Cobalt Strike has become the attack tool of choice among enlightened global threat actors, making an appearance in almost every recent major hack. Cobalt Strike is an extremely capable and stealthy tool suite, but log analysis can level the playing field, providing many opportunities for detection. This workshop will leverage data sourced from SANS FOR508: Advanced Incident Response, Threat Hunting and Digital Forensics to provide insight into how Cobalt Strike operates and how to detect many of its characteristics via endpoint logs. Whether you are just starting out in threat hunting or a FOR508 alumni, there will be something for everyone in this new workshop!
Prerequisites: Participants will need a system running the Windows operating system to perform Windows event log analysis (virtual machines are okay).While logs will be provided in CSV format for attendees without access to Windows, your experience will be greatly diminished without native access to Windows logging libraries. Some familiarity with Windows event log is desirable.
System Requirements: Prior to the workshop, participants should prepare the following:
Lab materials should be downloaded here: https://sansurl.com/cobalt-strike-workshop-labs/
An optional final part of the workshop will include working with Cobalt Strike beacon malware. Examples will be given using SANS Linux-based SIFT virtual machine available here: https://digital-forensics.sans.org/community/downloads
*Please note: Due to the nature of these workshops, many have a capacity limit, so to help us offer this opportunity to as many people as possible, we are asking that you please only register if you plan to attend live.