Windows Executable (Stageless)

Attacks -> Packages -> Windows Executable (S) generates a Windows executable artifact that contains Cobalt Strike's Beacon (no stagers, hence a stageless payload!). This package gives you several output options:

PowerShell is a PowerShell script that injects a stageless Beacon into memory.

Raw is a blob of position independent code that contains Beacon.

Windows EXE is a Windows executable.

Windows Service EXE is a Windows executable that responds to Service Control Manager commands. You may use this executable to create a Windows service with sc or as a custom executable with the Metasploit® Framework's PsExec modules.

Windows DLL (32-bit) is an x86 Windows DLL.

Windows DLL (64-bit) is an x64 Windows DLL. If Use x64 payload is not checked, the x64 DLL will spawn a 32-bit process and migrate your listener to it.

The x86 and x64 DLL options export a Start function that is compatible with rundll32.exe. Use the architecture-appropriate rundll32.exe to load your DLL from the command line.

rundll32 foo.dll,Start
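
As an added example (not part of the Cobalt Strike documentation), here is a hunting check for the rundll32 load described above: it parses process-creation command lines and flags rundll32.exe invocations that call an export named Start. The records are constructed, the field names follow Sysmon Event ID 1, the function names are hypothetical, and the loader architecture is inferred on the assumption of 64-bit Windows.

```python
import ntpath
import re

# Constructed process-creation records; field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": r"rundll32 foo.dll,Start"},
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\Public\a b.dll", Start'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": r"rundll32.exe C:\Temp\x.dll,StartW"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd /c echo foo.dll,Start"},
]

# rundll32 syntax: rundll32[.exe] <dll>,<export> [arguments]
RUNDLL_RE = re.compile(
    r'''^\s*"?[^"]*?rundll32(?:\.exe)?"?\s+      # program token, bare or quoted full path
        (?:"(?P<qdll>[^"]+)"|(?P<dll>[^\s,"]+))  # DLL path, quoted or bare
        \s*,\s*(?P<export>[^\s,]+)               # exported entry point (name or ordinal)
    ''', re.IGNORECASE | re.VERBOSE)

def parse_rundll32(command_line):
    """Return (dll, export) from a rundll32 command line, or None if it does not parse."""
    m = RUNDLL_RE.match(command_line)
    if not m:
        return None
    return (m.group("qdll") or m.group("dll"), m.group("export"))

def find_start_loads(events, export_name="Start"):
    """Return one finding per rundll32.exe process that calls the given export."""
    findings = []
    for ev in events:
        if ntpath.basename(ev["Image"]).lower() != "rundll32.exe":
            continue  # the text "foo.dll,Start" in another process is not a load
        parsed = parse_rundll32(ev["CommandLine"])
        if parsed is None or parsed[1] != export_name:
            continue  # export names are case-sensitive, so compare exactly
        # Assumption: 64-bit Windows, where SysWOW64 holds the 32-bit rundll32.exe.
        arch = "x86" if "\\syswow64\\" in ev["Image"].lower() else "x64"
        findings.append({"dll": parsed[0], "export": parsed[1], "loader_arch": arch})
    return findings

if __name__ == "__main__":
    for finding in find_start_loads(SAMPLE_EVENTS):
        print(finding)
```

A match is a lead for triage rather than a verdict: check the flagged DLL's path and signer, because the export name alone does not identify the file.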

The Proxy field configures manual proxy settings for Beacon to use. This is optional.

This feature generates x86 artifacts that deliver x86 stages by default (unless otherwise noted). Check the Use x64 payload box to generate an x64 artifact that contains an x64 payload stage.

Check the Sign executable file box to sign an EXE or DLL artifact with a code-signing certificate. You must specify a certificate in a Malleable C2 profile.

Cobalt Strike uses its Artifact Kit to generate this output.