Payload Security Features
Cobalt Strike takes steps to protect Beacon's communication and to ensure that a Beacon can only receive tasks from and send output to its team server.
When you set up the Beacon payload for the first time, Cobalt Strike will generate a public/private key pair that is unique to your team server. The team server's public key is embedded into Beacon's payload stage. Beacon uses the team server's public key to encrypt session metadata that it sends to the team server.
Beacon must always send session metadata before the team server can issue tasks and receive output from the Beacon session. This metadata contains a random session key generated by that Beacon. The team server uses each Beacon’s session key to encrypt tasks and to decrypt output.
Each Beacon implementation and data channel uses this same scheme. You have the same security with the A record data channel in the Hybrid HTTP and DNS Beacon as you do with the HTTPS Beacon.
Be aware that the above applies to Beacon once it is staged. The payload stagers, due to their size, do not have built-in security features.
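The key flow described above, as an added sketch that is not Cobalt Strike code: a session key wrapped with an embedded public key, then used to protect tasks and output. The page names no algorithms, so textbook RSA over two fixed Mersenne primes and a SHA-256 keystream with HMAC stand in as toy primitives, the wrapped metadata carries only the session key, and all function names are hypothetical.

```python
import hashlib, hmac, secrets

# Assumption: toy stand-ins, since the page names no algorithms. Textbook RSA
# over two fixed Mersenne primes; unpadded and far too small for real use.
P, Q = 2**89 - 1, 2**107 - 1
N, E = P * Q, 65537                      # public key, embedded in the payload stage
D = pow(E, -1, (P - 1) * (Q - 1))        # private key, held only by the team server

def beacon_metadata(n, e):
    """Beacon side: pick a random session key and wrap it with the public key."""
    session_key = secrets.token_bytes(16)
    return session_key, pow(int.from_bytes(session_key, "big"), e, n)

def server_unwrap(wrapped):
    """Team server side: recover the session key with the private key."""
    return pow(wrapped, D, N).to_bytes(16, "big")

def _subkey(key, label):
    # Separate keys for encryption and authentication, derived from the session key.
    return hashlib.sha256(key + label).digest()

def _xor_stream(key, nonce, data):
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(session_key, plaintext):
    """Encrypt then authenticate a task or output blob under the session key."""
    nonce = secrets.token_bytes(12)
    body = nonce + _xor_stream(_subkey(session_key, b"enc"), nonce, plaintext)
    return body + hmac.new(_subkey(session_key, b"mac"), body, hashlib.sha256).digest()

def open_sealed(session_key, blob):
    """Verify the tag before decrypting; reject anything not made with this key."""
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(_subkey(session_key, b"mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _xor_stream(_subkey(session_key, b"enc"), body[:12], body[12:])

if __name__ == "__main__":
    key, wrapped = beacon_metadata(N, E)           # constructed sample run
    assert server_unwrap(wrapped) == key
    print(open_sealed(key, seal(key, b"constructed sample task")))
```

A blob sealed under any other key, or altered in transit, fails the tag check in `open_sealed`, which is the property the page describes as a Beacon only accepting tasks from its own team server.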