Post Exploitation

Beacon Covert C2 Payload

Beacon is Cobalt Strikes payload to model advanced attackers. Use Beacon to egress a network over HTTP, HTTPS, or DNS. You may also limit which hosts egress a network by controlling peer-to-peer Beacons over Windows named pipes.

Beacon is flexible and supports asynchronous and interactive communication. Asynchronous communication is low and slow. Beacon will phone home, download its tasks, and go to sleep. Interactive communication happens in real-time.

Beacon's network indicators are malleable. Redefine Beacon's communication with Cobalt Strike's malleable C2 language. This allows you to cloak Beacon activity to look like other malware or blend-in as legitimate traffic.

The Beacon Console

Right-click on a Beacon session and select interact to open that Beacon’s console. The console is the main user interface for your Beacon session. The Beacon console allows you to see which tasks were issued to a Beacon and to see when it downloads them. The Beacon console is also where command output and other information will appear.

figure 53 - Cobalt Strike Beacon Console

In between the Beacon console’s input and output is a status bar. This status bar contains information about the current session. In its default configuration, the statusbar shows the target’s NetBIOS name, the username and PID of the current session, and the Beacon’s last check-in time.

Each command that’s issued to a Beacon, whether through the GUI or the console, will show up in this window. If a teammate issues a command, Cobalt Strike will pre-fix the command with their handle.

You will likely spend most of your time with Cobalt Strike in the Beacon console. It’s worth your time to become familiar with its commands. Type help in the Beacon console to see available commands. Type help followed by a command name to get detailed help.