Beacon is Cobalt Strike's payload to model advanced attackers. Use Beacon to egress a network over HTTP, HTTPS, or DNS. You may also limit which hosts egress a network by controlling peer-to-peer Beacons over Windows named pipes.
Beacon is flexible and supports asynchronous and interactive communication. Asynchronous communication is low and slow. Beacon will phone home, download its tasks, and go to sleep. Interactive communication happens in real-time.
Beacon's network indicators are malleable. Redefine Beacon's communication with Cobalt Strike's malleable C2 language. This allows you to cloak Beacon activity to look like other malware or blend in as legitimate traffic.
The Beacon Console
Right-click on a Beacon session and select interact to open that Beacon's console. The console is the main user interface for your Beacon session. The Beacon console allows you to see which tasks were issued to a Beacon and to see when it downloads them. The Beacon console is also where command output and other information will appear.
In between the Beacon console's input and output is a status bar. This status bar contains information about the current session. In its default configuration, the status bar shows the target's NetBIOS name, the username and PID of the current session, and the Beacon’s last check-in time.
Each command that's issued to a Beacon, whether through the GUI or the console, will show up in this window. If a teammate issues a command, Cobalt Strike will prefix the command with their handle.
You will likely spend most of your time with Cobalt Strike in the Beacon console. It’s worth your time to become familiar with its commands. Type help in the Beacon console to see available commands. Type help followed by a command name to get detailed help.
The Beacon Menu
Right-click on a Beacon or inside of a Beacon's console to access the Beacon menu. This is the same menu used to open the Beacon console. The Access menu contains options to manipulate trust material and elevate your access. The Explore menu consists of options to extract information and interact with the target’s system. The Pivoting menu is where you can set up tools to tunnel traffic through a Beacon. The Session menu is where you manage the current Beacon session.
Some of Cobalt Strike's visualizations (the pivot graph and sessions table) let you select multiple Beacons at one time. Most actions that happen through this menu will apply to all selected Beacon sessions.
Asynchronous and Interactive Operations
Be aware that Beacon is an asynchronous payload. Commands do not execute right away. Each command goes into a queue. When the Beacon checks in (connects to you), it will download these commands and execute them one by one. At this time, Beacon will also report any output it has for you. If you make a mistake, use the clear command to clear the command queue for the current Beacon.
By default, Beacons check in every sixty seconds. You may change this with Beacon's sleep command. Use sleep followed by a time in seconds to specify how often Beacon should check in. You may also specify a second number between 0 and 99. This number is a jitter factor. Beacon will vary each of its check-in times by the random percentage you specify as a jitter factor. For example, sleep 300 20 will force Beacon to sleep for 300 seconds with a 20% jitter percentage. This means Beacon will sleep for a random value between 240s and 300s after each check-in.
To make a Beacon check in multiple times each second, try sleep 0. This is interactive mode. In this mode commands will execute right away. You must make your Beacon interactive before you tunnel traffic through it. A few Beacon commands (e.g., browserpivot, desktop, etc.) will automatically put Beacon into interactive mode at the next check in.
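The sleep and jitter behaviour described above leaves a measurable pattern in proxy or flow logs. The following is an added example, not part of Cobalt Strike or its documentation: it estimates a sleep value and jitter percentage from one host's connection times to one destination. The function names, the 50% threshold and both sample series are assumptions constructed for illustration.

```python
import random

def sleep_window(sleep_s, jitter_pct):
    """Interval bounds for `sleep <seconds> <jitter>` as described above:
    jitter only shortens the sleep, so sleep 300 20 gives 240 s to 300 s."""
    if not 0 <= jitter_pct <= 99:
        raise ValueError("jitter factor must be between 0 and 99")
    return sleep_s * (100 - jitter_pct) / 100, float(sleep_s)

def simulate_checkins(sleep_s, jitter_pct, count, seed=7):
    """Constructed sample data: check-in times drawn uniformly from the window."""
    lo, hi = sleep_window(sleep_s, jitter_pct)
    rng, t, out = random.Random(seed), 0.0, []
    for _ in range(count):
        out.append(t)
        t += rng.uniform(lo, hi)
    return out

def estimate_sleep_jitter(timestamps, min_events=8):
    """Estimate (sleep_s, jitter_pct) from one host's connection times to one
    destination. Returns None when there are too few events to judge."""
    ts = sorted(timestamps)
    if len(ts) < min_events:
        return None
    deltas = [b - a for a, b in zip(ts, ts[1:])]
    longest, shortest = max(deltas), min(deltas)
    if longest <= 0:
        return None
    # The longest gap approximates the configured sleep; the spread gives the
    # jitter. A dropped log line inflates `longest`, so treat this as a lead.
    return longest, (longest - shortest) / longest * 100

def looks_like_beaconing(timestamps, max_jitter_pct=50.0):
    """Assumed threshold: human-driven traffic mixes sub-second bursts with
    long idle gaps, which pushes the estimated jitter towards 100%."""
    est = estimate_sleep_jitter(timestamps)
    return est is not None and est[1] <= max_jitter_pct

# Constructed inputs: 20 check-ins at `sleep 300 20`, and bursty browsing.
BEACON_LIKE = simulate_checkins(300, 20, 20)
BROWSING = [0, 1, 2, 3, 900, 901, 905, 4000, 4002, 4003]

if __name__ == "__main__":
    print(estimate_sleep_jitter(BEACON_LIKE), looks_like_beaconing(BEACON_LIKE))
    print(estimate_sleep_jitter(BROWSING), looks_like_beaconing(BROWSING))
```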
Beacon's shell command will task a Beacon to execute a command via cmd.exe on the compromised host. When the command completes, Beacon will present the output to you. Use the execute command to execute a command without cmd.exe and without posting output to you.
Use the powershell command to execute a command with PowerShell on the compromised host. Use the powerpick command to execute PowerShell cmdlets without powershell.exe. This command relies on the Unmanaged PowerShell technique developed by Lee Christensen. The powershell command will use your current token. The powerpick command does not inherit your current token. The psinject command will inject Unmanaged PowerShell into a specific process and run your cmdlet from that location.
The powershell-import command will import a PowerShell script into Beacon. Future uses of the powershell, powerpick, and psinject commands will have cmdlets from the imported script available to them. Beacon will only hold one PowerShell script at a time.
If you want Beacon to execute commands from a specific directory, use the cd command in the Beacon console to switch the working directory of the Beacon’s process. The pwd command will tell you which directory you’re currently working from.
Use the spawn command to spawn a session for a listener. The spawn command accepts an architecture (e.g., x86, x64) and a listener as its arguments.
By default, the spawn command will spawn a session in rundll32.exe. An alert administrator may find it strange that rundll32.exe is periodically making connections to the internet. Find a better program (e.g., Internet Explorer) and use the spawnto command to state which program Beacon should spawn sessions into.
The spawnto command requires you to specify an architecture and a full path to a program to spawn, as needed. Type spawnto by itself and press enter to instruct Beacon to go back to its default behavior.
Type inject followed by a process id and a listener name to inject a session into a specific process. Use ps to get a list of processes on the current system. Use inject [pid] x64 to inject a 64-bit Beacon into an x64 process.
The inject and spawn commands both inject a stager for the desired listener into memory. This stager tries to connect back to you to stage the requested payload into memory. If the stager cannot get past any egress restrictions or blocks that are in place, you will not get a session.
Use dllinject [pid] to inject a Reflective DLL into a process. Use the shinject [pid] [architecture] [/path/to/file.bin] command to inject shellcode, from a local file, into a process on target.
Upload and Download Files
The download command will download the requested file. You do not need to provide quotes around a filename with spaces in it. Beacon is built for low and slow exfiltration of data. During each check-in, Beacon will download a fixed chunk of each file it's tasked to get. The size of this chunk depends on Beacon’s current data channel. The HTTP and HTTPS channels pull data in 512KB chunks.
Type downloads to see a list of file downloads in progress for the current Beacon. Use the cancel command, followed by a filename, to cancel a download that’s in progress. You may use wildcards with your cancel command to cancel multiple file downloads at once.
Go to View -> Downloads in Cobalt Strike to see the files that your team has downloaded so far. Only completed downloads will show up in this tab. Downloaded files are stored on the team server. To bring files back to your system, highlight them here, and press Sync Files. Cobalt Strike will then download the selected files to a folder of your choosing on your system.
The upload command will upload a file to the host.
When you upload a file, you will sometimes want to update its timestamps to make it blend in with other files in the same folder. Use the timestomp command to do this. The timestomp command will match the Modified, Accessed, and Created times of one file to another file.
File System Commands
Use the ls command to list files in the current directory. Use mkdir to make a directory. rm will remove a file or folder. cp copies a file to a destination. mv moves a file.
Keystrokes and Screenshots
Beacon's tools to log keystrokes and take screenshots are designed to inject into another process and report their results to your Beacon.
To start the keystroke logger, use keylogger pid to inject into an x86 process. Use keylogger pid x64 to inject into an x64 process. explorer.exe is a good candidate for this tool. The keystroke logger will monitor keystrokes from the injected process and report them to Beacon until the process terminates or you kill the keystroke logger post-exploitation job.
Be aware that multiple keystroke loggers may conflict with each other. Use only one keystroke logger per desktop session.
To take a screenshot, use screenshot pid to inject the screenshot tool into an x86 process. Use screenshot pid x64 to inject into an x64 process. Again, explorer.exe is a good candidate for this tool. This variant of the screenshot command will take one screenshot and exit. You may use screenshot pid architecture time to ask the screenshot tool to run for some number of seconds and report a screenshot each time Beacon checks in. This is a handy way to watch a user’s desktop.
When Beacon receives new screenshots or keystrokes, it will post a message to the Beacon console. The screenshot and keystroke information is not available through the Beacon console though. Go to View -> Keystrokes to see logged keystrokes across all of your Beacon sessions. Go to View -> Screenshots to browse through screenshots from all of your Beacon sessions. Both of these dialogs update as new information comes in. These dialogs make it easy for one operator to monitor keystrokes and screenshots on all of your Beacon sessions.
Manage Post-Exploitation Jobs
Beacon treats each shell, powershell, and keystroke logger instance as a job. These jobs run in the background and report their output when it's available. Use the jobs command to see which jobs are running in your Beacon. Use jobkill to kill a job.
Use socks 8080 to set up a SOCKS4a proxy server on port 8080 (or any other port you choose). This will set up a SOCKS proxy server to tunnel traffic through Beacon. Beacon's sleep time adds latency to any traffic you tunnel through it. Use sleep 0 to make Beacon check in several times a second.
Beacon's HTTP data channel is the most responsive for pivoting purposes. If you'd like to pivot traffic over DNS, use the DNS TXT record communication mode.
You may use proxychains to tunnel external tools through Beacon.
Use socks stop to disable the SOCKS proxy server.
Use the rportfwd command to set up a reverse pivot through Beacon. The rportfwd command will bind a port on the compromised target. Any connections to this port will cause your Cobalt Strike server to initiate a connection to another host and port and relay traffic between these two connections. Cobalt Strike tunnels this traffic through Beacon. The syntax for rportfwd is: rportfwd [bind port] [forward host] [forward port].
Use rportfwd stop [bind port] to disable the reverse port forward.
Some post-exploitation commands require system administrator-level rights. Beacon includes several options to help you elevate your access. Many of Beacon’s privilege escalation options accept a listener as a parameter. This is an ideal situation to use the SMB Beacon. The SMB Beacon uses a named pipe to send its output and get its tasks through another Beacon. The SMB Beacon paired with a privilege escalation attack saves you the trouble of figuring out how to get your elevated access to egress.
Elevate with an Exploit
Type elevate to list privilege escalation exploits registered with Cobalt Strike. Run elevate [exploit name] [listener] to attempt to elevate with a specific exploit.
To start your privilege escalation exploit collection, download the Elevate Kit. The Elevate Kit is an Aggressor Script that integrates several open source privilege escalation exploits into Cobalt Strike. https://github.com/rsmudge/ElevateKit
Elevate with Known Credentials
Use runas [DOMAIN\user] [password] [command] to run a command as another user using their credentials. The runas command will not return any output. You may use runas from a non-privileged context though.
Use spawnas [DOMAIN\user] [password] [listener] to spawn a session as another user using their credentials. This command uses PowerShell to bootstrap a payload in memory.
Use getsystem to impersonate a token for the SYSTEM account. This level of access may allow you to perform privileged actions that are not possible as an Administrator user.
Microsoft introduced User Account Control (UAC) in Windows Vista and refined it in Windows 7. UAC works a lot like sudo in UNIX. Day-to-day a user works with normal privileges. When the user needs to perform a privileged action, the system asks if they would like to elevate their rights.
Use bypassuac [listener] to spawn a session in a process with elevated rights. This privilege escalation technique takes advantage of a loophole in the UAC default settings on Windows 7 and later. This command will not work if the current user is not in the Administrators group or if UAC is set to its highest setting. To check if the current user is in the Administrators group, use shell whoami /groups.
Beacon's UAC bypass will drop a DLL file to disk and remove the DLL when it's done. Beacon uses Cobalt Strike's Artifact Kit to generate an anti-virus safe DLL.
Beacon integrates mimikatz. Use the mimikatz command to pass any command to mimikatz's command dispatcher. For example, mimikatz standard::coffee will give you a cup of coffee. Beacon will take care to inject a mimikatz instance that matches the native architecture of your target.
Some mimikatz commands must run as SYSTEM to work. Prefix a command with a ! to force mimikatz to elevate to SYSTEM before it runs your command. For example, mimikatz !lsa::cache will recover salted password hashes cached by the system.
Once in a while, you may need to run a mimikatz command with Beacon's current access token. Prefix a command with a @ to force mimikatz to impersonate Beacon's current access token. For example, mimikatz @lsadump::dcsync will run the dcsync command in mimikatz with Beacon’s current access token.
Credential and Hash Harvesting
To dump hashes, go to [beacon] -> Access -> Dump Hashes. You may also use the hashdump command from the Beacon console. These commands will spawn a job that injects into LSASS and dumps the password hashes for local users on the current system.
The logonpasswords command will use mimikatz to recover plaintext passwords and hashes for users who are logged on to the current system. The logonpasswords command is the same as [beacon] -> Access -> Run Mimikatz.
Use dcsync [DOMAIN.FQDN] [DOMAIN\user] to pull a password hash for a user from the domain controller. This technique uses Windows APIs built to sync information between domain controllers. It requires a domain administrator trust relationship. Beacon uses mimikatz to execute this technique.
Credentials dumped with these commands are collected by Cobalt Strike and stored in the credentials data model. Go to View -> Credentials to pull up the credentials on the current team server.
Beacon has a built in port scanner. Use portscan [targets] [ports] [discovery method] to start the port scanner job. You may specify a comma-separated list of target ranges. The same goes for ports as well. For example, portscan 172.16.48.0/24 1-1024,8080 will scan hosts 172.16.48.0 through 172.16.48.255 on ports 1 to 1024 and 8080.
There are three target discovery options. The arp method uses an ARP request to discover if a host is alive or not. The icmp method sends an ICMP echo request to check if a target is alive. The none option tells the portscan tool to assume that all hosts are alive.
The port scanner will run in between Beacon check-ins. When it has results to report, it will send them to the Beacon console. Cobalt Strike will process this information and update the targets model with the discovered hosts.
Network and Host Enumeration
Beacon's net module provides tools to interrogate and discover targets in a Windows Active Directory network. Use the net dclist command to find the domain controller for the domain the target is joined to. Use the net view command to find targets on the domain the target is joined to. Both of these commands populate the targets model as well. The net computers command finds targets by querying computer account groups on a Domain Controller.
Beacon's net module contains commands built on top of the Windows Network Enumeration APIs. These commands are direct replacements for many of the built-in net commands in Windows. There are a few unique capabilities here as well. For example, use net localgroup \\TARGET to list the groups on another system. Use net localgroup \\TARGET group name to list the members of a group on another system. These commands are great during lateral movement when you have to find who is a local admin on another system.
Use help net to get a list of all the commands in Beacon's net module. Use help net command to get help for each individual command.
When a user logs onto a Windows host, an access token is generated. This token contains information about the user and their rights. The access token also holds information needed to authenticate the user to another system on the same Active Directory domain. You may steal a token from another process and apply it to your Beacon. When you do this, you may interact with other systems on the domain as that user.
Use steal_token [process id] to impersonate a token from an existing process. If you'd like to see which processes are running use ps. The getuid command will print your current token. Use rev2self to revert back to your original token.
If you know credentials for a user, use make_token [DOMAIN\user] [password] to generate a token that passes these credentials. This token is a copy of your current token with modified single sign-on information. It will show your current username. This is expected behavior.
Use mimikatz to pass-the-hash with Beacon. The Beacon command mimikatz sekurlsa::pth /user:[user] /domain:[DOMAIN] /ntlm:[hash] /run:"powershell -w hidden" will create a process with a token set up to use the single sign-on information you provide. Use steal_token to take the token from this new process and you will inherit its single sign-on information.
Use kerberos_ticket_use [/path/to/ticket] to inject a Kerberos ticket into the current session. This will allow Beacon to interact with remote systems using the rights in this ticket. Try this with a Golden Ticket generated by mimikatz 2.0.
Use kerberos_ticket_purge to clear any kerberos tickets associated with your session.
Once you have a token for a domain admin or a domain user who is a local admin on a target, you may abuse this trust relationship to get control of the target. Cobalt Strike's Beacon has several built-in options for lateral movement.
Use Beacon's psexec [target] [share] [listener] to execute a payload on a remote host. This command will generate a Windows Service executable for your listener, copy it to the share you specify, create a service, start the service, and clean up after itself. Default shares include ADMIN$ and C$.
Use psexec_psh [target] [listener] to execute a payload on a remote host with PowerShell. This command will create a service to run a PowerShell one-liner, start it, and clean up after itself. This method of lateral movement is useful if you do not want to touch disk.
Beacon's winrm [target] [listener] command will use WinRM to execute a payload on a remote host. This option requires that WinRM is enabled on the target system. It's off by default. This option uses PowerShell to bootstrap your payload on target.
Finally, use wmi [target] [listener] to deliver a payload via Windows Management Instrumentation. This command uses PowerShell to bootstrap your payload on target.
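Both psexec and psexec_psh, as described above, create a Windows service on the target, and the Service Control Manager records that as Event ID 7045 in the System log. The following is an added example, not part of Cobalt Strike or its documentation: it triages such records for a service binary on an admin share, a binary in the root of %SystemRoot% (where ADMIN$ points), or a service that launches PowerShell. The heuristic names and all sample records are assumptions constructed for illustration.

```python
import re

# Heuristics below are assumptions derived from the behaviour described above,
# not signatures published by the tool's vendor.
ADMIN_SHARE = re.compile(r'^"?\\\\[^\\]+\\(?:ADMIN|[A-Z])\$\\', re.I)
SYSTEMROOT_EXE = re.compile(
    r'^"?(?:%systemroot%|[a-z]:\\windows)\\[^\\\s"]+\.exe(?=["\s]|$)', re.I)
POWERSHELL = re.compile(r"\bpowershell(?:\.exe)?\b", re.I)

def reasons_for(image_path):
    """Return the list of heuristics a service ImagePath trips."""
    path = image_path.strip()
    hits = []
    if ADMIN_SHARE.match(path):
        hits.append("binary-on-admin-share")      # copied to ADMIN$ or C$
    if SYSTEMROOT_EXE.match(path):
        hits.append("binary-in-systemroot-root")  # ADMIN$ maps to %SystemRoot%
    if POWERSHELL.search(path):
        hits.append("service-runs-powershell")    # service wraps a one-liner
    return hits

def flag_service_installs(events):
    """Scan System-log records; 7045 means 'A service was installed'."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue
        hits = reasons_for(ev.get("ImagePath", ""))
        if hits:
            findings.append((ev["Computer"], ev["ServiceName"], hits))
    return findings

# Constructed sample records: field names follow Event ID 7045, values invented.
EVENTS = [
    {"EventID": 7045, "Computer": "FS02", "ServiceName": "9f3c1aa",
     "ImagePath": r"\\FS02\ADMIN$\9f3c1aa.exe"},
    {"EventID": 7045, "Computer": "WS14", "ServiceName": "b71e22c",
     "ImagePath": r"C:\Windows\b71e22c.exe"},
    {"EventID": 7045, "Computer": "WS15", "ServiceName": "updater7",
     "ImagePath": r'%COMSPEC% /b /c start /b /min powershell -nop -w hidden -c "<constructed>"'},
    {"EventID": 7045, "Computer": "WS16", "ServiceName": "LegitSvc",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"EventID": 7036, "Computer": "WS16", "ServiceName": "LegitSvc",
     "ImagePath": ""},
]

if __name__ == "__main__":
    for computer, service, hits in flag_service_installs(EVENTS):
        print(computer, service, ", ".join(hits))
```

Because these commands clean up after themselves, the install record may be the only durable trace on the host, so forward System-log events off the machine before relying on this check.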
Beacon has a few other commands not covered above.
The clear command will clear Beacon's task list. Use this if you make a mistake.
Type exit to ask Beacon to exit.
Use kill [pid] to terminate a process.
Use timestomp to match the Modified, Accessed, and Created times of one file to those of another file.