Cobalt Strike script for ScareCrow payloads

Related tags

NetworkingScareCrow-CobaltStrike
Overview

🎃 🌽 ScareCrow Cobalt Strike intergration CNA

A Cobalt Strike script for ScareCrow payload generation. Works only with the binary and DLL Loader.

💣 ScareCrow Available Options

-I string
    Path to the raw 64-bit shellcode.
-Loader string
    Sets the type of process that will sideload the malicious payload:
    [*] binary - Generates a binary based payload. (This type does not benefit from any sideloading).
    [*] dll - Generates just a DLL file. Can be executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions.
-etw
    Enables ETW patching to prevent ETW events from being generated by the process. ETW utilizes built-in Syscalls to generate this telemetry. Since ETW is a native feature built into Windows, security products do not need to "hook" the ETW syscalls to gain the information. As a result, to prevent ETW, ScareCrow patches numerous ETW syscalls, flushing out the registers and returning the execution flow to the next instruction. 
-sandbox
    Enables sandbox evasion using IsDomainedJoined calls.

📥 Clone the Project

git clone https://github.com/GeorgePatsias/ScareCrow-CobaltStrike.git

🏭 Install ScareCrow

Setup ScareCrow https://github.com/optiv/ScareCrow just by running the install.sh script.

chmod +x install.sh
./install.sh

🔧 Setup CNA Script Configurations

Edit the ScareCrow.cna and replace the variables below accordingly. NOTE! Do not add the final / at the end of the paths!

#Path to the ScareCrow-CobaltStrike repository you just cloned.
$script_path = "/home/user/ScareCrow-CobaltStrike";

#Path to the compiled ScareCrow Go executable of the installation.
$scarecrow_executable = "/home/user/ScareCrow-CobaltStrike/ScareCrow/ScareCrow";

#Path to the CobaltStrike directory.
$cs_directory = "/home/user/cobaltstrike";

#Path to the python3 binary.
$python3 = "/usr/bin/python3";

💀 Add the CNA script to Cobalt Strike

Cobalt Strike > Script Manager > Load > Select ScareCrow.cna

You will see the new menu item called ScareCrow on the top menu of Cobalt Strike.

References

https://github.com/optiv/ScareCrow

🔨 More options and work still in progress...

Comments
  • not sure where to go from .bins

    not sure where to go from .bins

    so every payload is a .bin for me except the dll that doesnt work for me.
    dont know what i'm doing wrong. installed on kali, changed paths, loaded cna, dont know what else to do

    screenshots.docx

    invalid 
    opened by tgelliott196 8
  • Enhancement

    Enhancement

    hey, nice code over there ! i just wanted to add one more silly feature: if u can generate the bin file using this code, then u can try generating the shellcode ;p try this tinny code: using python 2

    import sys

if len(sys.argv) < 2:
	print "usage: %s file.bin\n" % (sys.argv[0],)
	sys.exit(0)

shellcode = "\""
ctr = 1


for b in open(sys.argv[1], "rb").read():
	shellcode += "\\x" + b.encode("hex")
shellcode += "\""
print shellcode

    and if it worked u can add it to the repo . have a good one !

    and thanks for the code again, be sure ill use it

    invalid 
    opened by ORCA666 5
  • Can't find compiled ScareCrow Go executable

    Can't find compiled ScareCrow Go executable

    Describe the bug I clone and install ScareCrow followed by your introduction, but when I finished all, I can't find compiled ScareCrow Go executable in the right path.

    To Reproduce Steps to reproduce the behavior:

    1. cd CSAgent
    2. git clone https://github.com/GeorgePatsias/ScareCrow-CobaltStrike.git
    3. cd ScareCrow-CobaltStrike
    4. chmod +x install.sh
    5. .../install.sh ...installing...
    6. cd ScareCrow
    7. ls
    8. See error

    Expected behavior I should find ScareCrow Go executable in my path, but it did't appear

    Screenshots Screen Shot 2022-06-05 at 19 29 52

    Desktop (please complete the following information):

    • OS: Ubuntu 18.04.6 LTS in VMware operating on macOS Monterey Version12.4
    • CSAgent4.4( maybe this information is useless)
    invalid 
    opened by Doublefire-Chen 3
  • Wrong path

    Wrong path

    I found the bug.... and why I was thinking that the dll/bin was not generated when in fact it was.... the message says the generated dll/bin is stored in the same directory where the generated shellcode is saved but is actually stored in the CS folder.

    But everything working fine beside the wrong path is notified... Thanks :)

    invalid 
    opened by TH3xACE 0
  • Thoughts on Adding Mangle

    Thoughts on Adding Mangle

    Is your feature request related to a problem? Please describe. A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] Can compiled product be run thru https://github.com/optiv/Mangle at end of work flow?

    Describe the solution you'd like A clear and concise description of what you want to happen. Can compiled product be run thru https://github.com/optiv/Mangle at end of work flow?

    Describe alternatives you've considered A clear and concise description of any alternative solutions or features you've considered. bash file?

