This chapter covers Cobalt Strike Beacon concepts, a critical topic for the CompTIA PenTest+ PT0-002 exam. Understanding how Beacons communicate, their configuration options, and their role in post-exploitation is essential for both offensive and defensive security professionals. Exam questions on this topic typically appear in the Tools and Scripts domain (Objective 5.1) and may account for 5-10% of the exam. You will be tested on Beacon communication methods, Malleable C2 profiles, staging vs. stageless payloads, and common detection evasion techniques.
Jump to a section
Imagine a spy inserted into a foreign facility. The spy has a radio that can send and receive messages, but the facility's security monitors all outgoing radio signals. To avoid detection, the spy's radio operates in a beacon mode: it periodically transmits a short, innocuous-looking signal (like a weather report) to an external station. The external station listens for these signals and, when it needs to send commands, it embeds them in the next scheduled transmission back to the spy. The spy's radio never initiates a two-way conversation; it only sends brief, scheduled bursts that blend in with normal traffic. The external station can also instruct the spy to change frequencies, modify the schedule, or switch to a different mode (like using a hidden transmitter for faster data exfiltration). This is exactly how Cobalt Strike Beacon works: it is a stealthy agent that communicates with a command-and-control (C2) server using configurable communication patterns (HTTP, HTTPS, DNS, SMB) that mimic legitimate traffic. The Beacon checks in at intervals, receives tasks, executes them, and reports back—all while avoiding persistent connections that would be flagged by network monitors. The operator can dynamically change the Beacon's behavior via post-exploitation modules, making it a versatile tool for maintaining access and pivoting through a network.
What is Cobalt Strike Beacon?
Cobalt Strike is a commercial penetration testing tool that simulates advanced persistent threats (APTs). Its core agent is called a Beacon. A Beacon is a payload that runs on a compromised host and provides command and control (C2) capabilities. Unlike a simple reverse shell, Beacons are designed for stealth, flexibility, and resilience. They communicate with a C2 server using configurable profiles that mimic legitimate traffic (e.g., HTTP, HTTPS, DNS, SMB). Beacons can operate in asynchronous mode (poll-based) or synchronous mode (interactive), but the default and most common mode is asynchronous to avoid detection.
Beacon Communication Modes
Beacons support several communication protocols:
HTTP/HTTPS: The Beacon sends HTTP requests (GET/POST) to the C2 server. The server responds with commands embedded in HTTP responses (e.g., in cookies, headers, or body). HTTPS adds TLS encryption, but the certificate can be custom or default (often flagged by defenders).
DNS: The Beacon encodes data in DNS queries (e.g., TXT records, A queries). This is extremely stealthy because DNS is often allowed through firewalls. However, it is slower and has data size limitations (typically 255 bytes per query).
SMB: The Beacon communicates over SMB named pipes (e.g., \\pipe\msagent). This is used for peer-to-peer communication within a network, often for lateral movement. It does not traverse the internet.
TCP: Direct TCP sockets, less common because they create persistent connections that are easier to detect.
Beacon Staging vs. Stageless
Cobalt Strike offers two types of Beacon payloads:
Staged (Stager): A small initial payload (the stager) downloads the full Beacon payload from the C2 server. The stager is typically small (a few hundred bytes) and is injected into memory. This reduces the initial footprint but creates network traffic that can be detected (e.g., HTTP GET for the second stage).
Stageless: The entire Beacon is embedded in the initial payload. No additional download occurs. This is stealthier because there is no second-stage request, but the payload is larger (tens of kilobytes). Stageless payloads are preferred for evading network-based detection.
Malleable C2 Profiles
Malleable C2 profiles are configuration files that define how the Beacon communicates. They control:
HTTP headers: Custom headers, User-Agent strings, and cookies.
URI paths: The specific paths used in HTTP requests (e.g., /images/logo.png).
Jitter: Random delay added to the sleep interval (e.g., sleep 60s with jitter 20% means actual sleep is 60s ± 12s).
Data transformation: How data is encoded (e.g., base64, XOR, custom transforms).
DNS settings: DNS sleep, DNS jitter, and beacon type (A, AAAA, TXT).
