The DNS Beacon is a favorite Cobalt Strike feature. This payload uses DNS requests to beacon back to you. These DNS requests are lookups against domains that your Cobalt Strike team server is authoritative for. The DNS response tells Beacon to go to sleep or to connect to you to download tasks. The DNS response will also tell the Beacon how to download tasks from your team server.
In Cobalt Strike 4.0 and later, the DNS Beacon is a DNS-only payload. There is no HTTP communication mode in this payload. This is a change from prior versions of the product.
Today, the DNS Beacon can download tasks over DNS TXT records, DNS AAAA records, or DNS A records. This payload has the flexibility to change between these data channels while it's on target. Use Beacon's mode command to change the current Beacon's data channel: mode dns selects the DNS A record data channel, mode dns6 selects the DNS AAAA record data channel, and mode dns-txt selects the DNS TXT record data channel. The default is the DNS TXT record data channel.
Be aware that DNS Beacon does not check in until there's a task available. Use the checkin command to request that the DNS Beacon check in next time it calls home.
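The traffic these data channels produce has a recognisable shape from the defender's side: one client repeatedly resolving distinct, random-looking subdomains under a single base domain, carried in TXT, AAAA or A lookups. The script below is an added detection example, not code from this page or from Cobalt Strike; it parses constructed DNS query log lines (the format, the hosts and the domain names are all invented for the example) and flags (client, base domain) pairs with many distinct high-entropy leftmost labels. The "base domain is the last two labels" rule is an assumption that a real deployment would replace with a public-suffix list.

```python
"""Flag DNS clients whose query pattern resembles a DNS data channel:
many distinct, high-entropy leftmost labels under one base domain,
carried in TXT, AAAA or A lookups."""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<timestamp> <client> <qtype> <qname>".
# These lines are invented for this example and are not from any real capture.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 TXT a1f9c3e7b2d4.cdn.example.net.
2024-01-01T10:00:30 10.0.0.5 A www.example.com.
2024-01-01T10:01:00 10.0.0.5 TXT 9e8d7c6b5a40.cdn.example.net.
2024-01-01T10:02:00 10.0.0.5 TXT 0f1e2d3c4b5a.cdn.example.net.
2024-01-01T10:03:00 10.0.0.5 TXT 7a6b5c4d3e2f.cdn.example.net.
2024-01-01T10:04:00 10.0.0.5 TXT c0ffee123456.cdn.example.net.
2024-01-01T10:00:10 10.0.0.7 A www.example.com.
2024-01-01T10:00:20 10.0.0.7 AAAA mail.example.com.
2024-01-01T10:00:40 10.0.0.7 TXT _dmarc.example.com.
this line is malformed and is skipped
"""

# The record types the page names as DNS Beacon data channels.
DATA_CHANNEL_QTYPES = {"TXT", "AAAA", "A"}


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label (0.0 for an empty label)."""
    if not label:
        return 0.0
    counts = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (leftmost_label, base_domain). Assumption: the base domain is the
    last two labels; a public-suffix list would be needed for names like co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return labels[0], ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (client, qtype, qname) tuples, skipping lines without exactly four fields."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        _ts, client, qtype, qname = fields
        yield client, qtype.upper(), qname


def score_clients(text: str, min_names: int = 5, min_entropy: float = 3.0) -> dict:
    """Group queries by (client, base_domain) and flag groups with at least
    min_names distinct leftmost labels whose mean entropy is >= min_entropy."""
    groups = defaultdict(lambda: {"labels": set(), "qtypes": defaultdict(int)})
    for client, qtype, qname in parse_log(text):
        if qtype not in DATA_CHANNEL_QTYPES:
            continue
        label, base = split_name(qname)
        if not label:
            continue  # apex or two-label name: no subdomain to carry data
        group = groups[(client, base)]
        group["labels"].add(label)
        group["qtypes"][qtype] += 1

    flagged = {}
    for key, group in groups.items():
        if len(group["labels"]) < min_names:
            continue
        mean_ent = sum(shannon_entropy(l) for l in group["labels"]) / len(group["labels"])
        if mean_ent >= min_entropy:
            flagged[key] = {
                "distinct_names": len(group["labels"]),
                "mean_entropy": round(mean_ent, 3),
                "qtypes": dict(group["qtypes"]),
            }
    return flagged


if __name__ == "__main__":
    for (client, base), stats in score_clients(SAMPLE_LOG).items():
        print(f"{client} -> {base}: {stats}")
```

On the sample log only 10.0.0.5's TXT lookups under example.net are flagged; 10.0.0.7's handful of ordinary www, mail and _dmarc lookups fall below the distinct-name threshold. The thresholds are starting points: CDNs and some telemetry services also generate hashed subdomains, so the flagged pairs are candidates for review against an allow-list rather than alerts on their own.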
To create a DNS Beacon listener: go to Cobalt Strike -> Listeners, press Add, and select Beacon DNS as the Payload type.
Press [+] to add one or more domains to beacon to. Your Cobalt Strike team server system must be authoritative for the domains you specify. Create a DNS A record and point it to your Cobalt Strike team server. Use DNS NS records to delegate several domains or sub-domains to your Cobalt Strike team server's A record.
The length of the beacon host list in the beacon payload is limited to 255 characters. This includes a randomly assigned URI for each host and delimiters between each item in the list. If the length is exceeded, hosts will be dropped from the end of the list until it fits in the space. There will be messages in the team server log for dropped hosts.
The Host Rotation Strategy field configures the beacon's behavior for choosing which host(s) from the list to use for egress.

| Strategy | Behavior |
|---|---|
| round-robin | Loop through the list of host names in the order they are provided. Each host is used for one connection. |
| random | Randomly select a host name from the list each time a connection is attempted. |
| failover-xx | Use a working host as long as possible. Use each host in the list until it reaches a consecutive failover count (x) or duration time period (m,h,d), then use the next host. |
| duration-xx | Use each host for a period of time. Use each host in the list for the specified duration (m,h,d), then use the next host. |
The DNS Host (Stager) field configures the DNS Beacon's TXT record stager. This stager is only used with Cobalt Strike features that require an explicit stager. Your Cobalt Strike team server system must be authoritative for this domain as well.
The Profile field allows a beacon to be configured with a selected profile variant from Malleable C2 configuration.
The DNS Resolver allows a DNS Beacon to egress using a specific DNS resolver, rather than using the default DNS resolver for the target server. Specify the IP Address of the desired resolver.
To test your DNS configuration, open a terminal and type nslookup jibberish.<beacon domain>, where jibberish is any made-up subdomain of one of the domains you added to the listener. If you get an A record reply of 0.0.0.0, then your DNS is correctly set up. If you do not get a reply, then your DNS configuration is not correct and the DNS Beacon will not communicate with you.
Make sure your DNS records reference the primary address on your network interface. Cobalt Strike’s DNS server will always send responses from your network interface’s primary address. DNS resolvers tend to drop replies when they request information from one server, but receive a reply from another.
If you are behind a NAT device, make sure that you use your public IP address for the NS record and set your firewall to forward UDP traffic on port 53 to your system. Cobalt Strike includes a DNS server to control Beacon.