    Additional context Add any other context or screenshots about the feature request here.

    opened by ceramic-skate0 1
Releases(4.1)
Owner
UserX
Breaking stuff until they work (̿▀̿ ̿Ĺ̯̿̿▀̿ ̿)̄
UserX
GitHub Repository
InfraGenie is allows you to split out your infrastructure project into separate independent pieces, each with its own terraform state.

🧞 InfraGenie InfraGenie is allows you to split out your infrastructure project into separate independent pieces, each with its own terraform state. T

Digger 53 Nov 23, 2022
Distribute a portion of your yield to other addresses 💙

YSHARE Distribute a portion of your yield to other addresses. How does it work Desposit your yToken or tokens into this contract Set the benificiaries

11 Nov 24, 2021
Simple Port Scanner With Socket Module In Python 3x

PortScanner Simple Port Scanner With Socket Module In Python 3x How To Install Requirements Of This Port Scanner sudo apt install python3;sudo apt ins

1 Nov 23, 2021
A pure-Python KSUID implementation

Svix - Webhooks as a service Svix-KSUID This library is inspired by Segment's KSUID implementation: https://github.com/segmentio/ksuid What is a ksuid

Svix 83 Dec 16, 2022
A simple Encrypted IM chat software Server & client based on Python3.

SecretBox A simple Encrypted IM chat software Server & client based on Python3. Version 1.0 命令行版 安装步骤 Server 运行pip3 install -r requirements 安装依赖。 运行py

h3h3da 5 Oct 31, 2022
syncio: asyncio, without await

syncio: asyncio, without await asyncio can look very intimidating to newcomers, because of the async/await syntax. Even experienced programmers can ge

David Brochart 10 Nov 21, 2022
Send files to your friends over network! (100mb max)

PyServed v2.0.1 Made by Shaurya Pratap Singh Installation Using pip(for stable releases.) - $ pip install pyserved Using Git (for latest updates) -

Sblip.dev 4 Mar 22, 2022
Simulate Attacks With Mininet And Hping3

Miniattack Simulate Attacks With Mininet And Hping3 It measures network load with bwm-ng when the net is under attack and plots the result. This demo

Geraked 3 Oct 03, 2022
Simple threaded Python Rickroll server. Listens on port 23 by default.

Terminal Rickroll Simple threaded Python Rickroll server. Listens on port 23 by default. Rickroll video made using Video-To-Ascii and the standard ric

AG 10 Sep 13, 2022
Roadster - Distance to Closest Road Feature Server

Roadster: Distance to Closest Road Feature Server Milliarium Aerum, the zero of

Textualization Software Ltd. 4 May 23, 2022
A simple Tor switcher script switches tor nodes in interval of time

Tor_Switcher A simple Tor switcher script switches tor nodes in interval of time This script will switch tor nodes in every interval of time that you

d4rk sh4d0w 2 Nov 15, 2021
StarCraft II Client - protocol definitions used to communicate with StarCraft II.

Overview The StarCraft II API is an interface that provides full external control of StarCraft II. This API exposes functionality for developing softw

Blizzard Entertainment 3.6k Dec 30, 2022
Query protocol and response

whois Query protocol and response _MᵃˢᵗᵉʳBᵘʳⁿᵗ_ _ ( ) _ ( )( ) _ | | ( ) | || |__ _ (_) ___ | | | | | || _ `\ /'_`\ | |/',__) |

MasterBurnt 4 Sep 05, 2021
A Scapy implementation of SMS-SUBMIT and (U)SIM Application Toolkit command packets.

A Scapy implementation of SMS-SUBMIT and (U)SIM Application Toolkit command packets.

mnemonic 83 Dec 11, 2022
The best way to send tokens into a specific server, which can be used for discord bots, and some tools..

XTRA420 The simplified version of sending tokens into a server, the basic and fastest way.. When using this, you have the option to use proxies (http)

07v 1 Nov 30, 2021
Dos attack a Bluetooth connection!

Bluetooth Denial of service Script made for attacking Bluetooth Devices By Samrat Katwal. Warning This project was created only for fun purposes and p

Samrat 1 Oct 29, 2021
Azure-function-proxy - Basic proxy as an azure function serverless app

azure function proxy (for phishing) here are config files for using *[.]azureweb

17 Nov 09, 2022
Openconnect VPN RPi Gateway

Openconnect-VPN-RPi-Gateway See the blog (Chinese) for how to build an Openconne

Zhongze Tang 2 Jan 30, 2022
Converts from PC formatted MAC addresses (hardware addresses) to Cisco format or vice-versa

MAC-Converter Converts from PC formatted MAC addresses (hardware addresses) to Cisco format or vice-versa Stores the results to a file in the same dir

Stew Alexander 0 Dec 24, 2022
Ping IP addresses and domains in parallel to find the accessible and inaccessible ones.

🚀 IPpy Parallel testing of IP addresses and domains in python. Reads IP addresses and domains from a CSV file and gives two lists of accessible and i

Shivam Mathur 54 May 21, 2022