Example Malleable C2 profile snippet:
http-get {
set uri "/images/logo.png";
client {
header "Accept" "image/png";
metadata {
base64url;
prepend "session=";
header "Cookie";
}
}
server {
header "Content-Type" "image/png";
output {
base64;
print;
}
}
}This profile configures the Beacon to make GET requests to /images/logo.png, include a base64url-encoded session ID in a Cookie header, and expect a base64-encoded response with Content-Type image/png.
Beacon Sleep and Jitter
The Beacon's sleep interval determines how often it checks in with the C2 server. Default is 60 seconds. Jitter is a percentage that randomizes the sleep interval to avoid predictable patterns. For example, sleep 60s with jitter 30% means the actual check-in time is between 42s and 78s (60 ± 18s). This makes traffic analysis harder.
Beacon Commands and Tasks
Once a Beacon is active, operators interact with it via the Cobalt Strike client. Common commands include:
shell: Execute a command on the victim system (e.g., shell whoami).
run: Execute a command and capture output (similar to shell but uses CreateProcess).
powershell: Execute PowerShell commands (can be used for in-memory execution).
upload/download: Transfer files.
keylogger: Capture keystrokes.
screenshot: Capture the screen.
hashdump: Dump password hashes from the SAM database.
mimikatz: Run Mimikatz commands for credential theft.
pth: Pass-the-hash for lateral movement.
jump: Use PsExec or WinRM to move laterally.
sleep: Change the sleep interval and jitter.
exit: Terminate the Beacon.
Beacon Persistence and Privilege Escalation
Beacons can be configured to persist via various mechanisms:
Registry run keys: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Scheduled tasks: Using schtasks.
Service installation: As a Windows service.
Startup folder: Placing a shortcut in the Start Menu.
Privilege escalation can be achieved using built-in exploits (e.g., MS16-032, MS17-010) or by leveraging tools like PowerUp.
Beacon Detection and Evasion
Defenders detect Beacons by:
Network traffic analysis: Unusual HTTP headers, periodic check-ins, and suspicious URI paths.
Process injection: Beacons often inject into legitimate processes (e.g., explorer.exe, svchost.exe).
Memory artifacts: Beacon code resides in memory and can be dumped.
YARA rules: Signatures for known Beacon strings.
Evasion techniques include:
Custom Malleable C2 profiles: Mimic legitimate software (e.g., Google Analytics, Microsoft Update).
Sleep masking: Beacon encrypts its memory while sleeping, making memory dumps less useful.
Reflective DLL loading: Load the Beacon without touching disk.
Parent PID spoofing: Spoof the parent process to blend in.
Beacon Communication Flow
The victim executes the Beacon payload (stager or stageless).
The Beacon resolves the C2 domain (e.g., c2.malicious.com) via DNS.
The Beacon sends an HTTP GET request to the C2 server (e.g., /images/logo.png) with a unique session ID in a cookie.
The C2 server responds with tasks (e.g., run a command) encoded in the HTTP response.
The Beacon executes the task and sends the output in the next check-in (HTTP POST).
The C2 server retrieves the output and displays it to the operator.
Key Values and Defaults
Default sleep: 60 seconds.
Default jitter: 0% (but commonly set to 20-30%).
Default HTTP user-agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0).
Default DNS beacon type: A record.
Stager size: ~4096 bytes (but can be smaller with custom stages).
Stageless payload size: ~20-50 KB depending on configuration.
Configuration Commands
In the Cobalt Strike client, operators can configure Beacons via:
sleep <seconds> <jitter>: e.g., sleep 120 20 sets sleep to 120s with 20% jitter.
mode <http|dns|smb>: Switch communication mode.
spawnto <x86|x64> <path>: Set the process to spawn for post-exploitation jobs (e.g., spawnto x64 C:\Windows\System32\rundll32.exe).
Interaction with Related Technologies
PowerShell: Beacons can execute PowerShell scripts in memory using the powershell command, often via the -enc parameter for base64-encoded commands.
Mimikatz: Integrated for credential dumping.
PsExec: Used for lateral movement via the jump psexec command.
WinRM: Alternative lateral movement method.
