Beacons & Listeners

Listener types, beacon payload formats, and interaction commands for Cobalt Strike.


Egress Listeners

Egress listeners allow a Beacon to communicate outside the target network to the team server.

HTTP

Beacon sends and receives C2 messages over HTTP GET and/or POST requests.

DNS

Beacon communicates over DNS lookup/response types (A, AAAA, TXT). TXT records are used by default as they hold the most data. Requires DNS records for a domain the team server is authoritative for.

OPSEC: The team server’s default DNS response is 0.0.0.0, which can be fingerprinted. Change this in the Malleable C2 profile.


Peer-to-Peer (P2P) Listeners

P2P listeners chain Beacons in parent/child relationships — they don’t communicate with the team server directly. Use these to access segregated networks or reduce traffic volume to the team server.

SMB

Single option: named pipe name. Default is msagent_## (random hex).

OPSEC: The default pipe name is well signatured. Emulate names used by common applications or Windows itself:

ls \\.\pipe\
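From the defender's side, the two defaults called out above (the `msagent_##` pipe name and the 0.0.0.0 DNS response) can be hunted for in pipe-creation and DNS telemetry. The following is an added example, not part of the original page or of Cobalt Strike: the event field names, sample records, `min_hits` threshold and `sinkholed` allowlist are assumptions, and `##` is assumed to mean two hex digits.

```python
import re
from collections import Counter

# Assumption: "##" in the default name "msagent_##" stands for two hex digits.
DEFAULT_PIPE = re.compile(r"^msagent_[0-9a-f]{2}$", re.IGNORECASE)
NULL_ANSWER = "0.0.0.0"  # default DNS response noted on this page

# Constructed sample events, not real telemetry; field names are hypothetical.
SAMPLE_EVENTS = [
    {"type": "pipe_created", "host": "ws01", "pipe": "\\wkssvc"},
    {"type": "pipe_created", "host": "ws02", "pipe": "\\msagent_a4"},
    {"type": "pipe_created", "host": "ws02", "pipe": "\\msagent_service"},
    {"type": "dns_answer", "host": "ws03", "query": "ads.example.net", "answer": "0.0.0.0"},
    {"type": "dns_answer", "host": "ws04", "query": "a1.cdn.example.org", "answer": "0.0.0.0"},
    {"type": "dns_answer", "host": "ws04", "query": "b2.cdn.example.org", "answer": "0.0.0.0"},
    {"type": "dns_answer", "host": "ws04", "query": "c3.cdn.example.org", "answer": "0.0.0.0"},
    {"type": "dns_answer", "host": "ws04", "query": "www.example.com", "answer": "192.0.2.10"},
]

def pipe_findings(events):
    """Return (host, pipe) for pipes whose final path component is a default name."""
    out = []
    for e in events:
        if e["type"] == "pipe_created":
            name = e["pipe"].rsplit("\\", 1)[-1]
            if DEFAULT_PIPE.match(name):
                out.append((e["host"], e["pipe"]))
    return out

def dns_findings(events, min_hits=3, sinkholed=()):
    """Return (host, parent_domain) pairs that received repeated 0.0.0.0 answers.

    min_hits and sinkholed are tuning assumptions: blocklists and local sinkholes
    also answer 0.0.0.0, so a single hit is weak evidence.
    """
    hits = Counter()
    for e in events:
        if e["type"] != "dns_answer" or e["answer"] != NULL_ANSWER:
            continue
        q = e["query"].rstrip(".").lower()
        if any(q == s or q.endswith("." + s) for s in sinkholed):
            continue
        parent = ".".join(q.split(".")[-2:])  # naive parent-domain split
        hits[(e["host"], parent)] += 1
    return sorted(k for k, n in hits.items() if n >= min_hits)

if __name__ == "__main__":
    print(pipe_findings(SAMPLE_EVENTS))
    print(dns_findings(SAMPLE_EVENTS, sinkholed=("example.net",)))
```

Both checks only catch unmodified defaults, so treat a miss as no evidence either way.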

TCP

Binds and listens on a specified port. Can bind to localhost only (127.0.0.1) or all interfaces (0.0.0.0).


Beacon Payload Types

Type                        | Description                              | Listeners    | Arch
----------------------------|------------------------------------------|--------------|----------
HTML Application            | .hta file with embedded VBScript         | Egress only  | x86 only
MS Office Macro             | VBA for macro-enabled Word/Excel         | Egress only  | x86 + x64
Stager Payload Generator    | Stager in C, C#, PS, Python, VBA         | Egress only  | x86 + x64
Stageless Payload Generator | Full payload, exit function option       | Egress + P2P | x86 + x64
Windows Stager Payload      | Pre-compiled EXE, Service EXE, DLL       | Egress only  | x86 + x64
Windows Stageless Payload   | Pre-compiled EXE, DLL, shellcode, PS     | Egress + P2P | x86 + x64
Generate All Payloads       | Every stageless variant for all listeners | All          | x86 + x64

(S) indicates a stageless payload. Staged payloads are smaller but more easily signatured.


Staged vs Stageless

  • Staged: Small initial stager fetches full payload. Useful for size-constrained delivery but creates an additional network callback.
  • Stageless: Full payload in one binary. Larger on disk but no second fetch.

Reference: Staged vs Stageless Handlers


Creating Listeners

Via the CS GUI: Cobalt Strike > Listeners > Add

Generate all payloads after creating listeners:

Payloads > Windows Stageless Generate All Payloads

Save to C:\Payloads for quick access.


Interacting with Beacons

  1. Execute a beacon (e.g. http_x64.exe)
  2. Double-click the new session in the teamserver UI to interact
  3. The beacon CLI honours many standard Linux commands. Use help for CS-specific commands.

Adjust check-in interval:

sleep <seconds>

OPSEC: Lower sleep values are noisier on the wire. The more traffic, the more likely detection.

DNS beacons don’t send metadata initially. Issue checkin to populate session data.

Connect to a P2P listener:

connect <target_ip> <port>

Pivot Listeners

Pivot listeners are created on an existing Beacon (not via the Listeners menu). They work as reverse TCP listeners for chaining.

  1. Right-click beacon → Pivoting > Listener
  2. Listener details auto-populate (don’t change unless tunnelling)
  3. Payload type is limited to reverse TCP
  4. Click Save — the listener binds. Generate a new payload for it as normal.

See also: 3. Payload Generation