Post Exploitation
Beacon Covert C2 Payload
Beacon is Cobalt Strikes payload to model advanced attackers. Use Beacon to egress a network over HTTP, HTTPS, or DNS. You may also limit which hosts egress a network by controlling peer-to-peer Beacons over Windows named pipes.
Beacon is flexible and supports asynchronous and interactive communication. Asynchronous communication is low and slow. Beacon will phone home, download its tasks, and go to sleep. Interactive communication happens in real-time.
Beacon's network indicators are malleable. Redefine Beacon's communication with Cobalt Strike's malleable C2 language. This allows you to cloak Beacon activity to look like other malware or blend-in as legitimate traffic.
The Beacon Console
Right-click on a Beacon session and select interact to open that Beacon’s console. The console is the main user interface for your Beacon session. The Beacon console allows you to see which tasks were issued to a Beacon and to see when it downloads them. The Beacon console is also where command output and other information will appear.
figure 53 - Cobalt Strike Beacon Console
In between the Beacon console’s input and output is a status bar. This status bar contains information about the current session. In its default configuration, the statusbar shows the target’s NetBIOS name, the username and PID of the current session, and the Beacon’s last check-in time.
Each command that’s issued to a Beacon, whether through the GUI or the console, will show up in this window. If a teammate issues a command, Cobalt Strike will pre-fix the command with their handle.
You will likely spend most of your time with Cobalt Strike in the Beacon console. It’s worth your time to become familiar with its commands. Type help in the Beacon console to see available commands. Type help followed by a command name to get detailed help.
The Beacons Console supports Help Groups in organizing the help command output. Type help help on the console's command line to see help for the help command.
The Console tab on the User Preferences dialog has an option for the default format of the help command and an option to highlight user-defined commands in the help output.
You can define custom Help Groups with the beacon_command_group aggressor function and associate user-defined commands with custom Help Groups using the group id parameter on the beacon_command_register aggressor function.