Beacon is my payload for low and slow control of a compromised system. Recently, I added peer-to-peer communication to Beacon. When two Beacons are linked, the child Beacon will get its tasks from and send its output through its parent. Linked Beacons use SMB pipes to communicate. This is a big win for stealth. If a workstation […]
Beacon – An Operator’s Guide
Beacon is a payload in Cobalt Strike that has a lot of communication flexibility. This blog post is not a replacement for the documentation, but rather a guide to how I use it. Reading this post will help you get the most out of Beacon during your operations. Setup: To use Beacon, you must first create a […]
Hacking through a Straw (Pivoting over DNS)
Last month, I announced Beacon’s ability to control a host over DNS. I see Beacon as a low and slow lifeline to get an active session, when it’s needed. Sometimes though, Beacon is all you have. There are times when Meterpreter gets caught too quickly or just can’t get past the network egress restrictions. For these […]
That’ll never work–we don’t allow port 53 out
One of my favorite Cobalt Strike features is its ability to quietly manage a compromised system with DNS. Being rather proud of this feature, I talk about it a lot. During some conversations, I’ve heard the response “that’ll never work, we don’t allow port 53 out, unless it’s our internal DNS server”. To which I reply, […]
Keystroke Logging with Beacon
I feel asynchronous low and slow C2 is a missing piece in the penetration tester’s toolkit. Beacon is Cobalt Strike’s answer to this problem. Beacon periodically phones home to check for tasks. It can perform this check using the DNS or HTTP protocols. When tasks are available, it’ll download them as an encrypted blob using an […]
Beacon – A PCI Compliant Payload for Cobalt Strike
TL;DR: Beacon is a new Cobalt Strike payload that uses DNS to reduce the need to talk directly to Cobalt Strike. Beacon helps you mimic the low and slow command and control popular with APT and malware. In the interest of helping you verify vulnerabilities for compliance purposes, I’d like to introduce you to Beacon, […]