Cobalt-Strike/Beacon-Commands

From aldeid
Beacon Commands

API-only

These commands are built into Beacon and rely on Win32 APIs to meet their objectives.

Each entry lists the command, its syntax, what it does and, where the original page shows one, example output.

cd
  • cd [directory]
  • Change the current working directory on the host.
cp
  • cp [source file] [dest file]
  • Copy the source file to the specified destination.
connect
  • connect [target]
  • connect [target] [port]
  • Connect to a TCP Beacon and re-establish control of it. All requests for the connected Beacon will go through this Beacon.
  • Use unlink to disconnect from a TCP Beacon.
download
  • download [file]
  • Download a file. Go to View > Downloads to see it.
drives
  • drives
  • List drives on the current system.
  • Example output: drives: C:, D:
exit
  • exit
  • Terminate the Beacon session.
getprivs
  • getprivs
  • Enable as many system privileges as possible on the current token.
  • Example output:
    SeShutdownPrivilege
    SeChangeNotifyPrivilege
    SeUndockPrivilege
getuid
  • getuid
  • Print the user ID associated with the current token.
  • Example output: You are WS10\sebastien
inline-execute
  • inline-execute [/path/to/file.o] [entry] [args]
  • Run a Beacon Object File (BOF) inside the current Beacon session (see Inline Execute (BOF) below).
jobkill
  • jobkill [job ID]
  • Stop a long-running post-exploitation task.
kill
  • kill [process ID]
  • Kill the specified process.
link
  • link [ip address]
  • Link to the named pipe (SMB) Beacon at the specified IP address.
ls
  • ls [folder]
  • List files in a folder.
make_token
  • make_token [DOMAIN\user] [password]
  • Clone the current access token and set it up to pass the specified username and password when you interact with network resources. This command does not validate the credentials you provide and it has no effect on local actions.
mkdir
  • mkdir [folder]
  • Make a directory.
mv
  • mv [source file] [dest file]
  • Move the source file to the specified destination.
ps
  • ps
  • Show running processes.
pwd
  • pwd
  • Show the current working directory of this Beacon.
rev2self
  • rev2self
  • Revert to your original access token.
rm
  • rm [file|folder]
  • Remove a file or folder.
rportfwd
  • rportfwd [bind port] [forward host] [forward port]
  • rportfwd stop [bind port]
  • Bind the specified port on the target host. When a connection comes in, Cobalt Strike will make a connection to the forwarded host/port and use Beacon to relay traffic between the two connections.
setenv
  • setenv [key] [value]
  • Set an environment variable.
socks
  • socks [port]
  • socks stop
  • Start a SOCKS4a server on the specified port. This server will relay connections through this Beacon.
  • Use socks stop to stop the SOCKS4a server and terminate existing connections.
  • Traffic will not relay while Beacon is asleep. Change the sleep time with the sleep command to reduce latency.
steal_token
  • steal_token [pid]
  • Steal an access token from a process.
unlink
  • unlink [ip address]
  • unlink [ip address] [pid]
  • Disconnect from a named pipe or TCP Beacon.
  • Specify an IP address, or an IP address and session PID, to disconnect a specific Beacon.
upload
  • upload [/path/to/file]
  • Upload a file to the host.
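The socks command above opens a SOCKS4a listener on the team server; a client such as proxychains speaks the SOCKS4a wire format to that port and the team server tasks Beacon with the actual connection. The block below is an added example (not Cobalt Strike's or the wiki's code) that parses that request format and builds the reply, so you can see what the proxy side accepts: the "0.0.0.x" destination marker with a trailing NUL-terminated hostname is what distinguishes a SOCKS4a request (name resolved on the Beacon side) from a plain SOCKS4 request carrying an IPv4 address. The sample requests, the userid "beacon" and the host "login.example.net" are constructed for the example; the CONNECT-only policy in decide() is an assumption, not Beacon's behaviour.

```python
"""SOCKS4/SOCKS4a request parser and reply builder (constructed example)."""
import socket
import struct
from dataclasses import dataclass

CONNECT, BIND = 1, 2          # SOCKS4 CD field
GRANTED, REJECTED = 0x5A, 0x5B  # SOCKS4 reply codes 90 / 91


class Socks4Error(ValueError):
    """Malformed, incomplete or unsupported SOCKS4/4a request."""


@dataclass
class Socks4Request:
    command: int
    port: int
    host: str      # dotted IPv4, or a hostname when is_4a is True
    userid: bytes
    is_4a: bool


def parse_socks4a_request(buf: bytes) -> tuple[Socks4Request, int]:
    """Parse one request from buf; return (request, bytes consumed).

    Raises Socks4Error for a bad header, and also when a NUL terminator
    has not arrived yet (a real server would then wait for more bytes).
    """
    if len(buf) < 9:
        raise Socks4Error("need at least 9 bytes")
    version, command, port, raw_ip = struct.unpack("!BBH4s", buf[:8])
    if version != 4:
        raise Socks4Error(f"unsupported version {version}")
    if command not in (CONNECT, BIND):
        raise Socks4Error(f"unknown command {command}")
    end = buf.find(b"\x00", 8)
    if end == -1:
        raise Socks4Error("USERID not NUL-terminated")
    userid = buf[8:end]
    consumed = end + 1
    # SOCKS4a marker: DSTIP of the form 0.0.0.x with x != 0, hostname follows
    is_4a = raw_ip[:3] == b"\x00\x00\x00" and raw_ip[3] != 0
    if is_4a:
        end = buf.find(b"\x00", consumed)
        if end == -1:
            raise Socks4Error("hostname not NUL-terminated")
        host = buf[consumed:end].decode("ascii")
        consumed = end + 1
    else:
        host = socket.inet_ntoa(raw_ip)
    return Socks4Request(command, port, host, userid, is_4a), consumed


def build_socks4_reply(granted: bool, port: int = 0, ip: bytes = b"\x00" * 4) -> bytes:
    """8-byte reply: VN=0, CD=90 (granted) or 91 (rejected), DSTPORT, DSTIP."""
    return struct.pack("!BBH4s", 0, GRANTED if granted else REJECTED, port, ip)


def decide(buf: bytes) -> tuple[bytes, int]:
    """Assumed policy for a forwarding-only relay: grant CONNECT, reject the rest."""
    try:
        req, consumed = parse_socks4a_request(buf)
    except Socks4Error:
        return build_socks4_reply(False), 0
    if req.command != CONNECT:
        return build_socks4_reply(False), consumed
    return build_socks4_reply(True), consumed


if __name__ == "__main__":
    # constructed SOCKS4a request: CONNECT login.example.net:443, userid "beacon"
    req = (struct.pack("!BBH4s", 4, CONNECT, 443, b"\x00\x00\x00\x01")
           + b"beacon\x00" + b"login.example.net\x00")
    parsed, n = parse_socks4a_request(req)
    print(parsed, "consumed", n, "of", len(req))
    print("reply:", decide(req)[0].hex())
```

Because Beacon only services the relay when it checks in, every CONNECT above pays at least one sleep interval of latency before data flows, which is why the socks entry tells you to lower sleep while proxying.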

House-keeping Commands

The following commands are built into Beacon and exist to configure Beacon or perform house-keeping actions. Some of these commands (e.g., clear, downloads, help, mode, note) do not generate a task for Beacon to execute.

Each entry lists the command, its syntax and what it does.

argue
  • argue [command] [fake arguments]
  • argue [command]
  • argue
  • Spoof [fake arguments] for [command] processes launched by Beacon. This option does not affect runu/spawnu, runas/spawnas, or post-ex jobs.
  • Use argue [command] to disable this feature for the specified command.
  • Use argue by itself to list programs with defined spoofed arguments.
blockdlls
  • blockdlls start
  • blockdlls stop
  • Launch child processes with a binary signature policy that blocks non-Microsoft DLLs from loading into the child process.
  • Use blockdlls stop to disable this behavior.
  • This feature requires Windows 10 / Windows Server 2016 or later, where the underlying process mitigation policy exists.
cancel
  • cancel [*file*]
  • Cancel a download that is currently in progress. Wildcards are OK.
checkin
  • checkin
  • Force the DNS Beacon to connect to you. During a checkin, Beacon posts its host metadata and dumps logged keystrokes.
clear
  • clear
  • Clear the Beacon task queue.
downloads
  • downloads
  • List file downloads currently in progress.
help
  • help [command]
  • Display help for a command.
jobs
  • jobs
  • List long-running post-exploitation tasks.
mode dns
  • mode dns
  • Get tasks with DNS A record requests. Use this option to communicate over DNS when TXT records are not an option. Sends data as DNS requests with the data encoded inside the hostname.
mode dns6
  • mode dns6
  • Get tasks with DNS AAAA record requests. Use this option to communicate over DNS when TXT records are not an option. Sends data as DNS requests with the data encoded inside the hostname.
mode dns-txt
  • mode dns-txt
  • Get tasks with DNS TXT record requests. This channel carries 189 bytes per request versus 4 bytes for a DNS A record request. Sends data with the same technique as the other DNS modes.
note
  • note [text]
  • Assign a note to this Beacon.
powershell-import
  • powershell-import [/path/to/local/script.ps1]
  • Import a PowerShell script which is combined with future calls to the powershell command. You may only use one imported script at a time.
ppid
  • ppid [pid]
  • ppid
  • Use the specified PID as the parent for processes Beacon launches. The runas command is not affected, but most other commands are.
  • Type ppid by itself to reset to default behavior.
  • Warning: do not specify a parent PID in another desktop session. This may break several of Beacon's features and workflows. Use runu if you want to run a command under a parent in another desktop session.
sleep
  • sleep [time in seconds] <jitter>
  • Change how often the Beacon calls home. Use sleep 0 to force Beacon to call home many times each second.
  • Specify a jitter value (0-99) to force Beacon to randomly modify its sleep time.
socks stop
  • socks stop
  • Stop the SOCKS4a server started with socks [port] and terminate its existing connections.
spawnto
  • spawnto [x86|x64] [c:\path\to\program.exe]
  • spawnto
  • Set the executable Beacon spawns (and injects into) when a command needs a temporary process, such as the post-exploitation jobs below. Type spawnto by itself to reset to the default.
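The three DNS modes above differ only in how much task data one answer can carry: 4 bytes per A record, 16 per AAAA record (the size of an IPv6 address) and 189 per TXT record, while upstream data always travels inside the queried hostname. The block below is an added example (not Cobalt Strike's or the wiki's code) that models that channel: it packs upstream bytes into hostnames within the DNS label and name length limits, reverses the packing, and computes how many requests each mode needs to pull a task of a given size. The hex label encoding and the domain "c2.example.com" are constructed for the example; Beacon's actual encoding is not reproduced.

```python
"""Capacity model for Beacon's DNS task modes (constructed example)."""
import math

# downstream bytes per answer, from the mode dns / dns6 / dns-txt entries
BYTES_PER_ANSWER = {"dns": 4, "dns6": 16, "dns-txt": 189}
MAX_LABEL = 63   # RFC 1035 limit for a single label
MAX_NAME = 253   # practical limit for a dotted hostname


def encode_upstream(data: bytes, domain: str) -> list[str]:
    """Pack data into the fewest hostnames under domain, hex in each label."""
    hexdata = data.hex()
    names, pos = [], 0
    while pos < len(hexdata):
        labels, used = [], len(domain)
        while pos < len(hexdata):
            room = MAX_NAME - used - 1          # one dot joins the new label
            take = min(MAX_LABEL, room, len(hexdata) - pos)
            take -= take % 2                    # keep whole bytes in a label
            if take <= 0:
                break
            labels.append(hexdata[pos:pos + take])
            pos += take
            used += take + 1
        if not labels:
            raise ValueError("domain leaves no room for data")
        names.append(".".join(labels + [domain]))
    return names


def decode_upstream(names: list[str], domain: str) -> bytes:
    """Inverse of encode_upstream: strip the domain, join the labels, un-hex."""
    suffix = "." + domain
    chunks = []
    for name in names:
        if not name.endswith(suffix):
            raise ValueError(f"{name!r} is not under {domain}")
        chunks.append(name[: -len(suffix)].replace(".", ""))
    return bytes.fromhex("".join(chunks))


def queries_for_task(task_len: int, mode: str) -> int:
    """Requests Beacon must issue to retrieve a task_len-byte task in mode."""
    return math.ceil(task_len / BYTES_PER_ANSWER[mode])


if __name__ == "__main__":
    domain = "c2.example.com"       # constructed, not a real C2 domain
    payload = bytes(range(256))     # constructed upstream data
    names = encode_upstream(payload, domain)
    print(f"{len(payload)} upstream bytes -> {len(names)} queries, first:")
    print(" ", names[0])
    assert decode_upstream(names, domain) == payload
    for mode in BYTES_PER_ANSWER:
        print(f"{mode:8} needs {queries_for_task(1024, mode):4d} requests for a 1 KiB task")
```

The asymmetry is the operational point: with a 14-character domain each query pushes about 117 bytes up, but a 1 KiB task takes 256 A-record round trips versus 6 with TXT, and every one of them is a long hex-looking subdomain query that is easy to spot in DNS logs, which is why mode dns is only suggested when TXT records are not an option.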

Inline Execute (BOF)

The following commands are implemented as internal Beacon Object Files. A Beacon Object File is a compiled C program, written to a certain convention, that executes within a Beacon session. The capability is cleaned up after it finishes running.

dllload
elevate svc-exe
elevate uac-token-duplication
getsystem
jump psexec
jump psexec64
jump psexec_psh
kerberos_ccache_use
kerberos_ticket_purge
kerberos_ticket_use
net domain
reg query
reg queryv
remote-exec psexec
runasadmin uac-cmstplua
runasadmin uac-token-duplication
timestomp

Post-Exploitation Jobs (Fork&Run)

Many Beacon post-exploitation features spawn a process and inject a capability into that process. Some people call this pattern fork&run. Beacon does this for a number of reasons: (i) this protects the agent if the capability crashes. (ii) historically, this scheme makes it seamless for an x86 Beacon to launch x64 post-exploitation tasks. This was critical as Beacon didn't have an x64 build until 2016. (iii) Some features can target a specific remote process. This allows the post-ex action to occur within different contexts without the need to migrate or spawn a payload in that other context. And (iv) this design decision keeps a lot of clutter (threads, suspicious content) generated by your post-ex action out of your Beacon process space. Here are the features that use this pattern:

Fork & Run Only

covertvpn
dcsync
desktop
execute-assembly
hashdump
keylogger
logonpasswords
mimikatz
net *
portscan
powerpick
pth
screenshot
ssh
ssh-key

Target Explicit Process

browserpivot
desktop
keylogger
psinject
screenshot

Process Execution

Spawn a new process

These commands spawn a new process:

execute
run
runas
runu

Process Execution (cmd.exe)

The shell command depends on cmd.exe. Use run to run a command and get its output without cmd.exe.

The pth command relies on cmd.exe to pass a token to Beacon via a named pipe. The command pattern to pass this token is an indicator some host-based security products look for. Read How to Pass-the-Hash with Mimikatz for instructions on how to do this manually.

Process Execution (powershell.exe)

The following commands launch powershell.exe to perform some task on your behalf.

jump winrm
jump winrm64
powershell
remote-exec winrm
remote-exec wmi

Process Injection

Process Injection (Remote)

The post-exploitation job commands (previously mentioned) rely on process injection too. The other commands that inject into a remote process are:

dllinject
dllload
inject
shinject

Process Injection (Spawn&Inject)

These commands spawn a temporary process and inject a payload or shellcode into it:

elevate uac-token-duplication
shspawn
spawn
spawnas
spawnu

Service Creation

The following internal Beacon commands create a service (either on the current host or a remote target) to run a command. These commands use Win32 APIs to create and manipulate services.

elevate svc-exe
jump psexec
jump psexec64
jump psexec_psh
remote-exec psexec