Metasploit: Cobalt Strike can import Metasploit payloads and can be used in conjunction with Metasploit for exploitation.
Deploy Beacon on Victim
The operator generates a Beacon payload (staged or stageless) using the Cobalt Strike client. The payload is delivered to the victim via phishing, drive-by download, or exploitation. Upon execution, the Beacon runs in memory (if stageless) or downloads the full Beacon from the C2 server (if staged). The initial execution often involves process injection to evade detection. The Beacon then establishes a unique session ID and begins its check-in cycle.
Beacon Resolves C2 Domain
The Beacon performs a DNS resolution for the C2 domain (e.g., c2.malicious.com). This query is typically a standard A record lookup. The DNS request may be sent to the local DNS server, which forwards it to the authoritative nameserver controlled by the attacker. The response contains the IP address of the C2 server. This step is critical because DNS traffic is often allowed through firewalls and is rarely inspected deeply.
Beacon Sends Check-in Request
The Beacon sends an HTTP GET request to the C2 server using the configured URI (e.g., /images/logo.png). The request includes custom headers (User-Agent, Cookie, etc.) as defined in the Malleable C2 profile. The request body may contain encoded metadata (e.g., session ID, computer name). The Beacon does not expect a response with commands yet; this is just a heartbeat to indicate the Beacon is alive.
C2 Server Responds with Tasks
If the operator has queued tasks for the Beacon, the C2 server includes them in the HTTP response. The tasks are encoded (e.g., base64, XOR) and placed in the response body, headers, or cookies. The Beacon decodes the tasks and executes them locally. If no tasks are pending, the response is a benign-looking page (e.g., a 404 or a valid image) to maintain stealth.
Beacon Executes Tasks
The Beacon executes the received commands using Windows API calls (e.g., CreateProcess for shell commands, or direct API calls for keylogging). Output is captured and stored in memory. The Beacon then waits for the next check-in interval before sending the results. During this time, the Beacon may sleep and encrypt its memory to avoid detection by memory scanners.
Beacon Sends Task Output
At the next scheduled check-in, the Beacon sends an HTTP POST request to the C2 server with the output of the executed tasks. The output is encoded and placed in the request body or headers. The C2 server decodes the output and displays it to the operator in the Cobalt Strike client. The operator can then issue new commands based on the results.
Operator Issues New Commands
The operator uses the Cobalt Strike client to interact with the Beacon. They can type commands like `shell whoami` or `upload exploit.exe`. These commands are queued on the C2 server and will be sent to the Beacon on its next check-in. The operator can also change Beacon settings (sleep, jitter, mode) dynamically. This asynchronous interaction allows the operator to control multiple Beacons simultaneously without maintaining persistent connections.
Enterprise Red Team Engagement
A red team is hired to test a large financial institution's defenses. The team uses Cobalt Strike with a custom Malleable C2 profile that mimics the institution's internal application traffic (e.g., requests to /api/status with specific headers). They deploy stageless Beacons via a phishing campaign. The Beacons use HTTPS with a valid certificate from a trusted CA (purchased for the engagement). The sleep interval is set to 120 seconds with 25% jitter to avoid pattern detection. The team uses DNS beacons as a fallback if HTTP is blocked. During the engagement, they pivot through multiple systems using SMB beacons for lateral movement. The key challenge is to avoid triggering the SOC's alerts. They use sleep masking and process injection to evade memory scanners. The engagement reveals that the institution's network monitoring tools flag anomalous user agents but miss custom headers, highlighting the importance of Malleable C2 profiles.
Penetration Test of a Healthcare Organization
A penetration tester is assessing a healthcare provider's network. The tester uses Cobalt Strike to simulate an APT. The Beacon is configured to use DNS over HTTPS (DoH) to bypass DNS monitoring. The tester uses a stageless payload to avoid the second-stage download. The Beacon's C2 domain is a subdomain of a legitimate service (e.g., updates.healthcare-org.com) that resolves to the tester's server. The tester uses the spawnto command to inject into a trusted process (e.g., svchost.exe). During the test, the tester dumps hashes using Mimikatz and uses pass-the-hash to move to a domain controller. The Beacon's sleep is set to 5 minutes to minimize traffic. The tester encounters issues with the organization's application whitelisting, which blocks unknown executables. To bypass this, the tester uses PowerShell-based payloads that execute in memory. The test successfully demonstrates that the organization's endpoint protection does not detect in-memory threats.
