support

TCP Beacon

windows/beacon_tcp/bind_tcp is Cobalt Strike’s TCP Beacon. The TCP Beacon uses a TCP socket to communicate through a parent Beacon. This peer-to-peer communication works with Beacons on the same host and across the network.

You may use the TCP Beacon as a target listener for most of Beacon's features.

You may also export a stageless TCP Beacon executable or DLL. Go to Attacks -> Packages -> Windows Executable (S) and select your TCP Beacon listener.

Actions that stage the TCP Beacon will automatically connect to it. If you run a stageless TCP Beacon payload, you must connect to the payload to assume control of it.

The TCP Beacon stager will bind to the port specified in the New Listener dialog. The TCP Beacon payload will bind to a separate port, specified as the tcp_port option in your Malleable C2 profile.

Connecting and Unlinking

From the Beacon console, use connect [ip address] to connect the current session to a TCP Beacon that is waiting for a connection. When the current session checks in, its linked peers will check in too.

To destroy a Beacon link use unlink [ip address] in the parent or child. Later, you may reconnect to the TCP Beacon from the same host (or a different host).