Cobalt Strike script for ScareCrow payloads

Related tags

NetworkingScareCrow-CobaltStrike
Overview

🎃 🌽 ScareCrow Cobalt Strike intergration CNA

A Cobalt Strike script for ScareCrow payload generation. Works only with the binary and DLL Loader.

💣 ScareCrow Available Options

-I string
    Path to the raw 64-bit shellcode.
-Loader string
    Sets the type of process that will sideload the malicious payload:
    [*] binary - Generates a binary based payload. (This type does not benefit from any sideloading).
    [*] dll - Generates just a DLL file. Can be executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions.
-etw
    Enables ETW patching to prevent ETW events from being generated by the process. ETW utilizes built-in Syscalls to generate this telemetry. Since ETW is a native feature built into Windows, security products do not need to "hook" the ETW syscalls to gain the information. As a result, to prevent ETW, ScareCrow patches numerous ETW syscalls, flushing out the registers and returning the execution flow to the next instruction. 
-sandbox
    Enables sandbox evasion using IsDomainedJoined calls.

📥 Clone the Project

git clone https://github.com/GeorgePatsias/ScareCrow-CobaltStrike.git

🏭 Install ScareCrow

Setup ScareCrow https://github.com/optiv/ScareCrow just by running the install.sh script.

chmod +x install.sh
./install.sh

🔧 Setup CNA Script Configurations

Edit the ScareCrow.cna and replace the variables below accordingly. NOTE! Do not add the final / at the end of the paths!

#Path to the ScareCrow-CobaltStrike repository you just cloned.
$script_path = "/home/user/ScareCrow-CobaltStrike";

#Path to the compiled ScareCrow Go executable of the installation.
$scarecrow_executable = "/home/user/ScareCrow-CobaltStrike/ScareCrow/ScareCrow";

#Path to the CobaltStrike directory.
$cs_directory = "/home/user/cobaltstrike";

#Path to the python3 binary.
$python3 = "/usr/bin/python3";

💀 Add the CNA script to Cobalt Strike

Cobalt Strike > Script Manager > Load > Select ScareCrow.cna

You will see the new menu item called ScareCrow on the top menu of Cobalt Strike.

References

https://github.com/optiv/ScareCrow

🔨 More options and work still in progress...

Comments
  • not sure where to go from .bins

    not sure where to go from .bins

    so every payload is a .bin for me except the dll that doesnt work for me.
    dont know what i'm doing wrong. installed on kali, changed paths, loaded cna, dont know what else to do

    screenshots.docx

    invalid 
    opened by tgelliott196 8
  • Enhancement

    Enhancement

    hey, nice code over there ! i just wanted to add one more silly feature: if u can generate the bin file using this code, then u can try generating the shellcode ;p try this tinny code: using python 2

    import sys

if len(sys.argv) < 2:
	print "usage: %s file.bin\n" % (sys.argv[0],)
	sys.exit(0)

shellcode = "\""
ctr = 1


for b in open(sys.argv[1], "rb").read():
	shellcode += "\\x" + b.encode("hex")
shellcode += "\""
print shellcode

    and if it worked u can add it to the repo . have a good one !

    and thanks for the code again, be sure ill use it

    invalid 
    opened by ORCA666 5
  • Can't find compiled ScareCrow Go executable

    Can't find compiled ScareCrow Go executable

    Describe the bug I clone and install ScareCrow followed by your introduction, but when I finished all, I can't find compiled ScareCrow Go executable in the right path.

    To Reproduce Steps to reproduce the behavior:

    1. cd CSAgent
    2. git clone https://github.com/GeorgePatsias/ScareCrow-CobaltStrike.git
    3. cd ScareCrow-CobaltStrike
    4. chmod +x install.sh
    5. .../install.sh ...installing...
    6. cd ScareCrow
    7. ls
    8. See error

    Expected behavior I should find ScareCrow Go executable in my path, but it did't appear

    Screenshots Screen Shot 2022-06-05 at 19 29 52

    Desktop (please complete the following information):

    • OS: Ubuntu 18.04.6 LTS in VMware operating on macOS Monterey Version12.4
    • CSAgent4.4( maybe this information is useless)
    invalid 
    opened by Doublefire-Chen 3
  • Wrong path

    Wrong path

    I found the bug.... and why I was thinking that the dll/bin was not generated when in fact it was.... the message says the generated dll/bin is stored in the same directory where the generated shellcode is saved but is actually stored in the CS folder.

    But everything working fine beside the wrong path is notified... Thanks :)

    invalid 
    opened by TH3xACE 0
  • Thoughts on Adding Mangle

    Thoughts on Adding Mangle

    Is your feature request related to a problem? Please describe. A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] Can compiled product be run thru https://github.com/optiv/Mangle at end of work flow?

    Describe the solution you'd like A clear and concise description of what you want to happen. Can compiled product be run thru https://github.com/optiv/Mangle at end of work flow?

    Describe alternatives you've considered A clear and concise description of any alternative solutions or features you've considered. bash file?