Misconfiguration Consequences
A common mistake is using default Malleable C2 profiles, which are well-known to defenders. For example, the default HTTP profile uses a User-Agent of 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)' which is outdated and easily flagged. Another issue is setting jitter to 0%, creating a predictable check-in pattern that can be detected by time-based analysis. Additionally, using self-signed certificates for HTTPS triggers warnings in modern browsers and can be flagged by network monitors. Operators must also be careful with DNS beacon sizes; if the encoded data exceeds 255 bytes, it must be split across multiple queries, which can appear anomalous. Finally, failing to use sleep masking leaves the Beacon's memory readable, allowing defenders to dump and analyze the payload.
What PT0-002 Tests on This Topic
The exam focuses on Objective 5.1: 'Given a scenario, use the appropriate tool or script to perform a penetration test.' Specifically, you need to understand:
The difference between staged and stageless payloads and when to use each.
How Malleable C2 profiles affect detection and evasion.
The purpose of sleep and jitter in Beacon communications.
Common Beacon commands for post-exploitation (shell, powershell, mimikatz, hashdump).
Detection mechanisms (network signatures, memory artifacts) and evasion techniques (sleep masking, process injection).
Common Wrong Answers and Why Candidates Choose Them
1. 'Staged payloads are stealthier than stageless because they are smaller.' - *Why wrong*: While staged payloads are smaller, the second-stage download creates network traffic that can be detected. Stageless payloads avoid this network trace and are generally stealthier.
2. 'Jitter increases the check-in frequency.' - *Why wrong*: Jitter randomizes the interval; it does not increase frequency. The average check-in time remains the same as the sleep value.
3. 'DNS beacons use TCP for data transfer.' - *Why wrong*: DNS beacons primarily use UDP. While TCP can be used for zone transfers, standard DNS queries are UDP.
4. 'The default User-Agent in Cobalt Strike is a modern browser string.' - *Why wrong*: The default is an old IE 10 User-Agent, which is easily detected.
Specific Numbers and Values on the Exam
Default sleep: 60 seconds.
Maximum DNS data per query: 255 bytes.
Jitter is a percentage (e.g., 20% means ±20% of sleep).
Stager size: approximately 4 KB.
Common ports: 80 (HTTP), 443 (HTTPS), 53 (DNS), 445 (SMB).
Edge Cases and Exceptions
Sleep masking: The exam may ask what happens to the Beacon's memory while sleeping. Answer: It is encrypted (XOR or AES) to prevent dumping.
Parent PID spoofing: This technique makes the Beacon appear as a child of a legitimate process (e.g., explorer.exe) to evade process tree analysis.
Beacon in 'interactive' mode: This creates a persistent connection and is less stealthy; the exam may contrast it with asynchronous mode.
How to Eliminate Wrong Answers
If a question asks about stealth, look for options that reduce network traces (stageless, custom profiles, jitter).
If a question asks about speed, consider that synchronous modes are faster but more detectable.
If a question asks about detection, think about what defenders monitor: network patterns, memory, processes.
Eliminate answers that suggest using default settings for evasion—they are always wrong.
Beacons communicate asynchronously via HTTP/HTTPS, DNS, or SMB, with configurable sleep intervals and jitter to evade detection.
Malleable C2 profiles define custom HTTP headers, URI paths, and data encoding to mimic legitimate traffic.
Stageless payloads are stealthier than staged payloads because they avoid a second-stage download.
Default sleep is 60 seconds; jitter is a percentage that randomizes the interval (e.g., 20% jitter on 60s sleep results in 48-72s).
DNS beacons use UDP and are limited to 255 bytes per query; they are stealthy but slow.
SMB beacons are used for peer-to-peer communication within a local network, not over the internet.
Sleep masking encrypts the Beacon's memory while sleeping to prevent memory dumping.
Common post-exploitation commands include shell, powershell, mimikatz, hashdump, and jump for lateral movement.
