2021 at 1:00 PM EDT (2021-05-11 17:00:00 UTC)
  • Chad Tilbury

You can now attend the webcast using your mobile device!



Cobalt Strike has become the attack tool of choice among enlightened global threat actors, making an appearance in almost every recent major hack. Cobalt Strike is an extremely capable and stealthy tool suite, but log analysis can level the playing field, providing many opportunities for detection. This workshop will leverage data sourced from SANS FOR508: Advanced Incident Response, Threat Hunting and Digital Forensics to provide insight into how Cobalt Strike operates and how to detect many of its characteristics via endpoint logs. Whether you are just starting out in threat hunting or a FOR508 alumni, there will be something for everyone in this new workshop!

Prerequisites: Participants will need a system running the Windows operating system to perform Windows event log analysis (virtual machines are okay).While logs will be provided in CSV format for attendees without access to Windows, your experience will be greatly diminished without native access to Windows logging libraries. Some familiarity with Windows event log is desirable.

System Requirements: Prior to the workshop, participants should prepare the following:

An optional final part of the workshop will include working with Cobalt Strike beacon malware. Examples will be given using SANS Linux-based SIFT virtual machine available here:

*Please note: Due to the nature of these workshops, many have a capacity limit, so to help us offer this opportunity to as many people as possible, we are asking that you please only register if you plan to attend live.

Speaker Bio

Chad Tilbury

Chad has over 20 years of experience working with government agencies, defense contractors, and Fortune 500 companies. He served as a Special Agent with the Air Force Office of Special Investigations, where he investigated and conducted computer forensics for a variety of crimes, including murder, abduction, espionage, fraud, hacking, intellectual property theft, child exploitation, terrorism, and computer intrusions. He has led international forensic teams, built forensic departments, and spent over eight years as an incident response consultant and technical director with Mandiant and CrowdStrike. Here at SANS, Chad is a senior instructor and co-author for two six-day courses: FOR500: Windows Forensic Analysis, which focuses on the core skills required to become a certified forensic practitioner, and FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics, which teaches sophisticated computer intrusion analysis and advanced threat hunting techniques.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.