What is the Cobalt Strike Beacon?
Beacon is Cobalt Strike's signature payload, designed to model the behavior of advanced attackers and to carry out post-exploitation activity during adversary simulations and red team engagements. To gain a foothold on a target, Beacon can be delivered in a number of ways, including embedded in an executable, added to a document, or staged through a client-side exploit. Once running, Beacon uses one of several communication channels to receive tasks and return their output.
How Does Beacon Communicate?
A communication channel between the red team's server and the compromised system can be established through several means. Beacon can be cloaked using Malleable C2 settings, reducing visibility by making its HTTP or HTTPS GET and POST requests look like legitimate traffic, or by tunneling the channel over DNS. Linked Beacons can also communicate covertly peer-to-peer over SMB (named pipes) or TCP, with a parent Beacon relaying commands to them and returning their data to the server.
The Flexibility of Beacon
Communication with Beacon is built to be adaptable. Users can create and save different Malleable C2 profiles, which change Beacon's network traffic indicators (URIs, headers, and how metadata and task output are encoded and placed in a request) to disguise its communications and help it blend in on target. For example, a profile can be written so that the traffic no longer matches the signatures that network detection or scanning tools look for.
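As an added illustration (not a profile shipped with Cobalt Strike, and every URI, header and string below is invented), this is the shape of a Malleable C2 profile that reworks the HTTP GET check-in and the HTTP POST output channel described above. The `set` lines at the top control check-in timing; the `http-get` block defines how Beacon's metadata rides inside a GET request and how the server hides tasks in its reply; the `http-post` block does the same for session IDs and task output:

```text
# Constructed example profile; values are placeholders, not real infrastructure.
set sleeptime "60000";    # check-in interval in milliseconds (60 s)
set jitter    "20";       # vary the interval by up to 20 percent
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36";

http-get {
    set uri "/static/js/vendor.min.js";

    client {
        header "Accept" "*/*";
        header "Accept-Encoding" "gzip, deflate";
        # Beacon metadata is base64url-encoded and sent as a cookie value
        metadata {
            base64url;
            header "Cookie";
        }
    }

    server {
        header "Content-Type" "application/javascript";
        header "Cache-Control" "max-age=3600";
        # queued tasks come back wrapped so the body resembles a script file
        output {
            base64;
            prepend "/*! vendor bundle */ var _v = '";
            append "';";
            print;
        }
    }
}

http-post {
    set uri "/api/telemetry/upload";
    set verb "POST";

    client {
        header "Content-Type" "application/octet-stream";
        # session ID travels as a query parameter
        id {
            base64url;
            parameter "sid";
        }
        # task output is the POST body
        output {
            base64;
            print;
        }
    }

    server {
        header "Content-Type" "application/octet-stream";
        output {
            base64;
            print;
        }
    }
}
```

Before loading a profile, run it through Cobalt Strike's `c2lint` tool, which parses the profile and reports syntax and logic errors. The defensive corollary is that every indicator above (URI, cookie layout, the `prepend`/`append` wrapping) is exactly what a network signature would key on, which is why a profile is normally written per engagement rather than reused.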
Asynchronous Communication
Commands are put into a queue and executed when Beacon checks in. How often Beacon checks in is set with the sleep command; a jitter value can also be given to randomly vary the check-in interval by up to a given percentage, so that check-ins do not arrive at a fixed period. Asynchronous communication is low and slow and is ideal for tasks that benefit from more stealth; setting the sleep time to 0 makes Beacon interactive, trading that stealth for responsiveness.
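Jitter randomizes the interval, but it does not hide the fact that the same client keeps returning to the same host at roughly the same cadence. The following is an added example, not code from Cobalt Strike or this page, showing how a defender can score that cadence from proxy logs: it groups requests by (source, destination), takes the gaps between consecutive requests, and flags pairs whose gaps are tightly clustered (low coefficient of variation). The log lines are constructed for the example, the `10.0.0.5` host models a 60-second sleep with 20 percent jitter, and the thresholds `max_cv=0.25` and `min_requests=6` are assumptions to tune against real traffic:

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log excerpt (not real traffic): "timestamp src dst method uri".
# 10.0.0.5 checks in every 48-60 s (sleep 60, jitter 20); 10.0.0.7 is ordinary browsing.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 cdn.example.net GET /static/js/vendor.min.js
2024-03-01T10:01:00 10.0.0.5 cdn.example.net GET /static/js/vendor.min.js
2024-03-01T10:01:52 10.0.0.5 cdn.example.net GET /static/js/vendor.min.js
2024-03-01T10:02:50 10.0.0.5 cdn.example.net GET /static/js/vendor.min.js
2024-03-01T10:03:39 10.0.0.5 cdn.example.net GET /static/js/vendor.min.js
2024-03-01T10:04:34 10.0.0.5 cdn.example.net GET /static/js/vendor.min.js
2024-03-01T10:05:34 10.0.0.5 cdn.example.net GET /static/js/vendor.min.js
2024-03-01T10:06:25 10.0.0.5 cdn.example.net GET /static/js/vendor.min.js
2024-03-01T10:00:05 10.0.0.7 news.example.org GET /
2024-03-01T10:00:10 10.0.0.7 news.example.org GET /story/1
2024-03-01T10:05:10 10.0.0.7 news.example.org GET /story/2
2024-03-01T10:05:22 10.0.0.7 news.example.org GET /img/a.png
2024-03-01T10:35:22 10.0.0.7 news.example.org GET /story/3
2024-03-01T10:36:02 10.0.0.7 news.example.org GET /story/4
"""


def parse_log(text):
    """Group request timestamps by (src, dst) pair, sorted in time order."""
    by_pair = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _method, _uri = line.split()
        by_pair[(src, dst)].append(datetime.fromisoformat(ts))
    for times in by_pair.values():
        times.sort()
    return by_pair


def intervals(times):
    """Seconds between consecutive requests."""
    return [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]


def score_pair(times):
    """Return (mean gap, coefficient of variation) or None if there are too few gaps."""
    gaps = intervals(times)
    if len(gaps) < 5:
        return None
    mean = statistics.fmean(gaps)
    if mean == 0:
        return None
    # Low CV means the gaps barely vary: a sleep timer with modest jitter
    # stays well under 0.25 while human-driven traffic is usually far above 1.
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(text, max_cv=0.25, min_requests=6):
    """Return {(src, dst): (mean gap, cv)} for pairs whose cadence looks like a beacon."""
    flagged = {}
    for pair, times in parse_log(text).items():
        if len(times) < min_requests:
            continue
        result = score_pair(times)
        if result is not None and result[1] < max_cv:
            flagged[pair] = result
    return flagged


if __name__ == "__main__":
    for (src, dst), (mean, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: mean gap {mean:.1f}s, cv {cv:.3f}")
```

A sleep of 60 with 20 percent jitter keeps the gaps inside a band of 48 to 60 seconds, so the coefficient of variation stays near 0.07; raising the jitter widens the band but, as long as the sleep is fixed, the cadence stays far more regular than interactive browsing, which is the weakness this heuristic exploits.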