Cobalt Strike script for ScareCrow payloads

Last update: Dec 11, 2022

Related tags

Overview

🎃 🌽 ScareCrow Cobalt Strike intergration CNA

A Cobalt Strike script for ScareCrow payload generation. Works only with the binary and DLL Loader.

💣 ScareCrow Available Options

-I string
    Path to the raw 64-bit shellcode.
-Loader string
    Sets the type of process that will sideload the malicious payload:
    [*] binary - Generates a binary based payload. (This type does not benefit from any sideloading).
    [*] dll - Generates just a DLL file. Can be executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions.
-etw
    Enables ETW patching to prevent ETW events from being generated by the process. ETW utilizes built-in Syscalls to generate this telemetry. Since ETW is a native feature built into Windows, security products do not need to "hook" the ETW syscalls to gain the information. As a result, to prevent ETW, ScareCrow patches numerous ETW syscalls, flushing out the registers and returning the execution flow to the next instruction. 
-sandbox
    Enables sandbox evasion using IsDomainedJoined calls.

📥 Clone the Project

git clone https://github.com/GeorgePatsias/ScareCrow-CobaltStrike.git

🏭 Install ScareCrow

Setup ScareCrow https://github.com/optiv/ScareCrow just by running the install.sh script.

chmod +x install.sh
./install.sh

🔧 Setup CNA Script Configurations

Edit the ScareCrow.cna and replace the variables below accordingly. NOTE! Do not add the final / at the end of the paths!

#Path to the ScareCrow-CobaltStrike repository you just cloned.
$script_path = "/home/user/ScareCrow-CobaltStrike";

#Path to the compiled ScareCrow Go executable of the installation.
$scarecrow_executable = "/home/user/ScareCrow-CobaltStrike/ScareCrow/ScareCrow";

#Path to the CobaltStrike directory.
$cs_directory = "/home/user/cobaltstrike";

#Path to the python3 binary.
$python3 = "/usr/bin/python3";

💀 Add the CNA script to Cobalt Strike

Cobalt Strike > Script Manager > Load > Select ScareCrow.cna

You will see the new menu item called ScareCrow on the top menu of Cobalt Strike.

References

https://github.com/optiv/ScareCrow

🔨 More options and work still in progress...

Comments

not sure where to go from .bins

so every payload is a .bin for me except the dll that doesnt work for me.
dont know what i'm doing wrong. installed on kali, changed paths, loaded cna, dont know what else to do

screenshots.docx
invalid

opened by tgelliott196 8
Enhancement
hey, nice code over there ! i just wanted to add one more silly feature: if u can generate the bin file using this code, then u can try generating the shellcode ;p try this tinny code: using python 2

import sys if len(sys.argv) < 2: print "usage: %s file.bin\n" % (sys.argv[0],) sys.exit(0) shellcode = "\"" ctr = 1 for b in open(sys.argv[1], "rb").read(): shellcode += "\\x" + b.encode("hex") shellcode += "\"" print shellcode

and if it worked u can add it to the repo . have a good one !

and thanks for the code again, be sure ill use it
invalid
opened by ORCA666 5
Can't find compiled ScareCrow Go executable
Describe the bug I clone and install ScareCrow followed by your introduction, but when I finished all, I can't find compiled ScareCrow Go executable in the right path.

To Reproduce Steps to reproduce the behavior:

cd CSAgent

git clone https://github.com/GeorgePatsias/ScareCrow-CobaltStrike.git

cd ScareCrow-CobaltStrike

chmod +x install.sh

.../install.sh ...installing...

cd ScareCrow

ls

See error

Expected behavior I should find ScareCrow Go executable in my path, but it did't appear

Screenshots

Desktop (please complete the following information):

OS: Ubuntu 18.04.6 LTS in VMware operating on macOS Monterey Version12.4

CSAgent4.4( maybe this information is useless)

invalid
opened by Doublefire-Chen 3
Wrong path

I found the bug.... and why I was thinking that the dll/bin was not generated when in fact it was.... the message says the generated dll/bin is stored in the same directory where the generated shellcode is saved but is actually stored in the CS folder.

But everything working fine beside the wrong path is notified... Thanks :)
invalid

opened by TH3xACE 0
Thoughts on Adding Mangle

Is your feature request related to a problem? Please describe. A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] Can compiled product be run thru https://github.com/optiv/Mangle at end of work flow?

Describe the solution you'd like A clear and concise description of what you want to happen. Can compiled product be run thru https://github.com/optiv/Mangle at end of work flow?

Describe alternatives you've considered A clear and concise description of any alternative solutions or features you've considered. bash file?

