Go4aRun
Usage:
- Change the desired passphrase used in encryption in hideit.go and Go4it.go
- Change the behavior options in Go4it.go
- Change block dll behavior: between "not allowing non-MS" and "only store" through nonms and onlystore variables
- Change parentName variable to change spoofed parent
- Change programPath variable to change process launched by parent which shellcode will inject into
- Change creationFlags to change launch behavior of programPath variable
- Select a Process Injection Method by comment/uncommenting the sections CreateRemoteThread or QueueUserAPC
- Run hideit (either build or go run) and select the raw shellcode file
- The script should save the encrypted shellcode in the shelly.go file in pkg/shelly (if not move manually to pkg/shelly)
- Build Go4it.go (e.g: GOOS=windows GOARCH=amd64 go build -ldflags="-H=windowsgui -s -w" Go4it.go)
- Compress: upx --brute Go4it.exe
- Run through DefenderCheck (https://github.com/matterpreter/DefenderCheck)
Related Blog Posts:
- https://posts.specterops.io/going-4-a-run-eb263838b944
- https://posts.specterops.io/going-4-a-hunt-66c9f0d7f32c
References/ Resources:
- www.thepolyglotdeveloper.com/2018/02/encrypt-decrypt-data-golang-application-crypto-packages/
- https://medium.com/syscall59/a-trinity-of-shellcode-aes-go-f6cec854f992
- https://ired.team/offensive-security/defense-evasion/preventing-3rd-party-dlls-from-injecting-into-your-processes
- https://gist.github.com/rvrsh3ll/1e66f0f2c7103ff8709e5fd63ca346ac
- https://github.com/BishopFox/sliver
- https://github.com/bluesentinelsec/OffensiveGoLang
- https://github.com/djhohnstein/CSharpCreateThreadExample
- https://github.com/Ne0nd0g/merlin