# Cobalt Strike Analysis

> Analyze Cobalt Strike beacons, configurations, and network traffic using Didier Stevens' CS toolkit on REMnux.

**FOR610 Labs:** 3.4

## Steps

### Step 1: Beacon Detection

**Tools:** [[tools/yara|yara]], [[tools/capa|capa]]

Scan the suspect file with YARA rules for CS signatures. capa detects 'receive data from C2' and beacon-like capabilities. Check for: characteristic 200KB+ size, sleep patterns.

```bash
yara-rules specimen.bin
capa specimen.exe
```

### Step 2: Configuration Extraction

**Tools:** [[tools/1768-py|1768-py]]

Parse the beacon config with 1768.py. Extracts: C2 URLs, user-agent, beacon interval, watermark, spawn-to process, named pipes, proxy config.

```bash
1768.py shellcode.bin
```

### Step 3: Metadata Decryption

**Tools:** [[tools/cs-decrypt-metadata-py|cs-decrypt-metadata-py]]

Decrypt beacon metadata from network captures with cs-decrypt-metadata.py. Reveals: computer name, user, process info sent to the team server.

```bash
cs-decrypt-metadata.py
```

### Step 4: Key Extraction

**Tools:** [[tools/cs-extract-key-py|cs-extract-key-py]]

Extract encryption keys with cs-extract-key.py -f. Recovers the AES and HMAC keys used to encrypt C2 communication.

```bash
cs-extract-key.py -f
```

### Step 5: Traffic Decryption

**Tools:** [[tools/cs-parse-traffic-py|cs-parse-traffic-py]]

Decrypt C2 traffic with cs-parse-traffic.py -f -k. Reveals: tasking commands, downloaded payloads, exfiltrated data.

```bash
cs-parse-traffic.py -f -k
```

### Step 6: Sleep Mask Analysis

**Tools:** [[tools/cs-analyze-processdump-py|cs-analyze-processdump-py]]

Analyze the sleep mask with cs-analyze-processdump.py. Detects whether the beacon encrypts itself in memory while sleeping. Useful for memory forensics.

```bash
cs-analyze-processdump.py
```

### Step 7: Document Findings

Record: C2 domains/IPs, beacon interval, watermark (operator ID), user-agent strings, named pipe patterns, spawn-to process, malleable C2 profile indicators.

#cobalt-strike #c2 #beacon #didier-stevens #threat-intel #workflow
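Step 2 above lists what 1768.py recovers from a beacon; as an added example (not code from this page or from Didier Stevens' toolkit), the following Python shows the mechanics it automates: locate the XOR-encoded config block, de-XOR it, and walk its TLV settings. The XOR keys (0x69 for v3, 0x2e for v4 beacons), the big-endian index/type/length layout and the setting numbers are taken from the publicly documented config format; the sample blob, its C2 string, user-agent and watermark are constructed for the demo.

```python
import struct
# XOR keys that obfuscate the embedded config in v3 (0x69) and v4 (0x2e) beacons
XOR_KEYS = (0x69, 0x2E)
# The first setting is index 1 (BeaconType), type 1 (short), length 2; its XOR'd header locates the block
MARKER = b"\x00\x01\x00\x01\x00\x02"
# Subset of setting indices from the public config format (1768.py numbering)
FIELD_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 5: "Jitter",
               8: "C2Server", 9: "UserAgent", 37: "Watermark"}

def find_config(blob):
    """Return (offset, xor_key) of the encoded config block, or None if absent."""
    for key in XOR_KEYS:
        pos = blob.find(bytes(b ^ key for b in MARKER))
        if pos != -1:
            return pos, key
    return None

def parse_config(blob):
    """Locate, de-XOR and walk the TLV settings (big-endian index/type/length)."""
    found = find_config(blob)
    if found is None:
        return {}
    off, key = found
    data = bytes(b ^ key for b in blob[off:])
    settings, pos = {}, 0
    while pos + 6 <= len(data):
        idx, typ, length = struct.unpack(">HHH", data[pos:pos + 6])
        raw = data[pos + 6:pos + 6 + length]
        if idx == 0 or len(raw) < length:  # zero padding ends the block; stop on truncation
            break
        pos += 6 + length
        if typ in (1, 2):                  # 1 = short, 2 = int
            value = struct.unpack(">H" if typ == 1 else ">I", raw)[0]
        else:                              # 3 = data/string, NUL padded to its slot
            value = raw.rstrip(b"\x00").decode("latin-1")
        settings[FIELD_NAMES.get(idx, f"setting_{idx}")] = value
    return settings

def _tlv(idx, typ, length, value):
    """Encode one setting; used only to build the constructed sample below."""
    body = (struct.pack(">H", value) if typ == 1 else struct.pack(">I", value)
            if typ == 2 else value.encode().ljust(length, b"\x00"))
    return struct.pack(">HHH", idx, typ, length) + body

# Constructed sample: plaintext settings XOR'd with the v4 key and wrapped in filler bytes
SAMPLE_CONFIG = (_tlv(1, 1, 2, 8) + _tlv(2, 1, 2, 443) + _tlv(3, 2, 4, 60000)
                 + _tlv(5, 1, 2, 20) + _tlv(8, 3, 256, "c2.example.invalid,/updates.rss")
                 + _tlv(9, 3, 128, "Mozilla/5.0 (constructed UA)") + _tlv(37, 2, 4, 0x12345678)).ljust(4096, b"\x00")
SAMPLE_BLOB = b"\x90" * 100 + bytes(b ^ 0x2E for b in SAMPLE_CONFIG) + b"\x90" * 100
```

Running `parse_config` on a real beacon or memory dump returns the same kind of dictionary 1768.py prints (port, sleep, jitter, C2 server, user-agent, watermark), which is what Step 7 asks you to record.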