Cobalt Strike script for ScareCrow payloads

Last update: Dec 11, 2022

Related tags

Overview

🎃 🌽 ScareCrow Cobalt Strike intergration CNA

A Cobalt Strike script for ScareCrow payload generation. Works only with the binary and DLL Loader.

💣 ScareCrow Available Options

-I string
    Path to the raw 64-bit shellcode.
-Loader string
    Sets the type of process that will sideload the malicious payload:
    [*] binary - Generates a binary based payload. (This type does not benefit from any sideloading).
    [*] dll - Generates just a DLL file. Can be executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions.
-etw
    Enables ETW patching to prevent ETW events from being generated by the process. ETW utilizes built-in Syscalls to generate this telemetry. Since ETW is a native feature built into Windows, security products do not need to "hook" the ETW syscalls to gain the information. As a result, to prevent ETW, ScareCrow patches numerous ETW syscalls, flushing out the registers and returning the execution flow to the next instruction. 
-sandbox
    Enables sandbox evasion using IsDomainedJoined calls.

📥 Clone the Project

git clone https://github.com/GeorgePatsias/ScareCrow-CobaltStrike.git

🏭 Install ScareCrow

Setup ScareCrow https://github.com/optiv/ScareCrow just by running the install.sh script.

chmod +x install.sh
./install.sh

🔧 Setup CNA Script Configurations

Edit the ScareCrow.cna and replace the variables below accordingly. NOTE! Do not add the final / at the end of the paths!

#Path to the ScareCrow-CobaltStrike repository you just cloned.
$script_path = "/home/user/ScareCrow-CobaltStrike";

#Path to the compiled ScareCrow Go executable of the installation.
$scarecrow_executable = "/home/user/ScareCrow-CobaltStrike/ScareCrow/ScareCrow";

#Path to the CobaltStrike directory.
$cs_directory = "/home/user/cobaltstrike";

#Path to the python3 binary.
$python3 = "/usr/bin/python3";

💀 Add the CNA script to Cobalt Strike

Cobalt Strike > Script Manager > Load > Select ScareCrow.cna

You will see the new menu item called ScareCrow on the top menu of Cobalt Strike.

References

https://github.com/optiv/ScareCrow

🔨 More options and work still in progress...

Comments

not sure where to go from .bins

so every payload is a .bin for me except the dll that doesnt work for me.
dont know what i'm doing wrong. installed on kali, changed paths, loaded cna, dont know what else to do

screenshots.docx
invalid

opened by tgelliott196 8
Enhancement
hey, nice code over there ! i just wanted to add one more silly feature: if u can generate the bin file using this code, then u can try generating the shellcode ;p try this tinny code: using python 2

import sys if len(sys.argv) < 2: print "usage: %s file.bin\n" % (sys.argv[0],) sys.exit(0) shellcode = "\"" ctr = 1 for b in open(sys.argv[1], "rb").read(): shellcode += "\\x" + b.encode("hex") shellcode += "\"" print shellcode

and if it worked u can add it to the repo . have a good one !

and thanks for the code again, be sure ill use it
invalid
opened by ORCA666 5
Can't find compiled ScareCrow Go executable
Describe the bug I clone and install ScareCrow followed by your introduction, but when I finished all, I can't find compiled ScareCrow Go executable in the right path.

To Reproduce Steps to reproduce the behavior:

cd CSAgent

git clone https://github.com/GeorgePatsias/ScareCrow-CobaltStrike.git

cd ScareCrow-CobaltStrike

chmod +x install.sh

.../install.sh ...installing...

cd ScareCrow

ls

See error

Expected behavior I should find ScareCrow Go executable in my path, but it did't appear

Screenshots

Desktop (please complete the following information):

OS: Ubuntu 18.04.6 LTS in VMware operating on macOS Monterey Version12.4

CSAgent4.4( maybe this information is useless)

invalid
opened by Doublefire-Chen 3
Wrong path

I found the bug.... and why I was thinking that the dll/bin was not generated when in fact it was.... the message says the generated dll/bin is stored in the same directory where the generated shellcode is saved but is actually stored in the CS folder.

But everything working fine beside the wrong path is notified... Thanks :)
invalid

opened by TH3xACE 0
Thoughts on Adding Mangle

Is your feature request related to a problem? Please describe. A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] Can compiled product be run thru https://github.com/optiv/Mangle at end of work flow?

Describe the solution you'd like A clear and concise description of what you want to happen. Can compiled product be run thru https://github.com/optiv/Mangle at end of work flow?

Describe alternatives you've considered A clear and concise description of any alternative solutions or features you've considered. bash file?

