Cobalt Strike listeners listen for incoming connections from beacon payloads.

Egress Listener

An egress listener lets beacons talk directly to the team server, which sits outside the target network; every other listener type below eventually relays through a beacon that uses one of these.

HTTP listener

C2 traffic (tasking, output and any exfiltrated data) over HTTP(S)

  • use an unremarkable, innocent-looking domain name (needless to say, don't use bare IP addresses if you can help it)

DNS listener

carries C2 (and any exfiltrated data) through DNS queries; the team server must be the authoritative name server for a delegated subdomain so the queries reach it

  • Create the DNS records for the team server first, e.g. for example.com:
    • @ (A) = team server IP
    • ns1 (A) = team server IP
    • exfil (NS) = ns1.example.com.
    The NS record delegates exfil.example.com to the team server, so every query under that label ends up at the listener.
  • Put exfil.example.com in the listener's DNS Hosts field (of course, don't use such a name in practice; something more harmless like pics fits better).
  • OPSEC warning: by default a DNS listener answers 0.0.0.0 to A queries it has nothing to send for (idle beacons, and anyone probing the subdomain), which can be used to fingerprint Cobalt Strike. Change this with the dns_idle setting in the dns-beacon block of the Malleable C2 profile, using a plausible-looking address.
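Once the records exist, both the delegation and the 0.0.0.0 fingerprint can be checked from any host with Resolve-DnsName. The following PowerShell is an added example, not part of the original notes or of Cobalt Strike; the zone example.com, the ns1 and exfil labels and the probe label are assumptions carried over from the list above.

```powershell
# Added example (not from the original notes): verify the DNS delegation for a
# DNS listener and then check the 0.0.0.0 fingerprint from the outside.
# Assumptions: the zone is example.com, ns1.example.com is the team server and
# the delegated label is exfil (use a more innocuous label in a real engagement).
$Zone       = 'example.com'
$NameServer = "ns1.$Zone"
$Delegated  = "exfil.$Zone"

# 1. Does public DNS hand out the NS delegation and the glue A record?
$ns = Resolve-DnsName -Name $Delegated -Type NS -DnsOnly -ErrorAction Stop
$ns | Where-Object { $_.Type -eq 'NS' } |
    ForEach-Object { "NS for $Delegated -> $($_.NameHost)" }

$glue = Resolve-DnsName -Name $NameServer -Type A -DnsOnly -ErrorAction Stop
$srv  = ($glue | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
"A for $NameServer -> $srv"

# 2. Ask the team server directly for a label no beacon will ever use.
#    A stock DNS listener answers 0.0.0.0 here; that answer is the fingerprint
#    that dns_idle in the Malleable C2 profile is meant to remove.
$probe = 'probe-' + [guid]::NewGuid().ToString('N').Substring(0, 8) + ".$Delegated"
$ans   = Resolve-DnsName -Name $probe -Type A -Server $srv -DnsOnly -ErrorAction SilentlyContinue

if ($ans -and ($ans | Where-Object { $_.IPAddress -eq '0.0.0.0' })) {
    Write-Warning "$srv answered 0.0.0.0 for $probe : dns_idle is still the default"
} elseif ($ans) {
    "$srv answered $(($ans | Select-Object -First 1).IPAddress) for $probe"
} else {
    "No answer from $srv for $probe (delegation not live or listener not reachable)"
}
```

Run it after the listener is started; the second step only proves something once the team server is actually answering on UDP 53, and a random label is used so that the probe cannot be mistaken for beacon traffic.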

Peer-to-Peer Listener

A P2P listener is used by a child beacon that talks to a parent (egress) beacon instead of the team server, so the traffic stays inside the target network. This is helpful for reducing traffic to the team server (better stealth) and for machines where the beacon simply cannot reach the team server at all.

SMB listener

  • No configuration, except the name of the named pipe
  • OPSEC warning: do not use the default pipe name (easy fingerprinting). Run ls \\.\pipe\ in PowerShell on a Windows machine to see which pipe names are common there, and mimic one of those families. For example, RDP creates TSVCPIPE-* pipes such as TSVCPIPE-f85b1a66-c4cd-4d8c-a489-e5518d23fbbb; generate a fresh random UUIDv4 rather than copying this one.
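To pick a name from what the host already exposes, the following PowerShell (an added example, not part of the original notes; the TSVCPIPE prefix and the Cobalt Strike default msagent_## are the only real specifics, everything else is illustrative) lists the pipes, groups them by family, and generates a TSVCPIPE-style name with a fresh UUIDv4:

```powershell
# Added example (not from the original notes): survey the named pipes that
# already exist on a Windows host, then pick an SMB-listener pipe name that
# blends in with them. The grouping rule and output limits are illustrative.
$pipes = Get-ChildItem -Path '\\.\pipe\' | Select-Object -ExpandProperty Name

# Group the names by their leading token so the common families stand out
# (e.g. TSVCPIPE-* from RDP, or the fixed service pipes like srvsvc).
$pipes |
    ForEach-Object { ($_ -split '[-_.]')[0] } |
    Group-Object |
    Sort-Object -Property Count -Descending |
    Select-Object -First 15 -Property Count, Name

# Pick a look-alike: an RDP-style TSVCPIPE name with a fresh UUIDv4.
# Never ship the stock default (msagent_## in the default profile) or a
# name that already exists on the box, which would fail to bind anyway.
$candidate = 'TSVCPIPE-' + [guid]::NewGuid().ToString()
if ($pipes -contains $candidate) { throw "collision: $candidate already exists" }
"Use this in the SMB listener's pipe name field: $candidate"

# After the beacon is running, list the pipes again: the new name should sit
# unremarkably among the existing TSVCPIPE-* entries.
```

Because [guid]::NewGuid() is version 4, the generated suffix has the same shape as the genuine RDP pipes, so the name only stands out to someone who correlates it with the owning process.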

TCP listener

  • Only the port number is needed
  • Create one listener bound to localhost only and another bound to 0.0.0.0. They can share the same port number, since each is only a listener definition and the port is bound by the beacon that runs the payload.

Pivot Listener

A pivot listener listens on an existing beacon, and a Beacon reverse TCP payload connects to it afterwards. In contrast, a normal P2P bind Beacon TCP payload listens on/binds to a port on 0.0.0.0, and we have to actively connect to the payload with the connect command from a Beacon session.

To create a pivot listener, right click on an existing beacon and choose Pivoting > Listener. Now you can generate a payload for it.

It shows up in the beacon console as rportfwd $LISTEN_PORT windows/beacon_reverse_tcp, but this command does not actually work.

Note: Windows Defender raises an alert on the beaconed machine when the pivot listener is created; this still needs a way to be handled.