
Detecting Cobalt Strike Beacon beyond the obvious indicators
A practical method for moving from a suspicious payload or connection to a defensible Beacon assessment using configuration, transport, process, and memory evidence.
Read note
A practical method for moving from a suspicious payload or connection to a defensible Beacon assessment using configuration, transport, process, and memory evidence.
Read note
A defender-first workflow for combining endpoint, DNS, HTTP, and memory evidence when Sliver is suspected.
Read note
A sample-led walk through format-string obfuscation, dynamic invocation, Base64 decoding, raw DEFLATE, and the recovered downloader.
Read noteI’m Justin Watson. My work sits across defensive cyber operations, threat analysis, incident response, and the systems used to turn evidence into decisions. This site is where I document methods, failed assumptions, useful tools, and findings worth carrying into the next investigation.