Cobalt Strike script for ScareCrow payloads

Related tags

NetworkingScareCrow-CobaltStrike
Overview

🎃 🌽 ScareCrow Cobalt Strike intergration CNA

A Cobalt Strike script for ScareCrow payload generation. Works only with the binary and DLL Loader.

💣 ScareCrow Available Options

-I string
    Path to the raw 64-bit shellcode.
-Loader string
    Sets the type of process that will sideload the malicious payload:
    [*] binary - Generates a binary based payload. (This type does not benefit from any sideloading).
    [*] dll - Generates just a DLL file. Can be executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions.
-etw
    Enables ETW patching to prevent ETW events from being generated by the process. ETW utilizes built-in Syscalls to generate this telemetry. Since ETW is a native feature built into Windows, security products do not need to "hook" the ETW syscalls to gain the information. As a result, to prevent ETW, ScareCrow patches numerous ETW syscalls, flushing out the registers and returning the execution flow to the next instruction. 
-sandbox
    Enables sandbox evasion using IsDomainedJoined calls.

📥 Clone the Project

git clone https://github.com/GeorgePatsias/ScareCrow-CobaltStrike.git

🏭 Install ScareCrow

Setup ScareCrow https://github.com/optiv/ScareCrow just by running the install.sh script.

chmod +x install.sh
./install.sh

🔧 Setup CNA Script Configurations

Edit the ScareCrow.cna and replace the variables below accordingly. NOTE! Do not add the final / at the end of the paths!

#Path to the ScareCrow-CobaltStrike repository you just cloned.
$script_path = "/home/user/ScareCrow-CobaltStrike";

#Path to the compiled ScareCrow Go executable of the installation.
$scarecrow_executable = "/home/user/ScareCrow-CobaltStrike/ScareCrow/ScareCrow";

#Path to the CobaltStrike directory.
$cs_directory = "/home/user/cobaltstrike";

#Path to the python3 binary.
$python3 = "/usr/bin/python3";

💀 Add the CNA script to Cobalt Strike

Cobalt Strike > Script Manager > Load > Select ScareCrow.cna

You will see the new menu item called ScareCrow on the top menu of Cobalt Strike.

References

https://github.com/optiv/ScareCrow

🔨 More options and work still in progress...

Comments
  • not sure where to go from .bins

    not sure where to go from .bins

    so every payload is a .bin for me except the dll that doesnt work for me.
    dont know what i'm doing wrong. installed on kali, changed paths, loaded cna, dont know what else to do

    screenshots.docx

    invalid 
    opened by tgelliott196 8
  • Enhancement

    Enhancement

    hey, nice code over there ! i just wanted to add one more silly feature: if u can generate the bin file using this code, then u can try generating the shellcode ;p try this tinny code: using python 2

    import sys

if len(sys.argv) < 2:
	print "usage: %s file.bin\n" % (sys.argv[0],)
	sys.exit(0)

shellcode = "\""
ctr = 1


for b in open(sys.argv[1], "rb").read():
	shellcode += "\\x" + b.encode("hex")
shellcode += "\""
print shellcode

    and if it worked u can add it to the repo . have a good one !

    and thanks for the code again, be sure ill use it

    invalid 
    opened by ORCA666 5
  • Can't find compiled ScareCrow Go executable

    Can't find compiled ScareCrow Go executable

    Describe the bug I clone and install ScareCrow followed by your introduction, but when I finished all, I can't find compiled ScareCrow Go executable in the right path.

    To Reproduce Steps to reproduce the behavior:

    1. cd CSAgent
    2. git clone https://github.com/GeorgePatsias/ScareCrow-CobaltStrike.git
    3. cd ScareCrow-CobaltStrike
    4. chmod +x install.sh
    5. .../install.sh ...installing...
    6. cd ScareCrow
    7. ls
    8. See error

    Expected behavior I should find ScareCrow Go executable in my path, but it did't appear

    Screenshots Screen Shot 2022-06-05 at 19 29 52

    Desktop (please complete the following information):

    • OS: Ubuntu 18.04.6 LTS in VMware operating on macOS Monterey Version12.4
    • CSAgent4.4( maybe this information is useless)
    invalid 
    opened by Doublefire-Chen 3
  • Wrong path

    Wrong path

    I found the bug.... and why I was thinking that the dll/bin was not generated when in fact it was.... the message says the generated dll/bin is stored in the same directory where the generated shellcode is saved but is actually stored in the CS folder.

    But everything working fine beside the wrong path is notified... Thanks :)

    invalid 
    opened by TH3xACE 0
  • Thoughts on Adding Mangle

    Thoughts on Adding Mangle

    Is your feature request related to a problem? Please describe. A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] Can compiled product be run thru https://github.com/optiv/Mangle at end of work flow?

    Describe the solution you'd like A clear and concise description of what you want to happen. Can compiled product be run thru https://github.com/optiv/Mangle at end of work flow?

    Describe alternatives you've considered A clear and concise description of any alternative solutions or features you've considered. bash file?

