Cobalt Strike, BEACON, Team Server. Oh My!

You may hear the names Cobalt Strike, BEACON, and even team server used interchangeably, but there are some important distinctions between all of them.

Cobalt Strike is the command and control (C2) application itself. This has two primary components: the team server and the client. These are both contained in the same Java executable (JAR file) and the only difference is what arguments an operator uses to execute it.

  • Team server is the C2 server portion of Cobalt Strike. It can accept client connections, BEACON callbacks, and general web requests.

      • By default, it accepts client connections on TCP port 50050.

      • Team server only supports being run on Linux systems.

  • Client is how operators connect to a team server.

      • Clients can run on the same system as a team server or connect remotely.

      • Client can be run on Windows, macOS or Linux systems.

BEACON is the name for Cobalt Strike’s default malware payload used to create a connection to the team server. Active callback sessions from a target are also called "beacons". (This is where the malware family got its name.) There are two types of BEACON:

  • The Stager is an optional BEACON payload. Operators can "stage" their malware by sending an initial small BEACON shellcode payload that only does some basic checks and then queries the configured C2 for the fully featured backdoor.

  • The Full backdoor can either be executed through a BEACON stager, by a “loader” malware family, or by directly executing the default DLL export “ReflectiveLoader”. This backdoor runs in memory and can establish a connection to the team server through several methods.

Loaders are not BEACON. BEACON is the backdoor itself and is typically executed with some other loader, whether it is the staged or full backdoor. Cobalt Strike does come with default loaders, but operators can also create their own using PowerShell, .NET, C++, GoLang, or really anything capable of running shellcode.

It’s All Connected