Additional context Add any other context or screenshots about the feature request here.

opened by ceramic-skate0 1

Releases(4.1)

4.1(Apr 23, 2022)

Optimizations mainly.
Source code(tar.gz)
Source code(zip)
v1.2(Mar 27, 2022)

Update with ScareCrow v4.0
Source code(tar.gz)
Source code(zip)
v1.1(Jan 22, 2022)

Normalization with ScareCrow.
Source code(tar.gz)
Source code(zip)
v1.0(Sep 24, 2021)

All options are included and tested with all the latest software, Cobalt Strike and ScareCrow.
Source code(tar.gz)
Source code(zip)

Owner

UserX

Breaking stuff until they work (̿▀̿ ̿Ĺ̯̿̿▀̿ ̿)̄

GitHub Repository

The AKS cluster provisioner provisions AKS clusters :-)

Overview The AKS cluster provisioner provisions AKS clusters :-) It uses the Azure CLI to configure VNet and subnets before creating the cluster itsel

1 Nov 10, 2021

Dshell is a network forensic analysis framework.

Dshell An extensible network forensic analysis framework. Enables rapid development of plugins to support the dissection of network packet captures. K

5.4k Jan 06, 2023

A simple electrical network analyzer, BASED ON computer-aided design.

Electrical Network Analyzer A simple electrical network analyzer. Given the oriented graph of the electrical network (circut), BASED ON computer-aided

4 Oct 15, 2022

openPortScanner is a port scanner made with Python!

Port Scanner made with python • Installation • Usage • Commands Installation Run this to install: $ git clone https://github.com/Miguel-Galdin0/openPo

7 Jan 09, 2022

a decompilation of NAP36 the widevine removal software for amz and nf used by p2p groups until it stoped working due to it using expired cdm keys

NAP36 a decompilation of NAP36 the widevine removal software for amz and nf used by p2p groups until it stoped working due to it useing expired cdm ke

9 Aug 29, 2021

Secure connection between tenhou Window client and server.

tenhou-secure The tenhou Windows client looks awesome. However, the traffic between the client and tenhou server is NOT encrypted, including your uniq

1 Nov 11, 2021

🥑 A Python ARP and DNS Spoofer CLI and INTERFACE 🥓

NEXTGEN SPOOFER 🥑 A Python ARP and DNS Spoofer CLI and INTERFACE 🥓 CLI - advanced pentesters INTERFACE - beginners SetUp Make sure you installed P

9 Dec 25, 2022

This is simple script that changes the config register of a cisco router over serial so that you can reset the password

Cisco-router-config-bypass-tool- This is simple script that changes the config register of a cisco router over serial so that you can bypass the confi

1 Jan 02, 2022

pyWhisker is a Python equivalent of the original Whisker made by Elad Shamir and written in C#.

PyWhisker pyWhisker is a Python equivalent of the original Whisker made by Elad Shamir and written in C#. This tool allows users to manipulate the msD

325 Jan 08, 2023

Transfer files to and from a Windows host via ICMP in restricted network environments.

ICMP-TransferTools ICMP-TransferTools is a set of scripts designed to move files to and from Windows hosts in restricted network environments. This is

269 Dec 20, 2022

批量检查目标是否为cdn

🐸 Frog For Automatic Scan 🐶 Doge For Defense Evasion&Offensive Security Frog-checkCDN 批量检查目标是否为cdn Usage: python3 checkCDN.py list.txt list内可以为ip或者d

119 Dec 27, 2022

Throttle rTorrent on Plex stream Start/Stop

Dependencies Python 3.6+ Tautulli Script Setup Edit rtorrent_throttle.py and set rTorrent username, password and RPC2 url. Tautulli Setup Commum Scrip

4 Apr 25, 2022

Readable, simple and fast asynchronous non-blocking network apps

Fast and readable async non-blocking network apps Netius is a Python network library that can be used for the rapid creation of asynchronous non-block

120 Nov 20, 2022

A project that forwards data it receives in a URL POST Request to a Discord Webhook link

Mailman Mailman is a project that basically just forwards data it receives in a URL POST Request to a Discord Webhook link and act as a sort of messag

2 Mar 14, 2022

No-dependency, single file NNTP server library for developing modern, rfc3977-compliant (bridge) NNTP servers.

nntpserver.py No-dependency, single file NNTP server library for developing modern, rfc3977-compliant (bridge) NNTP servers for python =3.7. Develope

44 Nov 14, 2022

A Python server and client app that tracks player session times and server status

MC Outpost A Python server and client application that tracks player session times and server status About MC Outpost provides a session graph and ser

0 Jul 23, 2021

Multipurpose Growtopia Server tools, can be used for newbie to learn things.

3 Dec 01, 2021

This is an open project to maintain a list of domain names that serve YouTube ads

The YouTube ads blocklist project This is an open project to maintain a list of domain names that serve YouTube ads. The original project only produce

574 Dec 30, 2022

A python socket.io client for Roboteur

Roboteur Client Example TODO Basic setup Install the requirements: $ pip install -r requirements.txt Run the application: $ python -m roboteur_client

1 Oct 13, 2021

Network Dynaimcs Simulation

A Final Year Project in CUHK, Autumn 2021 Network Dynaimcs Simulation Files param.h edit all the variables & settings here simulate.c the main program

0 Mar 28, 2022