What is the Cobalt Strike Beacon?
Beacon is Cobalt Strike’s signature payload, designed to model the behavior of advanced attackers to perform a number of post-exploitation activities during adversary simulations and red team engagements. To gain a foothold in its target, Beacon can be delivered in a number of ways, including being embedded into an executable, added to a document, or delivered as a client-side exploit. From there, Beacon can be transmitted using different methods of communication to complete tasks.
How Does Beacon Communicate?
Establishing a Beacon communication channel between the red team's team server and the compromised system can be achieved through several means. Beacon can be cloaked with Malleable C2 settings, reducing its visibility by making its HTTP/HTTPS GET and POST requests, or its DNS tunneling traffic, resemble legitimate traffic. Linked Beacons can also communicate covertly peer-to-peer over SMB or TCP, with a parent Beacon relaying commands and returned data.
The Flexibility of Beacon
Communication with Beacon is built to be adaptable. Users can create and save different Malleable C2 profiles, which are used to change Beacon’s network traffic indicators to disguise Beacon’s communications and help it to blend in on target. For example, communications could be modified to bypass different types of detection scanning.
Asynchronous Communication
Commands are put into a queue and are executed when Beacon checks in. The frequency at which Beacon checks in is set via the sleep command. Users can also specify a jitter value to randomly vary the check-in times by a specified percentage. Asynchronous communication is low and slow and is ideal for tasks that benefit from more stealth.
Interactive Mode
Cobalt Strike users also have the option to put Beacon into interactive mode (via a sleep setting of 0), meaning that it will check in with the team server several times per second (essentially in real time), allowing every command to execute right away. Though this mode of communication is less covert, it is ideal for tasks that require immediate action and control, such as SOCKS proxying.
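The check-in rhythm described in the two sections above (a fixed sleep, shortened by a bounded random jitter, or near-continuous polling in interactive mode) is what a defender looks for in proxy or flow logs. The following Python is an added example, not Cobalt Strike's or Fortra's code: it models jittered check-in gaps under an assumed jitter model (each gap is the base sleep reduced by a uniformly random fraction of up to the jitter percentage), groups constructed connection records by source/destination pair, and flags pairs whose inter-arrival times have a low coefficient of variation. The thresholds, host addresses and sample records are all constructed for illustration.

```python
import random
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

Record = Tuple[float, str, str]  # (epoch seconds, source host, destination host)


def jittered_gaps(sleep_s: float, jitter_pct: float, count: int, seed: int = 7) -> List[float]:
    """Constructed sample gaps. Assumed model of the sleep/jitter behaviour
    described on the page: each gap is the base sleep shortened by a uniformly
    random fraction of up to jitter_pct percent. Not Beacon's own algorithm."""
    rng = random.Random(seed)
    return [sleep_s * (1.0 - rng.uniform(0.0, jitter_pct / 100.0)) for _ in range(count)]


def records_from_gaps(start: float, src: str, dst: str, gaps: List[float]) -> List[Record]:
    """Turn a list of inter-request gaps into timestamped connection records."""
    out, t = [], start
    for g in gaps:
        t += g
        out.append((t, src, dst))
    return out


def gaps_by_pair(records: List[Record]) -> Dict[Tuple[str, str], List[float]]:
    """Group records by (src, dst) and return each pair's inter-arrival gaps."""
    times: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for t, src, dst in records:
        times[(src, dst)].append(t)
    result: Dict[Tuple[str, str], List[float]] = {}
    for pair, ts in times.items():
        ts.sort()
        result[pair] = [b - a for a, b in zip(ts, ts[1:])]
    return result


def periodicity(gaps: List[float]) -> Dict[str, float]:
    """Summarise gap regularity. Jitter shortens gaps by a bounded random
    amount, so a jittered beacon still has a low coefficient of variation
    (stdev / mean); human-driven traffic is bursty and scores high. Interactive
    mode (sleep 0) shows up instead as a very small mean gap."""
    mean = statistics.fmean(gaps)
    stdev = statistics.pstdev(gaps)
    return {
        "count": float(len(gaps)),
        "mean_gap": mean,
        "median_gap": statistics.median(gaps),
        "cv": stdev / mean if mean > 0 else 0.0,
    }


def flag_beaconing(records: List[Record], max_cv: float = 0.3,
                   min_checkins: int = 10) -> List[Tuple[str, str]]:
    """Return (src, dst) pairs whose check-in rhythm is regular enough to
    warrant analyst review. Both thresholds are assumed starting points."""
    flagged = []
    for pair, gaps in gaps_by_pair(records).items():
        if len(gaps) + 1 < min_checkins:
            continue
        if periodicity(gaps)["cv"] <= max_cv:
            flagged.append(pair)
    return sorted(flagged)


# Constructed sample traffic (not real telemetry): one host checking in with
# "sleep 60" and 20% jitter, and one host browsing the same server irregularly.
C2_SERVER = "203.0.113.10"  # documentation-range address, placeholder only
BEACON_RECORDS = records_from_gaps(1_700_000_000.0, "10.0.0.5", C2_SERVER,
                                   jittered_gaps(60.0, 20.0, 30))
HUMAN_GAPS = [2.0, 140.0, 7.0, 3.0, 600.0, 45.0, 1.0, 1.0, 900.0, 12.0, 30.0, 4.0, 250.0, 8.0, 3.0]
HUMAN_RECORDS = records_from_gaps(1_700_000_000.0, "10.0.0.7", C2_SERVER, HUMAN_GAPS)
SAMPLE_RECORDS = BEACON_RECORDS + HUMAN_RECORDS

if __name__ == "__main__":
    for pair, gaps in gaps_by_pair(SAMPLE_RECORDS).items():
        print(pair, {k: round(v, 3) for k, v in periodicity(gaps).items()})
    print("flagged:", flag_beaconing(SAMPLE_RECORDS))
```

With a 60-second sleep and 20% jitter every gap falls between 48 and 60 seconds, so the coefficient of variation stays near 0.06, far below the irregular browsing pattern. In practice the same statistics are computed per host pair over a rolling window, and long sleeps simply mean a longer window is needed before enough check-ins accumulate.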
Extend the Beacon Agent with Beacon Object Files (BOF)
A Beacon Object File (BOF) is a compiled C program, written to a convention that allows it to execute within a Beacon process and use internal Beacon APIs. BOFs are a way to rapidly extend Beacon’s capabilities with new post-exploitation features. This could include new commands, methods for gathering target information, post-exploitation techniques, or process optimizations.
Though the Cobalt Strike Team does create BOFs, they are an ideal way for the framework to be extended and customized by the user community. The Community Kit serves as a central repository of these user-created extensions, enabling others to benefit from these additional functionalities.
Using Beacon with Other Tools
Because of its extreme flexibility, Beacon can also work with other cybersecurity testing tools. Beacon is particularly compatible with other Fortra solutions: