# 1768.py
> Parse Cobalt Strike beacon configuration from shellcode or memory dumps

**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610) | **Author:** Didier Stevens
**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)

## Usage
```bash
1768.py shellcode.bin
```

## Recipes
- [[recipes/cobalt-strike-beacon-parse|Parse Cobalt Strike Beacon Configuration]]

## Workflows
- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 6: Embedded Object Analysis
- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 4: Framework Identification
- [[workflows/cobalt-strike-workflow|Cobalt Strike Analysis]] — Step 2: Configuration Extraction

## Related Tools
- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files.
- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files
- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st
- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to
- [[tools/cobalt-strike-configuration-extractor-csce-and-parser|Cobalt Strike Configuration Extractor (CSCE) and Parser]] — Analyze Cobalt Strike beacons.

## FOR610
**Labs:** 3.4
**Sections:** 3

#cobalt-strike #beacon #c2-config #didier-stevens