What is the Cobalt Strike Beacon? 

Beacon is Cobalt Strike’s signature payload, designed to model the behavior of advanced attackers to perform a number of post-exploitation activities during adversary simulations and red team engagements. To gain a foothold in its target, Beacon can be delivered in a number of ways, including being embedded into an executable, added to a document, or delivered as a client-side exploit. From there, Beacon can be transmitted using different methods of communication to complete tasks.  

How Does Beacon Communicate?

Establishing a Beacon communication channel between the main red team server and the compromised system can be achieved through several means. Beacon can be cloaked using Malleable C2 settings, reducing visibility by looking like legitimate traffic when sending GET and POST commands with HTTP/HTTPS or through DNS Tunneling. Using a parent Beacon to send commands and receive data, linked Beacons can also communicate covertly peer-to-peer via SMB or TCP

The Flexibility of Beacon

Communication with Beacon is built to be adaptable. Users can create and save different Malleable C2 profiles, which are used to change Beacon’s network traffic indicators to disguise Beacon’s communications and help it to blend in on target. For example, communications could be modified to bypass different types of detection scanning

fta-asynchronous-communication

Asynchronous Communication

Commands are put into a queue and are executed when Beacon checks in. The frequency at which Beacon checks in is set via the sleep command. Users can also specify a jitter value to randomly vary the check in times via a certain percentage. Asynchronous communication is low and slow and is ideal for tasks that would benefit from more stealth.

Icon

Interactive Mode

Cobalt Strike users also have the option to put Beacon into interactive mode (via a sleep setting of 0), meaning that it will check in with the team server several times per second (essentially in real time), allowing every command to execute right away. Though this mode of communication is less covert, it is ideal for tasks that require immediate action and control, such as SOCKS proxying.

Extend the Beacon Agent with Beacon Object Files (BOF)

A Beacon Object File (BOF) is a compiled C program, written to a convention that allows it to execute within a Beacon process and use internal Beacon APIs. BOFs are a way to rapidly extend Beacon’s capabilities with new post-exploitation features. This could include new commands, methods for gathering target information, post-exploitations techniques, or process optimizations.  

Though the Cobalt Strike Team does create BOFs, they are an ideal way for the framework to be extended and customized by the user community. The Community Kit serves as a central repository of these user-created extensions, enabling others to benefit from these additional functionalities.  

Using Beacon with Other Tools

Because of its extreme flexibility, Beacon can also work with other cybersecurity testing tools. Beacon is particularly compatible with other Fortra solutions: 

OST

OST is a curated set of offensive tools that were developed with Cobalt Strike in mind. OST’s Payload Generator is ideal for enhancing the evasiveness of Beacon. Additionally, many of these tools integrate directly using BOFs. For example, OST offers multiple BOF capabilities for extending Cobalt Strike, including Kerberos interaction, novel coercion techniques, O365 token extraction, and more. OST and Cobalt Strike can be purchased together for a reduced price as part of the Red Team Bundle.

Core Impact

Core Impact is an automated pen testing tool that has interoperability with Cobalt Strike, allowing Beacon to function in both tools with session passing and tunneling capabilities. Cobalt Strike and Core impact can be purchased together for a reduced price as part of the Advanced Bundle.

Incorporate Beacon into your red team engagements

request a Quote