HTTP and HTTPS Beacon

The HTTP and HTTPS beacons download tasks with an HTTP GET request. These beacons send data back with an HTTP POST request. This is the default. You have incredible control over the behavior and indicators in this payload via Malleable C2.

To stand up an HTTP or HTTPS Beacon listener, go to Cobalt Strike -> Listeners. Press Add. Choose Beacon HTTP as your payload option.

HTTP Beacon Setup

HTTP Beacon Setup

Press [+] to add one or more hosts for the HTTP Beacon to call home to. Press [-] to remove one or more hosts. Press [X] to clear the current hosts. If you have multiple hosts, you can still paste a comma-separated list of callback hosts into this dialog. That's OK.

The length of the beacon host list in beacon payload is limited to 255 characters. This includes a randomly assigned URI for each host and delimiters between each item in the list. If the length is exceeded, hosts will be dropped from the end of the list until it fits in the space. There will be messages in the team server log for dropped hosts.

The Host Rotation Strategy field configures the beacons behavior for choosing which host(s) from the list to use for egress.

Strategy Description
round-robin Loop through the list of host names in the order they are provided. Each host is used for one connection
random Randomly select a host name from the list each time a connection is attempted.
failover-xx Use a working host as long as possible. Use each host in the list until they reach a consecutive failover count (x) or duration time period (m,h,d), then use the next host.
duration-xx Use each host for a period of time. Use each host in the list for the specified duration (m,h,d), then use the next host.

The HTTP Host (Stager) field controls the host of the HTTP Stager for the HTTP Beacon. This value is only used if you pair this payload with an attack that requires an explicit stager.

The Profile field is where you select a Malleable C2 profile variant. A variant is a way of specifying multiple profile variations in one file. With variants, each HTTP or HTTPS listener you setup can have different network indicators.

The HTTP Port (C2) field sets the port your HTTP Beacon will phone home to. The HTTP Port (Bind) field specifies the port your HTTP Beacon payload web server will bind to. These options are useful if you want to setup port bending redirectors (e.g., a redirector that accepts connections on port 80 or 443 but routes the connection to your team server on another port).

The HTTP Host Header value, if specified, is propagated to your HTTP stagers and through your HTTP communication. This option makes it easier to take advantage of domain fronting with Cobalt Strike.

Press ... next to the HTTP Proxy field to specify an explicit proxy configuration for this payload.

Manual Proxy Settings

The (Manual) Proxy Settings dialog offers several options to control the proxy configuration for Beacon’s HTTP and HTTPS requests. The default behavior of Beacon is to use the Internet Explorer proxy configuration for the current process/user context.

Proxy Configuration

Proxy Configuration

The Type field configures the type of proxy. The Host and Port fields tell Beacon where the proxy lives. The Username and Password fields are optional. These fields specify the credentials Beacon uses to authenticate to the proxy.

Check the Ignore proxy settings; use direct connection box to force Beacon to attempt its HTTP and HTTPS requests without going through a proxy.

Press Set to update the Beacon dialog with the desired proxy settings. Press Reset to set the proxy configuration back to the default behavior.

Note: the manual proxy configuration affects the HTTP and HTTPS Beacon payload stages only. It does not propagate to the payload stagers.