TCP Beacon (Bind)

The TCP Beacon uses a TCP socket to communicate through a parent Beacon. This peer-to-peer communication works with Beacons on the same host and across the network.

To configure a TCP Beacon payload, go to Cobalt Strike -> Listeners. Press Add. Choose Beacon TCP as your payload option.

TCP Beacon Setup

TCP Beacon Setup

The TCP Beacon configured in this way is a bind payload. A bind payload is one that waits for a connection from its controller (in this case, another Beacon session). The Port (C2) option controls the port the TCP Beacon will wait for connections on. Check Bind to localhost only to have the TCP Beacon bind to 127.0.0.1 when it listens for a connection. This is a good option if you use the TCP Beacon for localhost-only actions.

The TCP Beacon is compatible with most actions in Cobalt Strike that spawn a payload. The exception to this are, similar to the SMB Beacon, the user-driven attacks (e.g., Attacks -> Packages, Attacks -> Web Drive-by) that require explicit stagers.

Cobalt Strike post-exploitation and lateral movement actions that spawn a payload will attempt to assume control of (connect) to the TCP Beacon payload for you. If you run the TCP Beacon manually, you will need to connect to it from a parent Beacon.

Connecting and Unlinking

From the Beacon console, use connect [ip address] [port] to connect the current session to a TCP Beacon that is waiting for a connection. When the current session checks in, its linked peers will check in too.

To destroy a Beacon link use unlink [ip address] [session PID] in the parent or child session console. Later, you may reconnect to the TCP Beacon from the same host (or a different host).