============================================================
  Cobalt Strike Analysis
============================================================

  Analyze Cobalt Strike beacons, configurations, and network traffic using Didier Stevens' CS toolkit on REMnux.

  Related FOR610 Labs: 3.4

────────────────────────────────────────────────────────────

  Step 1: Beacon Detection
  Tools: yara, capa
  Scan suspect file with YARA rules for CS signatures.
  capa detects 'receive data from C2' and beacon-like
  capabilities. Check for: characteristic 200KB+ size,
  sleep patterns.

    $ yara-rules specimen.bin
    $ capa specimen.exe

  Step 2: Configuration Extraction
  Tools: 1768-py
  Parse beacon config: 1768.py <sample>. Extracts: C2
  URLs, user-agent, beacon interval, watermark, spawn-to
  process, named pipes, proxy config.

    $ 1768.py shellcode.bin

  Step 3: Metadata Decryption
  Tools: cs-decrypt-metadata-py
  Decrypt beacon metadata from network captures:
  cs-decrypt-metadata.py <metadata>. Reveals: computer
  name, user, process info sent to team server.

    $ cs-decrypt-metadata.py <metadata_hex>

  Step 4: Key Extraction
  Tools: cs-extract-key-py
  Extract encryption keys: cs-extract-key.py -f
  <process_dump>. Recovers AES and HMAC keys used for C2
  communication encryption.

    $ cs-extract-key.py -f <process_dump>

  Step 5: Traffic Decryption
  Tools: cs-parse-traffic-py
  Decrypt C2 traffic: cs-parse-traffic.py -f <pcap> -k
  <keys>. Reveals: tasking commands, downloaded
  payloads, exfiltrated data.

    $ cs-parse-traffic.py -f <capture.pcap> -k <keys_file>

  Step 6: Sleep Mask Analysis
  Tools: cs-analyze-processdump-py
  Analyze sleep mask: cs-analyze-processdump.py <dump>.
  Detects if beacon encrypts itself in memory during
  sleep. Useful for memory forensics.

    $ cs-analyze-processdump.py <process_dump>

  Step 7: Document Findings
  Record: C2 domains/IPs, beacon interval, watermark
  (operator ID), user-agent strings, named pipe
  patterns, spawn-to process, malleable C2 profile
  indicators.
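  Worked example for Step 2, added here and not part of the original cheatsheet or of Didier Stevens' 1768.py: a minimal parser for the publicly documented beacon config layout (single-byte XOR obfuscation over index/type/length entries), run over a constructed sample blob. The field-name table is a subset, and the sample values (C2 host, user-agent, watermark, sleep) are made up for the demonstration.

```python
# Added illustration of Step 2 (not 1768.py): locate and decode a beacon config.
import struct

# Subset of the publicly documented config field indices.
FIELD_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 5: "Jitter",
               8: "C2Server", 9: "UserAgent", 10: "HttpPostUri", 14: "SpawnTo",
               15: "PipeName", 37: "Watermark"}
# Entries are index(2) type(2) length(2) value, big-endian; type 1=short,
# 2=int, 3=raw data. The block is XOR'd with one byte (0x69 for CS 3.x,
# 0x2e for 4.x) and always starts with entry 1 (BeaconType, short).
XOR_KEYS = (0x69, 0x2E)
PLAIN_MAGIC = b"\x00\x01\x00\x01\x00\x02"

def parse_beacon_config(blob):
    """Return (xor_key, {field: value}) or (None, {}) if no config is found."""
    for key in XOR_KEYS:
        pos = blob.find(bytes(b ^ key for b in PLAIN_MAGIC))
        if pos >= 0:
            return key, _parse_entries(bytes(b ^ key for b in blob[pos:]))
    return None, {}

def _parse_entries(data):
    fields, off = {}, 0
    while off + 6 <= len(data):
        idx, typ, length = struct.unpack(">HHH", data[off:off + 6])
        off += 6
        if idx == 0:                       # index 0 terminates the config
            break
        raw, off = data[off:off + length], off + length
        if typ == 1 and length == 2:
            value = struct.unpack(">H", raw)[0]
        elif typ == 2 and length == 4:
            value = struct.unpack(">I", raw)[0]
        else:                              # type 3: NUL-padded bytes
            value = raw.rstrip(b"\x00")
        fields[FIELD_NAMES.get(idx, "Field_%d" % idx)] = value
    return fields

def _entry(idx, typ, value, pad=0):
    """Encode one entry; used only to build the constructed sample below."""
    raw = (struct.pack(">H", value) if typ == 1 else struct.pack(">I", value)
           if typ == 2 else value.ljust(pad, b"\x00"))
    return struct.pack(">HHH", idx, typ, len(raw)) + raw

# Constructed sample blob (not a real beacon): CS 4.x layout, key 0x2e.
SAMPLE_BLOB = b"\x90" * 16 + bytes(b ^ 0x2E for b in (
    _entry(1, 1, 8) + _entry(2, 1, 443) + _entry(3, 2, 60000) + _entry(5, 1, 20)
    + _entry(8, 3, b"c2.example.invalid,/updates", 256)
    + _entry(9, 3, b"Mozilla/5.0 (constructed)", 128)
    + _entry(37, 2, 123456) + _entry(0, 0, b"")))
```

  Calling parse_beacon_config() on a real process dump or extracted shellcode yields the same C2 host, user-agent, sleep and watermark fields that Step 7 asks you to record; unknown indices surface as Field_N so nothing is silently dropped.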

────────────────────────────────────────────────────────────
  Tip: 'fhelp cheat <tool>' for full examples
       'Ctrl+G' for interactive cheatsheet browser
