I feel asynchronous low and slow C2 is a missing piece in the penetration tester’s toolkit. Beacon is Cobalt Strike’s answer to this problem. Beacon periodically phones home to check for tasks.  It can perform this check using the DNS or HTTP protocols. When tasks are available, it’ll download them as an encrypted blob using an HTTP request. One nicety, Beacon can communicate with multiple domains–making it resilient to blocking. I announced Beacon in September.

The first release of Beacon served as a light-weight remote administration tool. Something you could use to spawn a session or execute commands on a compromised system. Now, Beacon is turning into a tool for silently collecting information on your behalf.

Today’s Cobalt Strike update adds a keystroke logger to Beacon. The longer you log keystrokes, the better your chances of getting actionable information from the activity. With Beacon, you do not have to be connected to the target to observe their keystrokes. Beacon will try to communicate with you on its schedule and when its able to receive your command, it will post the keystrokes to you as an encrypted blob.

The keystroke logger keeps track of keystrokes and associates them with the active window at the time. This makes the information more useful than a stream of characters without context.

Use keylogger start to start the keystroke logger. To request a dump of keystrokes, use the keylogger command by itself. keylogger stop will stop the keylogger.

keylogging with Beacon

For the keystroke logger to work, Beacon must live inside of a process associated with the current desktop. explorer.exe is a good candidate. To see a list of processes, use shell tasklist. To inject Beacon into a specific process, this release adds an inject command to inject a predefined listener into a process.

To improve Beacon’s survival, Beacon now spawns a new process to inject shellcode into by default. If the injected shellcode crashes its parent process, it will not take Beacon with it.

Pretty cool, eh?

Cobalt Strike’s 12.12.12 update includes several other improvements too. The System Profiler now better detects local IP addresses. Windows 8 systems have their own icon now. And there are several bug fixes too. See the release notes for more information.

Licensed Cobalt Strike users may run the update program to get the latest. If you’re interested in getting a quote, start the process by filling out the form.