From aldeid
Jump to navigation Jump to search
You are here
Beacon Commands


These commands are built into Beacon and rely on Win32 APIs to meet their objectives.

Command Syntax Description Output example
cd cd change directory on host
cp cp [source file] [dest file] Copy source file to the specified destination
  • connect [target]
  • connect [port]
  • Connect to a TCP-Beacon and re-establish control of it. All requests for connected beacon will go through this beacon.
  • Use unlink to disconnect from a TCP-Beacon
download download [file] Download a file. Go to View > Downloads to see it
drives drives list drives on current system drives: C:, D:
exit exit terminate the beacon session
getprivs getprivs enable as many system privileges as possible on current token
getuid getuid prints the User ID associated with the current token You are WS10\sebastien
jobkill jobkill [job ID] Stop a long-running post-exploitation task
kill kill [process ID] kills the specified process
link link [ip address] link to the beacon at the specified IP address
ls ls [folder] lists files in a folder
make_token make_token[DOMAIN\user] [password] Clone the current access token and set it up to pass the specified username and password when you interact with network resources. This command does not validate the credentials you provide and it has no effect on local actions.
mkdir mkdir [folder] Make a directory
mv mv [source file] [dest file] Move source file to the specified destination
ps ps show running processes
pwd pwd show current working directory of this beacon
rev2self rev2self Revert to your original access token
rm rm [folder] removes a file or folder
  • rportfwd [bind port] [forward host] [forward port]
  • rportfwd stop [bind port]
binds the specified port on the target host. When a connection comes in, Cobalt Strike will make a connection to the forwarded host/port and use Beacon to relat traffic between the two connections.
setenv setenv [key] [value] set an environment variable
socks port]
  • Starts a SOCKS4a server on teh specified port. This server will relat connections through this Beacon.
  • Use socks stop to stop the SOCKS4a server and terminate existing connections.
  • Traffic will not relat while Beacon is asleep. Change the sleep time with the sleep command to reduce latency.
steal_token steal_token [pid] Steal an access token from a process.
  • unlink [ip address]
  • unlink [ip address] [pid]
  • Disconnect from a named pipe or TCP Beacon.
  • Specify an IP address or an IP address and session PID to disconnect a specific Beacon
upload upload [/path/to/file] Upload a file to host

House-keeping Commands

The following commands are built into Beacon and exist to configure Beacon or perform house-keeping actions. Some of these commands (e.g., clear, downloads, help, mode, note) do not generate a task for Beacon to execute.

Command Syntax Description Output example
  • argue [command] [fake arguments]
  • argue [command]
  • argue
  • Spoof [fake arguments] for [command] processes launched by Beacon. This options does not affect runu/spawnu, runas/spawnas, or post-ex jobs
  • Use argue [command] to disable this feature for the specified command.
  • Use argue by itself to list programs with defined spoofed arguments.
  • blockdlls start
  • blockdlls stop
  • Launch child processes with a binary signature policy that blocks non-Microsoft DLLs from loading into the child process.
  • Use blockdlss stop to disable this behavior.
  • This feature requires Windows 10 / Windows Server 2012 or later
cancel cancel [*file*] Cancels a download that is currently in progress. Wildcards are OK.
checkin checkin Forces DNS Beacon to connect to you. During a checkin Beacon posts its host metadata and dumps logged keystrokes.
clear clear Clear beacon queue
downloads downloads Lists file downloads currently in progress
help help [command] Display help for a command
jobs jobs List long-running post-exploitation tasks.
mode dns mode dns Get taks with DNS A record requests. Use this option to communicate with DNS when TXT records are not an option. Sends data as DNS requests with data encoded inside of the hostname.
mode dns6 mode dns6 Get taks with DNS AAAA record requests. Use this option to communicate with DNS when TXT records are not an option. Sends data as DNS requests with data encoded inside of the hostname.
mode dns-txt mode dns-txt Get tasks with DNS TXT record requests. This channel carries 189 bytes per request versus 4 bytes for a DNS A record request. Sends data with the same technique as the other DNS mode.
note note [text] Assigns a note to this Beacon
powershell-import powershell-import [/path/to/local/script.ps1] Import a powershell script which is combined with future calls to the powershell command. You may only use one imported script at a time.
ppid ppid [pid]
  • User specified PID as parent for processes Beacon launches. The runas command is not affected, but most other commands are.
  • Type ppid by itself to reset to default behavior.
Do not specify a parent PID in another desktop session. This may break several of Beacon's features and workflows. User runu if you want to run a command under a parent in another desktop session.
sleep sleep [time in seconds] <jitter>
  • Change how often the beacon calls home. Use sleep 0 to force Beacon to call home many times each second.
  • Specify a jitter value (0-99) to force Beacon to randomly modify its sleep time.
socks stop

Inline Execute (BOF)

The following commands are implemented as internal Beacon Object Files. A Beacon Object File is a compiled C program, written to a certain convention, that executes within a Beacon session. The capability is cleaned up after it finishes running.

elevate svc-exe
elevate uac-token-duplication
jump psexec
jump psexec64
jump psexec_psh
net domain
reg query
reg queryv
remote-exec psexec
runasadmin uac-cmstplua
runasadmin uac-token-duplication

Post-Exploitation Jobs (Fork&Run)

Many Beacon post-exploitation features spawn a process and inject a capability into that process. Some people call this pattern fork&run. Beacon does this for a number of reasons: (i) this protects the agent if the capability crashes. (ii) historically, this scheme makes it seamless for an x86 Beacon to launch x64 post-exploitation tasks. This was critical as Beacon didn't have an x64 build until 2016. (iii) Some features can target a specific remote process. This allows the post-ex action to occur within different contexts without the need to migrate or spawn a payload in that other context. And (iv) this design decision keeps a lot of clutter (threads, suspicious content) generated by your post-ex action out of your Beacon process space. Here are the features that use this pattern:

Fork & Run Only

net *

Target Explicit Process


Process Execution

Spawn a new process

These commands spawn a new process:


Process Execution (cmd.exe)

The shell command depends on cmd.exe. Use run to run a command and get output without cmd.exe

The pth command relies on cmd.exe to pass a token to Beacon via a named pipe. The command pattern to pass this token is an indicator some host-based security products look for. Read How to Pass-the-Hash with Mimikatz for instructions on how to do this manually.

Process Execution (powershell.exe)

The following commands launch powershell.exe to perform some task on your behalf.

jump winrm
jump winrm64
remote-exec winrm
remote-exec wmi

Process Injection

Process Injection (Remote)

The post-exploitation job commands (previously mentioned) rely on process injection too. The other commands that inject into a remote process are:


Process Injection (Spawn&Inject)

These commands spawn a temporary process and inject a payload or shellcode into it:

elevate uac-token-duplication

Service Creation

The following internal Beacon commands create a service (either on the current host or a remote target) to run a command. These commands use Win32 APIs to create and manipulate services.

elevate svc-exe
jump psexec
jump psexec64
jump psexec_psh
remote-exec psexec