Beacon Gate

The beacon_gate block determines what WinAPIs Beacon will forward to the Sleepmask. By default, the Sleepmask will automatically mask Beacon for any API that is proxied (and subsequently) executed via BeaconGate. However, masking will be automatically disabled when you task Beacon to become interactive (< 3s) to avoid CPU spikes.

The default behavior can be customized via implementing a User Defined Sleepmask via the BEACON_SLEEP_MASK Aggressor hook. For an example of how to do this, see the Sleepmask-VS repo. This repository demonstrates simple examples of BeaconGate so operators can quickly develop a custom Sleepmask BOF for use with BeaconGate.

The table below shows the supported beacon_gate options and their corresponding WinAPIs:

Option	APIs	Notes
None	None	The default option. No APIs are proxied via the Sleepmask.
Comms	InternetOpenA InternetConnectA	This is currently only supported by the HTTP(S) WinInet Beacon.
Core	CloseHandle CreateFileMapping CreateRemoteThread CreateThread DuplicateHandle GetThreadContext MapViewOfFile OpenProcess OpenThread ReadProcessMemory ResumeThread SetThreadContext UnmapViewOfFile VirtualAlloc VirtualAllocEx VirtualFree VirtualProtect VirtualProtectEx VirtualQuery WriteProcessMemory	This is the core Beacon API set.
Cleanup	ExitThread	This is a special case, see the note below*.
All	Comms, Core, and Cleanup APIs

NOTE:

ExitThread is only proxied via BeaconGate when Exit Function is set to Thread and Beacon is not configured to use module stomping (i.e, `module_x*`). Enabling the Cleanup option out the box will result in the default Sleepmask cleaning up Beacon prior to calling ExitThread. If implementing a User Defined Sleepmask you can also perform additional clean up actions pre thread termination if desired.

It is also possible to proxy specific functions from the supported set with the following syntax:

stage {
        beacon_gate {
           VirtualAlloc;
           VirtualAllocEx;
           InternetConnectA;
        }
}

It is also important to point out that BeaconGate and Cobalt Strike's existing syscall_method option are mutually exclusive; if you enable BeaconGate for an API, it will take precedence over system calls. However, you can enable BeaconGate for a specific API and use Beacon's existing system call method for the rest. For example:

stage {
   set syscall_method "Indirect";
   beacon_gate {
      VirtualAlloc;  // Only VirtualAlloc is routed via BeaconGate
   }
}

As a note, some more intensive Beacon commands such as ps may spike CPU if you have the core set enabled. This is expected behaviour, as ps will call OpenProcess/CloseHandle multiple times while masking. If desired, you can disable BeaconGate at runtime via the beacon_gate disable command or alternatively disable masking for specific functions in your own Sleepmask BOF.

Lastly, there are occasions when it is not possible to forward WinAPI calls to BeaconGate. For example, some supported APIs (VirtualAlloc) may be needed to set up BOF memory in order to use BeaconGate in the first place. To get round this limitation you can specify User Defined memory for BOFs/Sleepmask in a UDRL via the ALLOCATED_MEMORY structure. The bud-loader in UDRL-VS contains examples of how to pass user defined memory to Beacon for use with BOFs and the Sleepmask.

Copyright © Fortra, LLC and its group of companies.
All trademarks and registered trademarks are the property of their respective owners.
4.10 | 202407160902 | July 2024