Cobalt Strike script for ScareCrow payloads

Related tags

NetworkingScareCrow-CobaltStrike
Overview

πŸŽƒ 🌽 ScareCrow Cobalt Strike intergration CNA

A Cobalt Strike script for ScareCrow payload generation. Works only with the binary and DLL Loader.

πŸ’£ ScareCrow Available Options

-I string
    Path to the raw 64-bit shellcode.
-Loader string
    Sets the type of process that will sideload the malicious payload:
    [*] binary - Generates a binary based payload. (This type does not benefit from any sideloading).
    [*] dll - Generates just a DLL file. Can be executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions.
-etw
    Enables ETW patching to prevent ETW events from being generated by the process. ETW utilizes built-in Syscalls to generate this telemetry. Since ETW is a native feature built into Windows, security products do not need to "hook" the ETW syscalls to gain the information. As a result, to prevent ETW, ScareCrow patches numerous ETW syscalls, flushing out the registers and returning the execution flow to the next instruction. 
-sandbox
    Enables sandbox evasion using IsDomainedJoined calls.

πŸ“₯ Clone the Project

git clone https://github.com/GeorgePatsias/ScareCrow-CobaltStrike.git

🏭 Install ScareCrow

Setup ScareCrow https://github.com/optiv/ScareCrow just by running the install.sh script.

chmod +x install.sh
./install.sh

πŸ”§ Setup CNA Script Configurations

Edit the ScareCrow.cna and replace the variables below accordingly. NOTE! Do not add the final / at the end of the paths!

#Path to the ScareCrow-CobaltStrike repository you just cloned.
$script_path = "/home/user/ScareCrow-CobaltStrike";

#Path to the compiled ScareCrow Go executable of the installation.
$scarecrow_executable = "/home/user/ScareCrow-CobaltStrike/ScareCrow/ScareCrow";

#Path to the CobaltStrike directory.
$cs_directory = "/home/user/cobaltstrike";

#Path to the python3 binary.
$python3 = "/usr/bin/python3";

πŸ’€ Add the CNA script to Cobalt Strike

Cobalt Strike > Script Manager > Load > Select ScareCrow.cna

You will see the new menu item called ScareCrow on the top menu of Cobalt Strike.

References

https://github.com/optiv/ScareCrow

πŸ”¨ More options and work still in progress...

Comments
  • not sure where to go from .bins

    not sure where to go from .bins

    so every payload is a .bin for me except the dll that doesnt work for me.
    dont know what i'm doing wrong. installed on kali, changed paths, loaded cna, dont know what else to do

    screenshots.docx

    invalid 
    opened by tgelliott196 8
  • Enhancement

    Enhancement

    hey, nice code over there ! i just wanted to add one more silly feature: if u can generate the bin file using this code, then u can try generating the shellcode ;p try this tinny code: using python 2

    import sys

if len(sys.argv) < 2:
	print "usage: %s file.bin\n" % (sys.argv[0],)
	sys.exit(0)

shellcode = "\""
ctr = 1


for b in open(sys.argv[1], "rb").read():
	shellcode += "\\x" + b.encode("hex")
shellcode += "\""
print shellcode

    and if it worked u can add it to the repo . have a good one !

    and thanks for the code again, be sure ill use it

    invalid 
    opened by ORCA666 5
  • Can't find compiled ScareCrow Go executable

    Can't find compiled ScareCrow Go executable

    Describe the bug I clone and install ScareCrow followed by your introduction, but when I finished all, I can't find compiled ScareCrow Go executable in the right path.

    To Reproduce Steps to reproduce the behavior:

    1. cd CSAgent
    2. git clone https://github.com/GeorgePatsias/ScareCrow-CobaltStrike.git
    3. cd ScareCrow-CobaltStrike
    4. chmod +x install.sh
    5. .../install.sh ...installing...
    6. cd ScareCrow
    7. ls
    8. See error

    Expected behavior I should find ScareCrow Go executable in my path, but it did't appear

    Screenshots Screen Shot 2022-06-05 at 19 29 52

    Desktop (please complete the following information):

    • OS: Ubuntu 18.04.6 LTS in VMware operating on macOS Monterey Version12.4
    • CSAgent4.4( maybe this information is useless)
    invalid 
    opened by Doublefire-Chen 3
  • Wrong path

    Wrong path

    I found the bug.... and why I was thinking that the dll/bin was not generated when in fact it was.... the message says the generated dll/bin is stored in the same directory where the generated shellcode is saved but is actually stored in the CS folder.

    But everything working fine beside the wrong path is notified... Thanks :)

    invalid 
    opened by TH3xACE 0
  • Thoughts on Adding Mangle

    Thoughts on Adding Mangle

    Is your feature request related to a problem? Please describe. A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] Can compiled product be run thru https://github.com/optiv/Mangle at end of work flow?

    Describe the solution you'd like A clear and concise description of what you want to happen. Can compiled product be run thru https://github.com/optiv/Mangle at end of work flow?