    Additional context Add any other context or screenshots about the feature request here.

    opened by ceramic-skate0 1
Releases(4.1)
Owner
UserX
Breaking stuff until they work (̿▀̿ ̿Ĺ̯̿̿▀̿ ̿)̄
UserX
GitHub Repository
VRF-StarkNet - Contracts for verifiable randomness on StarkNet

VRF-StarkNet Contracts for verifiable randomness on StarkNet Motivation Deployed

Non 32 Oct 30, 2022
Home Assistant integration for MyEnergi devices

myenergi for Home Assistant myenergi custom component for Home Assistant This is a very early release, will add more documentations soon! This compone

Johan Isacsson 70 Dec 18, 2022
Send files to your friends over network! (100mb max)

PyServed v2.0.1 Made by Shaurya Pratap Singh Installation Using pip(for stable releases.) - $ pip install pyserved Using Git (for latest updates) -

Sblip.dev 4 Mar 22, 2022
This script will make it easier to connect to any wireguard vpn config

wireguard-linux-python-script-vpn This script will make it easier to connect to any wireguard vpn config also u will need your wireguard vpn from your

Jimo 1 Sep 21, 2022
StarCraft II Client - protocol definitions used to communicate with StarCraft II.

Overview The StarCraft II API is an interface that provides full external control of StarCraft II. This API exposes functionality for developing softw

Blizzard Entertainment 3.6k Dec 30, 2022
Visualize the electric field of a point charge network.

ElectriPy ⚡ Visualize the electric field of a point charges network. 🔌 Installation Install ElectriPy package: $ pip install electripy You are all d

Dylan Tintenfich 29 Aug 29, 2022
TsuserverMoS - A Python-based server for Attorney Online,

tsuserverMoS A Python-based server for Attorney Online, forked from RealKaiser/tsuserverCC Requires Python 3.7+ and PyYAML. Changes/additions from tsu

1 Dec 30, 2021
This tools just for education only - Layer-7 or HTTP FLOODER

Layer-7-Flooder This tools just for education only - Layer-7 or HTTP FLOODER Require Col1 Before You Run this tools How To Use Download This Source Ex

NumeX 7 Oct 30, 2022
Tool for pretty printing and optimizing Lightning Network channels.

Suez Tool for pretty printing and optimizing Lightning Network channels. Installation Install poetry poetry install poetry run ./suez Channel fee poli

Pavol Rusnak 69 Nov 03, 2022
Utility for converting IP Fabric webhooks into a Teams format.

IP Fabric Webhook Integration for Microsoft Teams Setup IP Fabric Setup Go to Settings Webhooks Add webhook Provide a name URL will be: 'http://Y

Community Fabric 1 Jan 26, 2022
euserv auto-renew script - A Python script which can help you renew your free EUserv IPv6 VPS.

eu_ex eu_ex means EUserv_extend. A Python script which can help you renew your free EUserv IPv6 VPS. This Script can check the VPS amount in your acco

A beam of light 92 Jan 25, 2022
This is a small python code that I use with my NAS server connected to Plex

Spotifarr This is a small python code that I use with my NAS server connected to Plex I didn't appreciate how Lidarr works because it downloads a full

Automator 35 Oct 04, 2022
Tiny Interactive File Transfer Application

TIFTA: Tiny Interactive File Transfer Application This repository holds all the source code, tests and documentation of the TIFTA software. The main g

Jorge Martínez 2 Dec 08, 2021
Data Exfiltration without ever making a connection. Using TCP header space.

TCPwned PoC toy code to exfiltrate data without ever making a TCP connection. This will never show up in firewall logs, much less, actually be monitor

2 Nov 21, 2022
A TCP Chatroom built with python and TCP/IP sockets, consisting of a server and multiple clients which can connect with the server and chat with each other.

A TCP Chatroom built with python and TCP/IP sockets, consisting of a server and multiple clients which can connect with the server and chat with each other. It also provides an Admin role with featur

3 May 22, 2022
This Tool Help To Information gathering for domain name or ip address...

Owl-Eye This Tool Help To Information gathering for domain name or ip address... follow this command $apt update && upgrade $apt install python apt in

Black Owl 6 Nov 12, 2022
A great python/java dynamic DNS service for NameSilo, with log, email reminder...

English NameSilo DDNS is a DDNS service for NameSilo domain names for home broadband , it can automatically detect IP changes in home broadband

云牧青 77 Dec 28, 2022
Huawei firewall automatically updates Chinese ip to target IP group.

Huawei firewall automatically updates Chinese ip to target IP group.

Lundaa 0 Jan 11, 2022
Python module to interface with Tuya WiFi smart devices

TinyTuya Python module to interface with Tuya WiFi smart devices Description This python module controls and monitors Tuya compatible WiFi Smart Devic

Jason Cox 365 Dec 26, 2022
mitm6 is a pentesting tool that exploits the default configuration of Windows to take over the default DNS server.

mitm6 is a pentesting tool that exploits the default configuration of Windows to take over the default DNS server.

Fox-IT 1.3k Jan 05, 2023