    Additional context Add any other context or screenshots about the feature request here.

    opened by ceramic-skate0 1
Releases(4.1)
Owner
UserX
Breaking stuff until they work (̿▀̿ ̿Ĺ̯̿̿▀̿ ̿)̄
UserX
GitHub Repository
A simple multi-threaded time server and client in python.

time-server-client A simple multi-threaded time server and client in Python. This uses the latest match/case command found in Python 3.10 so requires

Zeeshan Mulk 1 Jan 29, 2022
Qtas(Quite a Storage)is an experimental distributed storage system developed by Q-team in BJFU Advanced Computer Network sources.

Qtas(Quite a Storage)is a experimental distributed storage system developed by Q-team in BJFU Advanced Computer Network sources.

Jiaming Zhang 3 Jan 12, 2022
Qobuz-rpc - A simple discord rich presence client for qobuz written in Python

qobuz-rpc A simple discord rich presence client for qobuz written in Python It's

Raphael O. 13 Dec 15, 2022
E4GL3OS1NT - Simple Information Gathering Tool

E4GL30S1NT Features userrecon - username reconnaissance facedumper - dump facebook information mailfinder - find email with specific name godorker - d

C0MPL3XDEV 195 Dec 21, 2022
User-friendly packet captures

capture-packets: User-friendly packet captures Please read before using All network traffic occurring on your machine is captured (unless you specify

Seth Michael Larson 2 Feb 05, 2022
A Cheap Flight Alert program sends you a SMS to notify cheap flights in next 8 months.

Flight Dealer A Cheap Flight Alert program sends you a SMS to notify cheap flights (return trips) in next 6 months. Installing Download the Python 3 i

Aytaç Kaşoğlu 2 Feb 10, 2022
NSX-T infrastructure as code - SDDC deployment

Deploy NSX-T Infrastructure - Simple Topology by Nicolas MICHEL @vpackets / LinkedIn Introduction The purpose of this entire repository is to automate

21 Nov 28, 2022
Tiny JSON RPC via HTTP library.

jrpc Simplest ever possible Asynchronous JSON RPC via HTTP library for Python, backed by httpx. Installation pip install async-jrpc Usage Import JRPC

Onigiri Team 2 Jan 31, 2022
A light-weight open-source project CLI utility for showing services running on ports in a host

Portable Port Scanner (ppscanner) Portable Port Scanner (ppscanner) is a light-weight open-source CLI utility that leverages on nmap to make quick and

1 Oct 30, 2021
This script will make it easier to connect to any wireguard vpn config

wireguard-linux-python-script-vpn This script will make it easier to connect to any wireguard vpn config also u will need your wireguard vpn from your

Jimo 1 Sep 21, 2022
Passive TCP/IP Fingerprinting Tool. Run this on your server and find out what Operating Systems your clients are *really* using.

Passive TCP/IP Fingerprinting This is a passive TCP/IP fingerprinting tool. Run this on your server and find out what operating systems your clients a

Nikolai Tschacher 158 Dec 20, 2022
Arp Spoofer using Python 3.

ARP Spoofer / Wifi Killer By Auax Run: Run the application with the following command: python3 spoof.py -t target_ip_address -lh host_ip_address I

Auax 6 Sep 15, 2022
An opensource library to use SNMP get/bulk/set/walk in Python

SNMP-UTILS An opensource library to use SNMP get/bulk/set/walk in Python Features Work with OIDS json list [Find Here](#OIDS List) GET command SET com

Alexandre Gossard 3 Aug 03, 2022
Utility for converting IP Fabric webhooks into a Teams format.

IP Fabric Webhook Integration for Microsoft Teams and/or Slack Setup IP Fabric Setup Go to Settings Webhooks Add webhook Provide a name URL will b

Community Fabric 1 Jan 26, 2022
A simple software which can use to make a server in local network

home-nas it is simple software which can use to make a server in local network, it has a web site on it which can use by multipale system, i use nginx

R ansh joseph 1 Nov 10, 2021
🐛 SSH self spreading worm written in python3 to propagate a botnet.

Mirkat SSH self spreading worm written in python3 to propagate a botnet. Install tutorial. cd ./script && sh setup.sh Support me. ⚠️ If this reposito

Ѵιcнч 58 Nov 01, 2022
Raspberry Pi Based Serial Console Server, with PushBullet Notification of IP changes, Automatic VPN termination, custom menu, Power Outlet Control, and a lot more

ConsolePi Acts as a serial Console Server, allowing you to remotely connect to ConsolePi via Telnet/SSH/bluetooth to gain Console Access to devices co

120 Jan 05, 2023
This script aims to make the dynamic public ip of your local server, public.

EZ DDNS CLOUDFLARE This script aims to make the dynamic ip of your local server, public. It does this by regularly updating cloudflare's dns record. B

3 Feb 13, 2022
CloudProxy is to hide your scrapers IP behind the cloud

Hide your scrapers IP behind the cloud. Provision proxy servers across different cloud providers to improve your scraping success.

Christian Laffin 1.1k Jan 02, 2023
Get Your Localhost Online - Ngrok Alternative

Get Your Localhost Online - Ngrok Alternative

Azimjon Pulatov 442 Jan 04, 2023