Additional context Add any other context or screenshots about the feature request here.

opened by ceramic-skate0 1

Releases(4.1)

4.1(Apr 23, 2022)

Optimizations mainly.
Source code(tar.gz)
Source code(zip)
v1.2(Mar 27, 2022)

Update with ScareCrow v4.0
Source code(tar.gz)
Source code(zip)
v1.1(Jan 22, 2022)

Normalization with ScareCrow.
Source code(tar.gz)
Source code(zip)
v1.0(Sep 24, 2021)

All options are included and tested with all the latest software, Cobalt Strike and ScareCrow.
Source code(tar.gz)
Source code(zip)

Owner

UserX

Breaking stuff until they work (̿▀̿ ̿Ĺ̯̿̿▀̿ ̿)̄

GitHub Repository

simple subdomain finder

Subdomain-finder Simple SubDomain finder using python which is easy to use just download and run it Wordlist you can use your own wordlist but here i

5 Sep 24, 2021

PetrickScanner is a simple Python OOP TCP Port Scanner

PetrickScanner PetrickScanner is a simple Python OOP TCP Port Scanner Functions Python TCP Port Scanner DNS Resolver Random Scanner PLEASE ANY PROBLEM

11 Nov 30, 2021

snappi-trex is a snappi plugin that allows executing scripts written using snappi with Cisco's TRex Traffic Generator

snappi-trex snappi-trex is a snappi plugin that allows executing scripts written using snappi with Cisco's TRex Traffic Generator Design snappi-trex c

14 Sep 07, 2022

Easy to use gRPC-web client in python

pyease-grpc Easy to use gRPC-web client in python Tutorial This package provides a requests like interface to make calls to gRPC-Web servers.

4 Dec 03, 2022

Docker container for demoing Wi-Fi calling stack.

VoWiFiLocalDemo - Docker container that runs StrongSwan and Kamailio to demonstrate how Wi-Fi calling works on smartphones.

18 Nov 12, 2022

An ansible playbook to set up wireguard server.

Poor man's VPN (pay for only what you need) An ansible playbook to quickly set up Wireguard server for occasional personal use. It takes around five m

613 Dec 25, 2022

mitm6 is a pentesting tool that exploits the default configuration of Windows to take over the default DNS server.

1.3k Jan 05, 2023

NSX-T infrastructure as code - SDDC deployment

Deploy NSX-T Infrastructure - Simple Topology by Nicolas MICHEL @vpackets / LinkedIn Introduction The purpose of this entire repository is to automate

21 Nov 28, 2022

syncio: asyncio, without await

syncio: asyncio, without await asyncio can look very intimidating to newcomers, because of the async/await syntax. Even experienced programmers can ge

10 Nov 21, 2022

A Python server and client app that tracks player session times and server status

MC Outpost A Python server and client application that tracks player session times and server status About MC Outpost provides a session graph and ser

0 Jul 23, 2021

Query protocol and response

whois Query protocol and response _MᵃˢᵗᵉʳBᵘʳⁿᵗ_ _ ( ) _ ( )( ) _ | | ( ) | || |__ _ (_) ___ | | | | | || _ `\ /'_`\ | |/',__) |

4 Sep 05, 2021

Visualize the electric field of a point charge network.

ElectriPy ⚡ Visualize the electric field of a point charges network. 🔌 Installation Install ElectriPy package: $ pip install electripy You are all d

29 Aug 29, 2022

Converts Cisco formatted MAC Addresses to PC formatted MAC Addresses

Cisco-MAC-to-PC-MAC Converts a file with a list of Cisco formatted MAC Addresses to PC formatted MAC Addresses... Ex: abcd.efgh.ijkl to AB:CD:EF:GH:I

0 Jan 04, 2022

Simple DNS resolver for asyncio

Simple DNS resolver for asyncio aiodns provides a simple way for doing asynchronous DNS resolutions using pycares. Example import asyncio import aiodn

471 Dec 27, 2022

Wifi-jammer - Continuously perform deauthentication attacks on all detectable stations

wifi-jammer Continuously perform deauthentication attacks on all detectable stat

14 Nov 03, 2022

Roadster - Distance to Closest Road Feature Server

Roadster: Distance to Closest Road Feature Server Milliarium Aerum, the zero of

4 May 23, 2022

This is a Client-Server-System which can send audio from a microphone from the server to client and in the other direction.

Audio-Streaming-Python This is a Client-Server-System which can send audio from a microphone from the server to client and in the other direction. You

0 Jan 05, 2023

PoC code for stealing the WiFi password of a network with a Lovebox IOT device connected

LoveBoxer PoC code for stealing the WiFi password of a network with a Lovebox IOT device connected. This PoC was is what I used in this blogpost Usage

10 May 24, 2022

Slowloris is basically an HTTP Denial of Service attack that affects threaded servers.

slowrise-ddos-tool What is Slowloris? Slowloris is basically an HTTP Denial of S

4 Jun 19, 2022

Qtas（Quite a Storage）is an experimental distributed storage system developed by Q-team in BJFU Advanced Computer Network sources.

Qtas（Quite a Storage）is a experimental distributed storage system developed by Q-team in BJFU Advanced Computer Network sources.

3 Jan 12, 2022