    Describe alternatives you've considered A clear and concise description of any alternative solutions or features you've considered. bash file?

    Additional context Add any other context or screenshots about the feature request here.

    opened by ceramic-skate0 1
Releases(4.1)
Owner
UserX
Breaking stuff until they work (̿▀̿ ̿Ĺ̯̿̿▀̿ ΜΏ)Μ„
UserX
GitHub Repository
A pretty quick and simple interface to paramiko SFTP

A pretty quick and simple interface to paramiko SFTP. Provides multi-threaded routines with progress notifications for reliable, asynchronous transfers. This is a Python3 optimized fork of pysftp wit

14 Dec 21, 2022
Mass Reverse IP Dibuat Dengan Python 3 Dan Ada Fitur Filter.

Reverse IP Tools Description. Reverse IP is a method to map an IP address to a sub domain. This tool is made in the python 3 programming language. Fea

Wan Naz ID 6 Oct 24, 2022
CORS Bypass Proxy Cloud Function

CORS Bypass Proxy Cloud Function

Elayamani K 1 Oct 23, 2021
Official ProtonVPN Linux app

ProtonVPN Linux App Copyright (c) 2021 Proton Technologies AG This repository holds the ProtonVPN Linux App. For licensing information see COPYING. Fo

ProtonVPN 288 Jan 01, 2023
A Simple Web Server made by Python3.

A Simple Web Server made by Python3.

GGN_2015 2 Nov 27, 2021
ProxyBroker is an open source tool that asynchronously finds public proxies from multiple sources and concurrently checks them

ProxyBroker is an open source tool that asynchronously finds public proxies from multiple sources and concurrently checks them. Features F

Denis 3.2k Jan 04, 2023
A library for interacting with APNs and VoIP using HTTP/2.

kalyke A library for interacting with APNs and VoIP using HTTP/2. Installation kalyke requires python 3.6 or later. $ pip install kalyke-apns Usage AP

Yuya Oka 11 Dec 08, 2022
A Scapy implementation of SMS-SUBMIT and (U)SIM Application Toolkit command packets.

A Scapy implementation of SMS-SUBMIT and (U)SIM Application Toolkit command packets.

mnemonic 83 Dec 11, 2022
A library of functions that can be used to manage the download of claims from the LBRY network.

lbrytools A library of functions that can be used to manage the download of claims from the LBRY network. It includes methods to download claims by UR

13 Dec 03, 2022
jarbou3 is rat tool coded in python with C&C which can accept multiple connections from clients

jarbou3 Jarbou3 is rat tool with coded in python with C&C which can accept multi

youhacker55 108 Dec 29, 2022
This tool will scans your wi-fi/wlan and show you the connected clients

This tool will scans your wi-fi/wlan and show you the connected clients

VENKAT SAI SAGAR 3 Mar 24, 2022
Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs.

Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs.

Cybersecurity and Infrastructure Security Agency 1.3k Jan 08, 2023
Exfiltrate files using the HTTP protocol version ("HTTP/1.0" is a 0 and "HTTP/1.1" is a 1)

http-protocol-exfil Use the HTTP protocol version to send a file bit by bit ("HTTP/1.0" is a 0 and "HTTP/1.1" is a 1). It uses GET requests so the Blu

Ricardo Ruiz 23 Apr 30, 2022
Heroku Cloudflare App Domain

Heroku Cloudflare App Domain Creating branded herokuapp.com-like domains using Cloudflare, based on the app name (eg my-app-prod.example.com). Feature

Torchbox 2 Oct 04, 2022
IoT owl is light face detection and recognition system made for small IoT devices like raspberry pi.

IoT Owl IoT owl is light face detection and recognition system made for small IoT devices like raspberry pi. Versions Heavy with mask detection withou

Ret2Me 6 Jun 06, 2022
Roadster - Distance to Closest Road Feature Server

Roadster: Distance to Closest Road Feature Server Milliarium Aerum, the zero of

Textualization Software Ltd. 4 May 23, 2022
Mini SCADA. Poll modbus devices by TCP/IP network.

Plans Add saving and loading devices and channels with files or db or someone else. Multitasking system for poll all devices Automatic optimization po

Efi_fi 1 Oct 25, 2021
MS Iot Device Can Platform

Kavo MS IoT Platform Version: 2.0 Author: Luke Garceau Requirements Read CAN messages in real-time Convert the given variables to engineering useful v

Luke Garceau 1 Oct 13, 2021
A python shell / chat bot for XMPP and cloud services

XMPP_Shell_Bot A python shell / chat bot for XMPP and cloud services, designed for penetration testers to bypass network filters. To better understand

Abdulkareem Aldeek 1 Jan 09, 2022
Ip-Tracker: a script written in python for tracking Someone using targets ip-Tracker address

πŸ”° 𝕀𝕑-π•‹π•£π•’π•”π•œπ•–π•£ πŸ”° Ip-Tracker is a script written in python for tracking Someone using targets ip-Tracker address It was made by Spider Anongre

Spider Anongreyhat 15 Dec 02, 2022