Pivot Listeners

It's good tradecraft to limit the number of direct connections from your target's network to your command and control infrastructure. A pivot listener allows you to create a listener that is bound to a Beacon or SSH session. In this way, you can create new reverse sessions without more direct connections to your command and control infrastructure.

To setup a pivot listener, go to [beacon] -> Pivoting -> Listener. This will open a dialog where you may define a new pivot listener.

Pivot Listener

Pivot Listener

A pivot listener will bind to Listen Port on the specified Session. The Listen Host value configures the address your reverse TCP payload will use to connect to this listener.

Right now, the only payload option is windows/beacon_reverse_tcp. This is a listener without a stager. This means you can’t embed this payload into commands and automation that expect stagers. You do have the option to export a stageless payload artifact and run it to deliver a reverse TCP payload.

Pivot Listeners do not change the pivot host's firewall configuration. If a pivot host has a host-based firewall, this may interfere with your listener. You, the operator, are responsible for anticipating this situation and taking the right steps for it.

To remove a pivot listener, go to Cobalt Strike -> Listeners and remove the listener there. Cobalt Strike will send a task to tear down the listening socket, if the session is still reachable.