Beacon is Cobalt Strike's payload to model advanced attackers. Use Beacon to egress a network over HTTP, HTTPS, or DNS. You may also limit which hosts egress a network by controlling peer-to-peer Beacons over Windows named pipes.
Like Meterpreter, you may deliver Beacon, directly into memory, with a Metasploit Framework exploit or a Cobalt Strike attack.
Beacon is flexible and supports asynchronous and interactive communication. Asynchronous communication is low and slow. Beacon will phone home, download its tasks, and go to sleep. Interactive communication happens in real-time. In this mode, Beacon becomes a pivot for the Metasploit Framework and Meterpreter.
Beacon's network indicators are malleable. Redefine Beacon's communication with Cobalt Strike's malleable C2 language. This allows you to cloak Beacon activity to look like other malware or blend in as legitimate traffic.
To use Beacon, you must start a Beacon listener. Go to Cobalt Strike -> Listeners. Press Add.
The Port field specifies the port Beacon will use for its HTTP or HTTPS traffic. The DNS Beacon will always start a DNS server on port 53.
windows/beacon_http/reverse_http is Cobalt Strike's HTTP beacon. This beacon will check for tasks and download them over HTTP. Once you press Save, Cobalt Strike will ask you to provide a list of domains to beacon to. Create DNS A records that point to your Cobalt Strike IP address. If you do not control any domains (shame on you!), provide your IP address in this box.
windows/beacon_https/reverse_https is Cobalt Strike's HTTPS Beacon. This variant of Beacon will SSL encrypt its communication.
Hybrid HTTP and DNS Beacon
windows/beacon_dns/reverse_http is Cobalt Strike's Hybrid HTTP and DNS beacon. This beacon will use DNS to check if tasks are available. If no tasks are available, it will go back to sleep. The Hybrid HTTP and DNS Beacon may use HTTP or DNS as a data channel to get tasks and send output to you.
Once you press Save, Cobalt Strike will ask you to provide a list of domains to beacon to. Create DNS NS records for these domains that point to your Cobalt Strike IP address. You must make Cobalt Strike authoritative for these domains.
To test your DNS configuration, open a terminal and type nslookup jibberish.beacon.domain. If you get an A record reply of 0.0.0.0, then your DNS is correctly set up. If you do not get a reply, then your DNS configuration is not correct and the Hybrid HTTP and DNS Beacon will not communicate with you.
Make sure your DNS records reference the primary address on your network interface. Cobalt Strike's DNS server will always send responses from your network interface's primary address. DNS resolvers tend to drop replies when they request information from one server, but receive a reply from another.
If you are behind a NAT device, make sure you use your public IP address for the NS record and set your firewall to forward UDP traffic on port 53 to your system. Cobalt Strike includes a DNS server to control Beacon.
If Beacon does not connect to you, go to Cobalt Strike -> Listeners. Review the domains and IP addresses it's calling back to. Cobalt Strike will not update the beacon host list if your IP address changes.
Cobalt Strike Attacks
You may use Beacon with all of Cobalt Strike's attack packages. Create a Beacon listener once and this listener will show up when you set up a Cobalt Strike attack package.
If you set up a DNS Beacon listener, some Cobalt Strike packages will give you two listener options. The first option, listed as listener name, will stage Beacon over HTTP with a Cobalt Strike-specific stager. This HTTP stager is fast and passes through many proxy configurations.
The second option, listed as listener name (DNS), will stage Beacon over the DNS protocol with a Cobalt Strike-specific stager. The DNS stager is valuable for tough egress situations, but you should use it only when the normal stager is not an option. The DNS stager will generate a lot of DNS requests and it's not as fast as the normal stager. The DNS stager is available for use with Cobalt Strike's social engineering packages.
You may deliver Beacon with a Metasploit® Framework exploit. Double-click the PAYLOAD option in a module launcher dialog and choose your Beacon listener. Cobalt Strike will configure the module for you.
You may also use Beacon from a Metasploit® Framework console tab. Beacon's C&C server is compatible with the Metasploit® Framework's stagers for Meterpreter. To stage HTTP or DNS Beacon, specify windows/meterpreter/reverse_http as your payload. To stage HTTPS Beacon, specify windows/meterpreter/reverse_https as your payload. Set LHOST to your Cobalt Strike system's IP address, and set LPORT to the port your Beacon web server is listening on.
Managing Beacon Sessions
Cobalt Strike treats a Beacon session differently from a Meterpreter session. Hosts infected with Beacon will not turn red with lightning bolts indicating access. To view and manage your Beacon sessions, go to View -> Beacons.
In this tab, Cobalt Strike shows your active Beacons. You will see the external IP address of the Beacon, the internal IP address, when the Beacon last called home, and other information. A * next to the user indicates that the Beacon has administrator privileges.
If you use the Hybrid HTTP and DNS beacon, be aware that Cobalt Strike will not know anything about a host until it checks in for the first time. If you see an entry with a last call time and that's it, you will need to give that Beacon its first task to see more information.
Press Remove to remove a beacon. If the beacon calls home again, it will show up again. Use the Remove button to get rid of stale beacons.
Highlight one or more Beacons and right-click to choose from common post-exploitation options:
The Log Keystrokes menu lets you Start or Stop the keystroke logger built into Beacon. Once started, the keystroke logger will collect keystrokes and post them to you after each check-in. The keystroke logger requires that Beacon reside in a process associated with an active desktop session. Beacon cannot log keystrokes if it doesn't see them.
Use Message to task Beacon to post a message to the desktop. This is a silly command, but it has its uses. Again, Beacon must reside in a process associated with the desktop you want to post to.
Try Set Note... to assign a note to your Beacon. These notes exist to help you manage Beacons as you see fit. This information is immediately available to your teammates. The note does not persist when you shut down Cobalt Strike.
Use Sleep to change Beacon's sleep time. Beacon will wait however long you specify between check-ins. A higher sleep time makes Beacon harder to catch.
Select Spawn to ask Beacon to spawn a session for you. The Spawn dialog will show listeners from all of the Cobalt Strike team servers you're connected to. This is a simple way to send sessions to another server dedicated to noisy post-exploitation activity.
Use Task URL to ask Beacon to download a file and execute it. This is a great way to quickly deploy another remote administration tool (e.g., DarkComet) to several systems at once.
The Upload menu will upload a file to the target system through Beacon.
Use Clear to quickly clear Beacon's command queue. This is useful if you or someone on your team makes a mistake.
Kill will task Beacon to exit.
The Beacon Manager exposes only some of Beacon's functionality. To take advantage of Beacon, you must use the Beacon console. To open a Beacon console, highlight a Beacon, and press Interact.
The Beacon console allows you to see which tasks were issued to a Beacon and to see when it downloads them. The Beacon console is also where all command output, logged keystrokes, and other information will appear.
Type help in the Beacon console to see available commands. Type help followed by the command name to get more detailed help. Tab completion is available in the Beacon console as well.
Use the sleep command to specify Beacon's sleep time in seconds. By default, Beacon's sleep time has no variance built in. If you'd like the sleep times to vary, specify a jitter percentage after the sleep time. For example, sleep 300 20 will force Beacon to sleep for 300 seconds with a 20% jitter percentage. This means Beacon will sleep for a random value between 240s and 300s after each check-in.
Use sleep 0 to make Beacon check in multiple times a second. This is interactive mode.
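Added example for defenders (not part of the Cobalt Strike documentation): the sleep and jitter behaviour described above leaves a timing pattern in proxy logs, because every gap between check-ins falls inside the band [sleep x (1 - jitter), sleep]. The log format, host names and thresholds below are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines: "timestamp client_ip destination_host".
SAMPLE_LOG = """\
2024-01-01T09:00:00 10.0.0.5 cdn.example.test
2024-01-01T09:00:03 10.0.0.9 news.example.test
2024-01-01T09:00:15 10.0.0.9 news.example.test
2024-01-01T09:05:00 10.0.0.5 cdn.example.test
2024-01-01T09:09:22 10.0.0.5 cdn.example.test
2024-01-01T09:14:09 10.0.0.5 cdn.example.test
2024-01-01T09:16:05 10.0.0.9 news.example.test
2024-01-01T09:16:50 10.0.0.9 news.example.test
2024-01-01T09:18:13 10.0.0.5 cdn.example.test
2024-01-01T09:23:08 10.0.0.5 cdn.example.test
2024-01-01T09:27:19 10.0.0.5 cdn.example.test
2024-01-01T10:06:50 10.0.0.9 news.example.test
2024-01-01T10:09:00 10.0.0.9 news.example.test
2024-01-01T10:09:20 10.0.0.9 news.example.test
"""

def parse(log_text):
    """Group request timestamps by (client, destination)."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, client, dest = line.split()
        events[(client, dest)].append(datetime.fromisoformat(ts))
    return events

def find_periodic(log_text, min_events=6, max_jitter=0.5):
    """Flag pairs whose check-in gaps all sit in one narrow band.

    With sleep S and jitter J every gap lies in [S*(1-J), S], so
    1 - min_gap/max_gap estimates J and max_gap estimates S.
    """
    findings = {}
    for pair, times in parse(log_text).items():
        if len(times) < min_events:
            continue  # too few samples to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        lo, hi = min(gaps), max(gaps)
        if hi <= 0:
            continue  # identical timestamps only, nothing to measure
        spread = 1 - lo / hi
        if spread <= max_jitter:
            findings[pair] = {"est_sleep": hi,
                              "est_jitter_pct": round(spread * 100)}
    return findings

if __name__ == "__main__":
    for pair, info in find_periodic(SAMPLE_LOG).items():
        print(pair, info)
```

Software updaters and telemetry agents also poll on fixed schedules, so treat a hit as a triage lead to be checked against the destination's reputation and the originating process.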
The Hybrid HTTP and DNS Beacon uses HTTP as a data channel by default. If you're using this form of Beacon, you may ask Beacon to download tasks and send output over the DNS protocol.
Type mode dns to ask Beacon to download tasks with DNS A records. Use mode dns-txt to ask Beacon to get tasks with DNS TXT records. DNS TXT records carry 189 bytes of data per request versus 4 bytes for an A record request. DNS A record requests are more common in network traffic.
Use mode http to signal Beacon to download tasks and send output with the HTTP protocol again. You may change between data channels as needed while using the Hybrid HTTP and DNS Beacon.
The mode dns and mode dns-txt commands have no effect on the HTTP Beacon.
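Added example for defenders (not part of the Cobalt Strike documentation): because an A record reply carries 4 bytes and a TXT reply 189 bytes, a DNS data channel shows up in resolver logs as many queries for never-repeated names under one delegated zone. The log format, zone names and thresholds are constructed assumptions.

```python
from collections import defaultdict

TXT_BYTES, A_BYTES = 189, 4  # per-request capacities quoted on this page

def parent_zone(qname, labels=2):
    """Naive parent zone: the last `labels` labels of the query name.
    Assumption for the example; use the Public Suffix List in production."""
    return ".".join(qname.rstrip(".").lower().split(".")[-labels:])

def build_sample():
    """Constructed resolver log lines: 'client qtype qname'."""
    noisy = [f"10.0.0.5 TXT {i:08x}.t.badzone.example" for i in range(40)]
    noisy += [f"10.0.0.5 A {i:08x}.a.badzone.example" for i in range(10)]
    normal = ["10.0.0.9 A www.intranet.example"] * 35
    normal += ["10.0.0.9 A mail.intranet.example"] * 15
    return noisy + normal

def dns_channel_candidates(lines, min_queries=30, min_unique_ratio=0.9):
    """Flag (client, zone) pairs with many queries that almost never
    repeat a name, which ordinary cached lookups do not produce."""
    stats = defaultdict(lambda: {"names": set(), "A": 0, "TXT": 0, "total": 0})
    for line in lines:
        client, qtype, qname = line.split()
        s = stats[(client, parent_zone(qname))]
        s["total"] += 1
        s["names"].add(qname.lower())
        if qtype.upper() in ("A", "TXT"):
            s[qtype.upper()] += 1
    findings = {}
    for key, s in stats.items():
        ratio = len(s["names"]) / s["total"]
        if s["total"] >= min_queries and ratio >= min_unique_ratio:
            findings[key] = {
                "queries": s["total"],
                "unique_ratio": round(ratio, 2),
                "txt_share": round(s["TXT"] / s["total"], 2),
                # Upper bound on data delivered to the client in replies.
                "max_bytes_carried": s["TXT"] * TXT_BYTES + s["A"] * A_BYTES,
            }
    return findings

if __name__ == "__main__":
    for key, info in dns_channel_candidates(build_sample()).items():
        print(key, info)
```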
Peer-to-Peer Command and Control
The SMB Beacon is designed for peer-to-peer communication with other Beacons. To gain control of it, another Beacon must link to it.
windows/beacon_smb/reverse_tcp is Cobalt Strike's SMB Beacon. This payload stages Cobalt Strike's SMB Beacon over a TCP connection. When you create an SMB Beacon listener, the Port specifies the port for the staging process only.
You do not need to create an SMB Beacon listener to use SMB Beacon. It's more common to generate a staged SMB Beacon executable or DLL, run it on a target, and link to it from another Beacon. Go to Attacks -> Packages -> Windows Executable (S) and select SMB Beacon.
An HTTP or DNS Beacon may become an SMB Beacon. Use mode smb to make this change happen. Once a Beacon becomes an SMB Beacon, there is no way to make it beacon over HTTP or DNS again. If you'd like to kill an SMB Beacon, use the exit command. If you'd like to make the host beacon over HTTP or DNS, task the SMB Beacon to give you another Beacon session.
Cobalt Strike's PsExec and PsExec (psh) login options will deliver an SMB Beacon for you. Select the beacon (connect to target) option in the Listener field. This will deliver SMB Beacon with a bind_tcp payload stager.
Linking and Unlinking
Use link [ip address] to link the current Beacon to an SMB Beacon that is waiting for a connection. When the current Beacon checks in, its linked peers will check in too.
To blend in with normal traffic, linked Beacons use Windows named pipes to communicate. This traffic is encapsulated in the SMB protocol. There are a few caveats to this approach:
- Hosts with a Beacon peer must accept connections on port 445.
- You may only link Beacons managed by the same Cobalt Strike instance.
If you get an error 5 (access denied) after you try to link to a Beacon: steal a domain user's token or use shell net use \\host /U:DOMAIN\user password to establish a session with the host. An administrator user is not required for this. Any valid domain user will do. Once you have a session, try to link to the Beacon again.
To destroy a Beacon link use unlink [ip address] in the parent or child. Later, you may link to the unlinked Beacon again (or link to it from another Beacon).
Post Exploitation with Beacon
Beacon's shell command will send a task to execute a command via cmd.exe on the compromised host. When the command completes, Beacon will present the output to you. Use the execute command to execute a command without cmd.exe and without posting output to you.
Use the powershell command to execute a command with PowerShell on the compromised host. The powershell-import command will import a PowerShell script into Beacon. Future uses of the powershell command will have cmdlets from the imported script available to them. Beacon will only hold one PowerShell script at a time.
If you want Beacon to execute commands from a specific directory, use the cd command in the Beacon console to switch the working directory of the Beacon's process.
Use keylogger start to start the keystroke logger. You will receive keystrokes when Beacon checks in. If you're using the Hybrid HTTP and DNS Beacon, use checkin to force Beacon to connect to you and provide captured keystrokes.
keylogger stop stops the keystroke logger.
Beware that multiple keystroke loggers may conflict with each other. Use only one keystroke logger per desktop session. To log all keystrokes in a desktop session, inject Beacon into explorer.exe before you use this feature.
Type spawn followed by a listener name to task Beacon to spawn a session for a listener. This command is the same as the right-click Spawn menu item.
By default, the spawn command will spawn a session in rundll32.exe. An alert administrator may find it strange that rundll32.exe is periodically making connections to the internet. Find a better program (e.g., Internet Explorer) and use the spawnto command to state which program Beacon should spawn sessions into.
The spawnto command expects the full path to the program. Type spawnto by itself and press enter to instruct Beacon to go back to its default behavior.
Type inject followed by a process id and a listener name to inject a session into a specific process. Use ps to get a list of processes on the current system.
The inject and spawn commands both inject a stager for the desired listener into memory. This stager tries to connect back to you to stage the requested payload into memory. If the stager cannot get past any egress restrictions or blocks that are in place, you will not get a session.
Upload and Download Files
The download command will download the requested file. You do not need to provide quotes around a filename with spaces in it. Beacon is built for low and slow exfil of data. Beacon will download 512KB of each file it's tasked to get after a check in.
To view files downloaded through Beacon, go to View -> Downloads in Cobalt Strike.
The upload command will upload a file to the host. Beacon is not able to upload files larger than 1MB.
Use the meterpreter command to request a Meterpreter session that tunnels its traffic through the current Beacon. When tunneling Meterpreter through Beacon, use sleep 0 to make Beacon check in several times each second.
Beacon will use the current data channel to stage Meterpreter. Meterpreter is big. If mode dns-txt is the data channel, it will take several minutes (over internet DNS infrastructure) to stage Meterpreter. Don't try to stage Meterpreter with mode dns as your data channel.
If HTTP is a viable egress option for you, type mode http before you issue the meterpreter command to use HTTP as a data channel. Once you have a Meterpreter session, you may use one of Beacon's other data channels to manage the Meterpreter session.
Use socks 8080 to set up a SOCKS4a proxy server on port 8080 (or any other port you choose). This will set up a SOCKS proxy server to tunnel traffic through Beacon. Beacon's sleep time adds latency to any traffic you tunnel through it. Use sleep 0 to make Beacon check in several times a second.
Beacon's HTTP data channel is the most responsive for pivoting purposes. If you'd like to pivot traffic over DNS, use the DNS TXT record communication mode.
You may use proxychains to tunnel external tools through Beacon.
Use socks stop to disable the SOCKS proxy server.
You may also tunnel Metasploit® Framework exploits and modules through Beacon. Create a Beacon SOCKS proxy [as described above] and then go to a Metasploit® Framework Console tab (View -> Console). Type:
setg Proxies socks4:127.0.0.1:8080
setg ReverseAllowProxy true
This command will set the Metasploit® Framework Proxies option for all modules executed from this point forward. This option forces the Metasploit® Framework to direct traffic through a SOCKS4 proxy on 127.0.0.1:8080. If you use a different port for Beacon, specify it in the option. Once you're done pivoting through Beacon in this way, use unsetg Proxies to stop this behavior.
Privilege Escalation (getsystem)
Use getsystem to impersonate a token for the SYSTEM account. This level of access may allow you to perform privileged actions that are not possible as an Administrator user.
Use runas [user] [password] [command] to run a command as another user using their credentials. The runas command will not return any output. You may use runas from a non-privileged context though.
Privilege Escalation (UAC Bypass)
Microsoft introduced User Account Control (UAC) in Windows Vista and refined it in Windows 7. UAC works a lot like sudo in UNIX. Day-to-day a user works with normal privileges. When the user needs to perform a privileged action, the system asks if they would like to elevate their rights.
Use bypassuac [listener] to spawn a session in a process with elevated rights. This privilege escalation technique takes advantage of a loophole in the UAC default settings on Windows 7 and later. This command will not work if the current user is not in the Administrators group or if UAC is set to its highest setting. To check if the current user is in the Administrators group, use shell whoami /groups.
Beacon's UAC bypass will drop a DLL file to disk and remove the DLL when it's done. Beacon uses Cobalt Strike's Artifact Kit to generate an anti-virus safe DLL.
Token Stealing and Lateral Movement
When a user logs onto a Windows host, an access token is generated. This token contains information about the user and their rights. The access token also holds information needed to authenticate the user to another system on the same Active Directory domain. You may steal a token from another process and apply it to your Beacon. When you do this, you may interact with other systems on the domain as that user.
Use steal_token [process id] to impersonate a token from an existing process. If you'd like to see which processes are running, use ps. The getuid command will print your current token. Use rev2self to revert back to your original token.
Once you have a token for a domain admin or a domain user who is a local admin on a target, you may copy an executable to the target and run it. This abuse of trust relationships is lateral movement.
The SMB Beacon is the best choice for lateral movement. Use Attacks -> Packages -> Windows Executable (S) to generate a fully staged SMB Beacon as a Windows Service Executable. Upload this executable through Beacon and copy it to the target system:
shell copy foobar.exe \\host\C$\windows\temp
Use the Windows sc command to create a service on the target system and start it:
shell sc \\host create foobar binpath= "c:\windows\temp\foobar.exe"
shell sc \\host start foobar
The sc command requires an executable that responds to Service Control Manager commands. Cobalt Strike's Windows Executable (S) dialog will create a Windows Service Executable if you select it as the Output option.
Make sure you clean up after yourself:
shell sc \\host delete foobar
shell del \\host\C$\windows\temp\foobar.exe
Use link host to assume control of the SMB Beacon on the target host.
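Added example for defenders (not part of the Cobalt Strike documentation): the copy-then-sc sequence above produces a file write over an administrative share followed by a service install that points at the same file. This sketch correlates the two using simplified, constructed records modelled on Windows event 5145 (detailed file share) and 7045 (service installed); the record layout, host names and the 10 minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed, simplified event records (not real log data).
EVENTS = [
    {"id": 5145, "time": "2024-01-01T10:00:00", "host": "FS01",
     "ShareName": r"\\*\C$", "RelativeTargetName": r"windows\temp\foobar.exe",
     "AccessMask": "0x2", "IpAddress": "10.0.0.5"},
    {"id": 7045, "time": "2024-01-01T10:00:20", "host": "FS01",
     "ServiceName": "foobar", "ImagePath": r"c:\windows\temp\foobar.exe"},
    {"id": 7045, "time": "2024-01-01T10:05:00", "host": "FS01",
     "ServiceName": "BackupAgent",
     "ImagePath": r'"C:\Program Files\Backup\agent.exe"'},
    {"id": 5145, "time": "2024-01-01T10:06:00", "host": "WS02",
     "ShareName": r"\\*\docs", "RelativeTargetName": r"q1\report.docx",
     "AccessMask": "0x2", "IpAddress": "10.0.0.7"},
]

WRITE_DATA = 0x2  # WriteData / AddFile access right

def share_to_local(share, rel):
    """Map a drive admin share (C$, D$, ...) plus relative path to a local path."""
    name = share.rsplit("\\", 1)[-1]
    if re.fullmatch(r"[A-Za-z]\$", name):
        return (name[0] + ":\\" + rel).lower()
    return None  # ordinary shares are ignored in this example

def correlate(events, window=timedelta(minutes=10)):
    """Return service installs whose binary was written via an admin share
    on the same host shortly before the install."""
    writes, hits = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 5145 and int(ev["AccessMask"], 16) & WRITE_DATA:
            path = share_to_local(ev["ShareName"], ev["RelativeTargetName"])
            if path and path.endswith(".exe"):
                writes.append((t, ev["host"], path, ev["IpAddress"]))
        elif ev["id"] == 7045:
            image = ev["ImagePath"].strip('"').lower()
            for wt, host, path, src in writes:
                if host == ev["host"] and path == image and t - wt <= window:
                    hits.append({"host": host, "service": ev["ServiceName"],
                                 "image": image, "source": src,
                                 "delay_s": (t - wt).total_seconds()})
    return hits

if __name__ == "__main__":
    for hit in correlate(EVENTS):
        print(hit)
```

The cleanup step removes the service and the file but not these two events, so the correlation still works after the fact when the logs are forwarded off the host.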
Use kerberos_ticket_use [/path/to/ticket] to inject a Kerberos ticket into the current session. This will allow Beacon to interact with remote systems using the rights in this ticket. Try this with a Golden Ticket generated by mimikatz 2.0.
Use kerberos_ticket_purge to clear any Kerberos tickets associated with your session.
Beacon has a few other commands not covered above.
The clear command will clear Beacon's task list. Use this if you make a mistake.
Type exit to ask Beacon to exit.
Use kill [pid] to terminate a process.
Use task [url] to ask Beacon to download a file from a URL and execute it.
Use timestomp to match the Modified, Accessed, and Created times of one file to those of another file.