Detection evasion techniques include custom profiles, process injection, parent PID spoofing, and using valid TLS certificates.
The exam tests the difference between staged and stageless, the role of jitter, and the purpose of Malleable C2 profiles.
These come up on the exam all the time. Here's how to tell them apart.
Staged Beacon
Initial payload is small (~4 KB).
Requires a second-stage download from the C2 server.
Second-stage download creates network traffic that can be detected.
More prone to detection by network monitoring.
Commonly used when payload size is a constraint (e.g., in limited shellcode injection).
Stageless Beacon
Initial payload is larger (~20-50 KB).
No second-stage download; all code is embedded.
No additional network traffic after initial execution.
Stealthier because there is no second-stage request.
Preferred for evading network-based detection.
Mistake
Staged payloads are always stealthier than stageless because they are smaller.
Correct
Stageless payloads are stealthier because they avoid the second-stage download, which creates network traffic that can be detected. Staged payloads are smaller but leave a network trace.
Mistake
Jitter increases the check-in frequency.
Correct
Jitter randomizes the check-in interval around the set sleep value. It does not increase frequency; the average interval remains the same as the sleep value.
Mistake
DNS beacons use TCP for data transfer.
Correct
DNS beacons primarily use UDP. While TCP can be used for large transfers (e.g., zone transfers), standard DNS queries are UDP. Beacon data is typically small enough to fit in a single UDP packet.
Mistake
The default Cobalt Strike User-Agent is a modern browser string.
Correct
The default User-Agent is 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)', which is an old Internet Explorer 10 string and easily flagged by defenders.
Mistake
SMB beacons are used for internet communication.
Correct
SMB beacons are used for peer-to-peer communication within a local network. They do not traverse the internet because SMB is typically blocked at the perimeter.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
A staged Beacon uses a small initial payload (stager) that downloads the full Beacon from the C2 server. This reduces the initial size but creates network traffic for the second stage. A stageless Beacon contains the entire payload in the initial download, eliminating the second-stage request. Stageless is stealthier because it leaves no network trace of the download, but the payload is larger. For the exam, remember that stageless is preferred for evasion.
Jitter adds randomness to the Beacon's check-in interval. For example, with a sleep of 60 seconds and jitter of 20%, the actual interval varies between 48 and 72 seconds. This prevents defenders from detecting a fixed periodic pattern. Jitter is a percentage of the sleep value. The exam may ask you to calculate the range given sleep and jitter.
A Malleable C2 profile is a configuration file that defines how the Beacon communicates with the C2 server. It controls HTTP headers, URI paths, cookies, data encoding, and DNS settings. It is important because it allows the attacker to mimic legitimate traffic (e.g., Google Analytics, Microsoft Update) and evade network-based detection. Default profiles are easily detected, so custom profiles are essential for stealth.
Yes, Beacons can use DNS as a communication channel. Data is encoded in DNS queries (e.g., TXT records, A queries) and responses. DNS is often allowed through firewalls and is less monitored, making it a stealthy option. However, it is slower and limited to 255 bytes per query. The Beacon can fall back to DNS if HTTP/HTTPS is blocked.
Sleep masking is a technique where the Beacon encrypts its code and data in memory while it is sleeping (between check-ins). This prevents memory scanners from detecting the Beacon's signature. When the Beacon wakes up, it decrypts itself. The encryption algorithm is often XOR or AES. The exam may ask about this as a memory evasion technique.
Beacons can inject themselves into legitimate processes (e.g., explorer.exe, svchost.exe) to blend in. This is done using Windows API calls like CreateRemoteThread and WriteProcessMemory. The `spawnto` command specifies which process to spawn for post-exploitation jobs. Process injection helps evade process-based detection and application whitelisting.
The default sleep interval is 60 seconds. However, operators typically change this to a longer interval (e.g., 120-300 seconds) with jitter to reduce traffic and avoid detection. The exam may test the default value, so remember it is 60 seconds.
You've just covered Cobalt Strike Beacon Concepts — now see how well it sticks with free PT0-002 practice questions. Full explanations included, no account needed.
Done with this chapter?