New feature “Beacon” added to Cobalt Strike
A big gap in the penetration tester’s toolbox is the lack of covert command and control options, especially for long engagements. To remedy this problem, Raphael Mudge developed Beacon.
Beacon is Cobalt Strike’s remote administration payload for long-term engagements. Beacon does not provide real-time control of a compromised host. Beacon is asynchronous. It spends most of its time sleeping. Occasionally, Beacon will contact Cobalt Strike to check for tasks.
Cobalt Strike’s Beacon payload may attempt to communicate through multiple domains. This makes your control of a compromised host more robust. If a system administrator blocks one IP address or domain, Beacon may still receive tasks through its other domains.
When tasks are available, Beacon downloads them and sends output using the HTTP protocol. Beacon may check for tasks through HTTP or DNS requests.
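For defenders, the sleep-then-check-in pattern described above shows up in web proxy logs as requests from one client to one host at nearly constant intervals. The following is an added example, not code from this page or from Cobalt Strike: it flags client/host pairs whose request gaps are unusually regular. The log format, hostnames, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: "timestamp client method host path"
SAMPLE_LOG = """\
2024-01-01T09:00:00 10.0.0.5 GET cdn.example.test /a
2024-01-01T09:00:10 10.0.0.9 GET news.example.test /
2024-01-01T09:00:12 10.0.0.9 GET news.example.test /css
2024-01-01T09:01:40 10.0.0.9 GET news.example.test /story
2024-01-01T09:05:02 10.0.0.5 GET cdn.example.test /a
2024-01-01T09:10:01 10.0.0.5 GET cdn.example.test /a
2024-01-01T09:12:00 10.0.0.9 GET mail.example.test /inbox
2024-01-01T09:15:03 10.0.0.5 GET cdn.example.test /a
2024-01-01T09:17:05 10.0.0.9 GET news.example.test /
2024-01-01T09:17:30 10.0.0.9 GET news.example.test /story2
2024-01-01T09:20:00 10.0.0.5 GET cdn.example.test /a
2024-01-01T09:25:02 10.0.0.5 GET cdn.example.test /a
2024-01-01T09:48:00 10.0.0.9 GET news.example.test /
malformed line
"""

def parse(log_text):
    """Yield (timestamp, client, host) per well-formed line; skip the rest."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[3]
        except ValueError:
            continue

def find_periodic(log_text, min_requests=5, max_cv=0.1):
    """Return (client, host, mean_gap_s, cv) for pairs with regular gaps.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests. Human browsing is bursty (high cv); a sleeping
    agent that checks in on a timer is regular (low cv). Both thresholds
    are assumptions to tune against your own traffic.
    """
    seen = defaultdict(list)
    for ts, client, host in parse(log_text):
        seen[(client, host)].append(ts)
    hits = []
    for (client, host), times in seen.items():
        if len(times) < min_requests:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((client, host, round(avg), round(pstdev(gaps) / avg, 3)))
    return sorted(hits)
```

Because Beacon may use multiple domains and may check in over DNS, the same gap analysis is worth running over DNS query logs and per client across all destinations, not only per client/host pair.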