HTTP and HTTPS Beacon

windows/beacon_http/reverse_http is Cobalt Strike's HTTP Beacon. This Beacon checks for tasks and downloads them with an HTTP GET request. It sends data back with an HTTP POST request. Once you create a listener and press Save, Cobalt Strike will ask you to provide a list of domains to beacon to. Create DNS A records that point to your team server’s IP address or its redirectors. If you do not control any domains (shame on you!), provide your team server’s IP address in this box.

HTTP Beacon

windows/beacon_https/reverse_https is Cobalt Strike's HTTPS Beacon. This variant of Beacon will SSL encrypt its communications. You may use a valid SSL certificate with the HTTPS Beacon.
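From the defender's side, the GET check-in and POST return pattern described above can be hunted for in web proxy logs. The following is an added example, not part of Cobalt Strike or its documentation: it flags client/host pairs that issue repeated GETs at near-regular intervals and also POST to the same host. The log format, the thresholds, and the premise that check-ins recur at roughly regular intervals are assumptions, and for HTTPS the method is only visible where the proxy inspects TLS.

```python
# Flag proxy-log client/host pairs that look like task polling (added example).
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log, not real traffic: "<epoch> <client> <method> <host>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 GET cdn.example.test
1700000060 10.0.0.5 GET cdn.example.test
1700000121 10.0.0.5 GET cdn.example.test
1700000130 10.0.0.5 POST cdn.example.test
1700000180 10.0.0.5 GET cdn.example.test
1700000241 10.0.0.5 GET cdn.example.test
1700000005 10.0.0.9 GET news.example.test
1700000011 10.0.0.9 GET news.example.test
1700000400 10.0.0.9 GET news.example.test
1700000402 10.0.0.9 POST news.example.test
1700000950 10.0.0.9 GET news.example.test
1700000951 10.0.0.9 GET news.example.test
"""

def parse(log_text):
    """Yield (timestamp, client, method, host); skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].isdigit():
            yield int(parts[0]), parts[1], parts[2].upper(), parts[3]

def find_polling_pairs(log_text, min_gets=5, max_cv=0.25):
    """Return sorted (client, host) pairs with >= min_gets GETs, gap
    coefficient of variation <= max_cv, and at least one POST (assumed thresholds)."""
    gets, posts = defaultdict(list), defaultdict(int)
    for ts, client, method, host in parse(log_text):
        if method == "GET":
            gets[(client, host)].append(ts)
        elif method == "POST":
            posts[(client, host)] += 1
    flagged = []
    for pair, times in gets.items():
        if len(times) < min_gets or posts[pair] == 0:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:  # low spread = regular
            flagged.append(pair)
    return sorted(flagged)

if __name__ == "__main__":
    print(find_polling_pairs(SAMPLE_LOG))
```

Ordinary software updaters and telemetry clients also poll on a schedule, so treat a hit as a lead to triage against known-good hosts rather than a verdict.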

Manual Proxy Settings

The HTTP and HTTPS Beacon use the same proxy settings as Internet Explorer. If Beacon is run from a user context, Beacon’s HTTP and HTTPS communication will automatically authenticate itself to a proxy server. Sometimes, these defaults are not desirable.

It’s possible to export a stageless Beacon artifact with an alternate proxy configuration. Go to Attacks -> Packages -> Windows Executable (S). Press the button next to the Proxy field. This will open a dialog to change the proxy settings for a Beacon artifact.

Manual Proxy Settings

The (Manual) Proxy Settings dialog offers several options to change how Beacon makes its HTTP and HTTPS requests. The Type field configures the type of proxy. The Host and Port fields tell Beacon where the proxy lives. The Username and Password fields are optional. These fields specify the credentials Beacon uses to authenticate to the proxy.

Check the "Ignore proxy settings; use direct connection" box to force Beacon to attempt its HTTP and HTTPS requests without going through a proxy.

Press Set to update the Beacon dialog with the desired proxy settings. Press Reset to set the proxy configuration back to the default behavior.

There is no option to specify manual proxy settings with a Beacon listener itself. This is because the Beacon HTTP and HTTPS stagers do not support these options.