Keystroke Logging with Beacon

December 12, 2012

I feel asynchronous low and slow C2 is a missing piece in the penetration tester’s toolkit. Beacon is Cobalt Strike’s answer to this problem. Beacon periodically phones home to check for tasks. It can perform this check using the DNS or HTTP protocols. When tasks are available, it’ll download them as an encrypted blob using an HTTP request. One nicety: Beacon can communicate with multiple domains, making it resilient to blocking. I announced Beacon in September.

The first release of Beacon served as a light-weight remote administration tool. Something you could use to spawn a session or execute commands on a compromised system. Now, Beacon is turning into a tool for silently collecting information on your behalf.

Today’s Cobalt Strike update adds a keystroke logger to Beacon. The longer you log keystrokes, the better your chances of getting actionable information from the activity. With Beacon, you do not have to be connected to the target to observe their keystrokes. Beacon will try to communicate with you on its schedule, and when it’s able to receive your command, it will post the keystrokes to you as an encrypted blob.
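Seen from the defender's side, the scheduled check-in described above leaves a timing pattern in proxy logs. The following is an added example, not code from the original post or from Cobalt Strike: it flags client/destination pairs whose request gaps are unusually regular. The log format, hosts and thresholds are constructed assumptions, and because it scores each pair separately, check-ins spread across several domains would need grouping by client first.

```python
import statistics
from collections import defaultdict

# Constructed sample proxy log lines: "<epoch_seconds> <client_ip> <dest_host>".
SAMPLE_LOG = "\n".join(
    # Workstation checking in roughly every 60 s (small timing drift).
    [f"{1000 + 60 * i + d} 10.0.0.5 cdn.example.net"
     for i, d in enumerate([0, 2, -1, 1, 0, -2, 1, 0, 2, -1])]
    # Interactive browsing: bursts and long gaps.
    + [f"{t} 10.0.0.8 news.example.org"
       for t in [1003, 1005, 1006, 1190, 1192, 1500, 1501, 1504, 1980, 2400]]
    # Too few requests to judge either way.
    + [f"{t} 10.0.0.9 mail.example.com" for t in [1100, 1160, 1220]]
)


def parse(log_text):
    """Group request timestamps by (client, destination)."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue  # skip malformed lines rather than abort the hunt
        series[(parts[1], parts[2])].append(int(parts[0]))
    return series


def find_periodic(log_text, min_requests=8, max_cv=0.10):
    """Return [(client, dest, mean_gap, cv)] for pairs with machine-like timing.
    cv = stdev/mean of the gaps between requests; near 0 means a fixed schedule.
    """
    hits = []
    for (client, dest), times in parse(log_text).items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # identical timestamps carry no interval information
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append((client, dest, round(mean, 1), round(cv, 3)))
    return sorted(hits, key=lambda h: h[3])


if __name__ == "__main__":
    for client, dest, mean, cv in find_periodic(SAMPLE_LOG):
        print(f"{client} -> {dest}: every ~{mean}s (cv={cv})")
```

Raising `max_cv` catches schedules with more timing variation at the cost of more false positives from software updaters and other legitimate pollers.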

The keystroke logger keeps track of keystrokes and associates them with the active window at the time. This makes the information more useful than a stream of characters without context.

Use keylogger start to start the keystroke logger. To request a dump of keystrokes, use the keylogger command by itself. keylogger stop will stop the keylogger.

[Image: keylogging with Beacon]

For the keystroke logger to work, Beacon must live inside of a process associated with the current desktop. explorer.exe is a good candidate. To see a list of processes, use shell tasklist. To inject Beacon into a specific process, this release adds an inject command to inject a predefined listener into a process.

To improve Beacon’s survival, Beacon now spawns a new process to inject shellcode into by default. If the injected shellcode crashes its parent process, it will not take Beacon with it.

Pretty cool, eh?

Cobalt Strike’s 12.12.12 update includes several other improvements too. The System Profiler now better detects local IP addresses. Windows 8 systems have their own icon now. And there are several bug fixes too. See the release notes for more information.

Licensed Cobalt Strike users may run the update program to get the latest. A 21-day Cobalt Strike trial is available too.
