Cobalt Strike script for ScareCrow payloads

Overview

🎃 🌽 ScareCrow Cobalt Strike intergration CNA

A Cobalt Strike script for ScareCrow payload generation. Works only with the binary and DLL Loader.

💣 ScareCrow Available Options

-I string
    Path to the raw 64-bit shellcode.
-Loader string
    Sets the type of process that will sideload the malicious payload:
    [*] binary - Generates a binary based payload. (This type does not benefit from any sideloading).
    [*] dll - Generates just a DLL file. Can be executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions.
-etw
    Enables ETW patching to prevent ETW events from being generated by the process. ETW utilizes built-in Syscalls to generate this telemetry. Since ETW is a native feature built into Windows, security products do not need to "hook" the ETW syscalls to gain the information. As a result, to prevent ETW, ScareCrow patches numerous ETW syscalls, flushing out the registers and returning the execution flow to the next instruction. 
-sandbox
    Enables sandbox evasion using IsDomainedJoined calls.

📥 Clone the Project

git clone https://github.com/GeorgePatsias/ScareCrow-CobaltStrike.git

🏭 Install ScareCrow

Setup ScareCrow https://github.com/optiv/ScareCrow just by running the install.sh script.

chmod +x install.sh
./install.sh

🔧 Setup CNA Script Configurations

Edit the ScareCrow.cna and replace the variables below accordingly. NOTE! Do not add the final / at the end of the paths!

#Path to the ScareCrow-CobaltStrike repository you just cloned.
$script_path = "/home/user/ScareCrow-CobaltStrike";

#Path to the compiled ScareCrow Go executable of the installation.
$scarecrow_executable = "/home/user/ScareCrow-CobaltStrike/ScareCrow/ScareCrow";

#Path to the CobaltStrike directory.
$cs_directory = "/home/user/cobaltstrike";

#Path to the python3 binary.
$python3 = "/usr/bin/python3";

💀 Add the CNA script to Cobalt Strike

Cobalt Strike > Script Manager > Load > Select ScareCrow.cna

You will see the new menu item called ScareCrow on the top menu of Cobalt Strike.

References

https://github.com/optiv/ScareCrow

🔨 More options and work still in progress...

Comments
  • not sure where to go from .bins

    not sure where to go from .bins

    so every payload is a .bin for me except the dll that doesnt work for me.
    dont know what i'm doing wrong. installed on kali, changed paths, loaded cna, dont know what else to do

    screenshots.docx

    invalid 
    opened by tgelliott196 8
  • Enhancement

    Enhancement

    hey, nice code over there ! i just wanted to add one more silly feature: if u can generate the bin file using this code, then u can try generating the shellcode ;p try this tinny code: using python 2

    import sys
    
    if len(sys.argv) < 2:
    	print "usage: %s file.bin\n" % (sys.argv[0],)
    	sys.exit(0)
    
    shellcode = "\""
    ctr = 1
    
    
    for b in open(sys.argv[1], "rb").read():
    	shellcode += "\\x" + b.encode("hex")
    shellcode += "\""
    print shellcode
    
    

    and if it worked u can add it to the repo . have a good one !

    and thanks for the code again, be sure ill use it

    invalid 
    opened by ORCA666 5
  • Can't find compiled ScareCrow Go executable

    Can't find compiled ScareCrow Go executable

    Describe the bug I clone and install ScareCrow followed by your introduction, but when I finished all, I can't find compiled ScareCrow Go executable in the right path.

    To Reproduce Steps to reproduce the behavior:

    1. cd CSAgent
    2. git clone https://github.com/GeorgePatsias/ScareCrow-CobaltStrike.git
    3. cd ScareCrow-CobaltStrike
    4. chmod +x install.sh
    5. .../install.sh ...installing...
    6. cd ScareCrow
    7. ls
    8. See error

    Expected behavior I should find ScareCrow Go executable in my path, but it did't appear

    Screenshots Screen Shot 2022-06-05 at 19 29 52

    Desktop (please complete the following information):

    • OS: Ubuntu 18.04.6 LTS in VMware operating on macOS Monterey Version12.4
    • CSAgent4.4( maybe this information is useless)
    invalid 
    opened by Doublefire-Chen 3
  • Wrong path

    Wrong path

    I found the bug.... and why I was thinking that the dll/bin was not generated when in fact it was.... the message says the generated dll/bin is stored in the same directory where the generated shellcode is saved but is actually stored in the CS folder.

    But everything working fine beside the wrong path is notified... Thanks :)

    invalid 
    opened by TH3xACE 0
  • Thoughts on Adding Mangle

    Thoughts on Adding Mangle

    Is your feature request related to a problem? Please describe. A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] Can compiled product be run thru https://github.com/optiv/Mangle at end of work flow?

    Describe the solution you'd like A clear and concise description of what you want to happen. Can compiled product be run thru https://github.com/optiv/Mangle at end of work flow?

    Describe alternatives you've considered A clear and concise description of any alternative solutions or features you've considered. bash file?

