SMB Beacon

windows/beacon_smb/bind_pipe is Cobalt Strike's SMB Beacon. The SMB Beacon uses named pipes to communicate through a parent Beacon. This peer-to-peer communication works with Beacons on the same host. It also works across the network. Windows encapsulates named pipe communication within the SMB protocol. Hence, the name, SMB Beacon.

You may use the SMB Beacon as a target listener for most of Beacon's features. The features that affect the local host will stage over a TCP connection that’s setup to avoid the ire of the local host-based firewall. Beacon's lateral movement features will stage the SMB Beacon over a named pipe.

You may also export a stagless SMB Beacon executable or DLL. Go to Attacks -> Packages -> Windows Executable (S) and select your SMB Beacon listener.

Actions that stage the SMB Beacon will automatically link to it. If you run a stageless SMB Beacon payload, you must link to the payload to assume control of it.

The SMB Beacon’s localhost-only TCP stager will bind to the port specified in the New Listener dialog. The SMB Beacon’s remote-host named pipe stager will bind to the pipename_stager option from your Malleable C2 profile. The SMB Beacon payload will bind to the pipename option from your Malleable C2 profile.

Linking and Unlinking

From the Beacon console, use link [ip address] to link the current Beacon to an SMB Beacon that is waiting for a connection. When the current Beacon checks in, its linked peers will check in too.

To blend in with normal traffic, linked Beacons use Windows named pipes to communicate. This traffic is encapsulated in the SMB protocol. There are a few caveats to this approach:

1. Hosts with an SMB Beacon must accept connections on port 445.
2. You may only link Beacons managed by the same Cobalt Strike instance.

If you get an error 5 (access denied) after you try to link to a Beacon: steal a domain user's token or use make_token DOMAIN\user password to populate your current token with valid credentials for the target. Try to link to the Beacon again.

To destroy a Beacon link use unlink [ip address] in the parent or child. Later, you may link to the unlinked Beacon again (or link to it from another Beacon).

The Pivot Graph

The Pivot Graph shows your SMB Beacon links in a natural way. Go to Cobalt Strike -> Visualization -> Pivot Graph to enable this view.

Pivot Graph

Each Beacon session has an icon. As with the sessions table: the icon for each host indicates its operating system. If the icon is red with lightning bolds, the Beacon is running in a process with administrator privileges. A darker icon indicates that the Beacon session was asked to exit and it acknowledged this command.

A firewall icon represents the last seen egress point (e.g., a proxy, firewall, or redirector) for a Beacon. Beacon will use a dashed green line to indicate its use of HTTP, HTTPS, or DNS to leave the network.

An orange arrow connecting one Beacon session to another represents a link between two Beacons. Cobalt Strike’s Beacon uses Windows named pipes to control Beacons in this peer-to-peer fashion. A named pipe is an inter-process communication mechanism on Windows. Named pipe traffic that goes host-to-host is encapsulated within the SMB protocol. A red arrow indicates that a Beacon link is broken.

Click a Beacon to select it. You may select multiple Beacons by clicking and dragging a box over the desired hosts. Press Ctrl and Shift and click to select or unselect an individual Beacon.

Right-click a Beacon to bring up a menu with available post-exploitation options.

Right-click the Pivot Graph with no selected Beacons to configure the layout of this graph.