New feature “Beacon” added to Cobalt Strike

New feature “Beacon” added to Cobalt Strike

A big gap in the penetration tester’s toolbox are covert command and control options, especially for long engagements. To remedy this problem, Raphael Mudge developed Beacon.

Beacon is Cobalt Strike’s remote administration payload for long-term engagements. Beacon does not provide real-time control of a compromised host. Beacon is asynchronous. It spends most of its time sleeping. Occasionally, Beacon will contact Cobalt Strike to check for tasks.

Cobalt Strike Beaconing
If a tasking is available, Beacon will download its tasks and execute them. This style of command and control is common with sophisticated malware and Advanced Persistent Threat actors.

Cobalt Strike’s Beacon payload may attempt to communicate through multiple domains. This makes your control of a compromised host more robust. If a system administrator blocks one IP address or domain, Beacon may still receive tasks through its other domains.

When tasks are available, Beacon downloads them and sends output using the HTTP protocol. Beacon may check for tasks through HTTP or DNS requests.



NJ Ouchn

"Passion is needed for any great work, and for the revolution, passion and audacity are required in big doses"