    Additional context Add any other context or screenshots about the feature request here.

    opened by ceramic-skate0 1
Releases(4.1)
Owner
UserX
Breaking stuff until they work (̿▀̿ ̿Ĺ̯̿̿▀̿ ̿)̄
UserX
Process incoming JSON-RPC requests in Python

August 16, 2021: Version 5 has been released. Read about the changes in version 5, or read the full documentation. Version 5 is for Python 3.8+ only.

Exploding Labs 156 Dec 31, 2022
InfraGenie is allows you to split out your infrastructure project into separate independent pieces, each with its own terraform state.

🧞 InfraGenie InfraGenie is allows you to split out your infrastructure project into separate independent pieces, each with its own terraform state. T

Digger 53 Nov 23, 2022
Huawei firewall automatically updates Chinese ip to target IP group.

Huawei firewall automatically updates Chinese ip to target IP group.

Lundaa 0 Jan 11, 2022
This Python script can be used to bypass IP source restrictions using HTTP headers.

ipsourcebypass This Python script can be used to bypass IP source restrictions using HTTP headers. Features 17 HTTP headers. Multithreading. JSON expo

Podalirius 322 Dec 28, 2022
GNS3 Graphical Network Simulator

GNS3-gui GNS3 GUI repository.

GNS3 1.7k Dec 29, 2022
Ov3 - Easy common OpenVPN3 operations

ov3 Easy common OpenVPN3 operations Install ov3 requires Python3 and OpenVPN3 to

Yunus Bora Erciyas 6 Apr 25, 2022
Visualize the electric field of a point charge network.

ElectriPy ⚡ Visualize the electric field of a point charges network. 🔌 Installation Install ElectriPy package: $ pip install electripy You are all d

Dylan Tintenfich 29 Aug 29, 2022
Netwalk is a Python library to discover, parse, analyze and change Cisco switched networks

Netwalk is a Python library born out of a large remadiation project aimed at making network device discovery and management as fast and painless as possible.

38 Nov 07, 2022
Automated network configuration backups using Github actions and git-scraping

Network Config Scraper This repository demonstrates the use of Github Actions and git-scraping to build an automated backup solution for network confi

WWT 19 Dec 14, 2022
Tool that creates a complete copy of your server

Discord-Server-Cloner Tool that creates a complete copy of your server Setup: Open run.bat If the file closes, open cmd And write: pip install -r requ

DEEM 3 Dec 13, 2021
Uses machine learning to scan the similarity of two texts

PlagiarismChecker Uses machine learning to scan the similarity of two documents. End Points: http://localhost:3000/register (create a/c) http://localh

Elvis Chege 2 Aug 10, 2022
Find information about an IP address, such as its location, ISP, hostname, region, country, and city.

Find information about an IP address, such as its location, ISP, hostname, region, country, and city. An IP address can be traced, tracked, and located.

Sachit Yadav 2 Jul 09, 2022
A simple Encrypted IM chat software Server & client based on Python3.

SecretBox A simple Encrypted IM chat software Server & client based on Python3. Version 1.0 命令行版 安装步骤 Server 运行pip3 install -r requirements 安装依赖。 运行py

h3h3da 5 Oct 31, 2022
DNSStager is an open-source project based on Python used to hide and transfer your payload using DNS.

What is DNSStager? DNSStager is an open-source project based on Python used to hide and transfer your payload using DNS. DNSStager will create a malic

Askar 547 Dec 20, 2022
Apple Store Stock Notifier monitors the availability of selected Apple devices in selected Apple stores, and sends you a notification when devices are available!

Apple Store Stock Notifier This software will immediately send you a notification via Telegram when one of your coveted Apple Devices is available in

Floris-Jan Willemsen 25 Dec 05, 2022
Pesquise, filtre e obtenha informações sobre animes. ( Módulo PIP )

Pesquise, filtre e obtenha informações sobre animes. ( Módulo PIP )

AimCaffe 3 Jan 30, 2022
Best discord webhook spammer using proxy (support all proxy type)

Best discord webhook spammer using proxy (support all proxy type)

Iтѕ_Ѵιcнч#1337 25 Nov 01, 2022
boofuzz: Network Protocol Fuzzing for Humans

boofuzz: Network Protocol Fuzzing for Humans Boofuzz is a fork of and the successor to the venerable Sulley fuzzing framework. Besides numerous bug fi

Joshua Pereyda 1.7k Dec 31, 2022
a decompilation of NAP36 the widevine removal software for amz and nf used by p2p groups until it stoped working due to it using expired cdm keys

NAP36 a decompilation of NAP36 the widevine removal software for amz and nf used by p2p groups until it stoped working due to it useing expired cdm ke

9 Aug 29, 2021
Utility for converting IP Fabric webhooks into a Teams format.

IP Fabric Webhook Integration for Microsoft Teams Setup IP Fabric Setup Go to Settings Webhooks Add webhook Provide a name URL will be: 'http://Y

Community Fabric 1 Jan 26, 2022