geacon_pro: cross-platform CobaltStrike Beacon bypass anti-virus
geacon_pro supports CobaltStrike version 4.1+
geacon_pro has implemented most functions of Beacon.
The core of bypassing Anti-Virus can be reflected in three aspects:
- There is no CobaltStrike Beacon feature.
- Viruses written in Golang can bypass the detection of antivirus software to a certain extent.
- Some dangerous functions which can be easily detected by antivirus software has been changed to more stealthy implementations.
sleep, shell, upload, download, exit, cd, pwd, file_browse, ps, kill, getuid, mkdir, rm, cp, mv, run, execute, drives, powershell-import, powershell, execute-assembly, Multiple thread injection methods (you can replace the source code yourself), inject, shinject, dllinject, pipe, Various CobaltStrike native reflection dll injection (mimikatz, portscan, screenshot, keylogger, etc.), steal_token, rev2self, make_token, getprivs, proxy, delete self, timestomp, etc. Supports reflectiveDll, execute-assembly, powershell, powerpick, upload and execute, and other functions of cna custom plugins.
Linux, Mac platform:
sleep, shell, upload, download, exit, cd, pwd, file_browse, ps, kill, getuid, mkdir, rm, cp, mv, delete self, etc.
Process management and file management support graphical interaction.
geacon_pro adapts the settings on the flow of C2profile and some settings on the host. The supported encoding algorithms are base64, base64url, mask, netbios, netbiosu. Details can be found in the config.go. Here is an example C2profile. IMPORTANT!!! After modifying the C2profile, do not forget to sync the changes in the config.go:
There are some custom settings in the config.go:
- Proxy sets the function of sending packets by proxy. You can find details in Implementation Details.
- Remark can be used to remark the machine, which is convenient for distinguishing different application scenarios. That is, if Remark=”test”, the name of the online machine will be set as ComputerName [test].
- ExecuteKey can perform simple anti-sandbox. If the key value is “password”, the geacon_pro.exe password is required to execute after setting. The sandbox or blue team members cannot execute because they do not know the key.
- ExecuteTime can perform simple anti-sandbox. If the current time is later than the set time, the execution will fail. the set time is UTC time zone。
- DeleteSelf sets whether to delete itself.
- HideConsole sets whether to hide the console.
- CommandReadTime sets the interval for asynchronous real-time echo when executing long-duration commands.