Cobalt Strike script for ScareCrow payloads

Last update: Dec 11, 2022

Related tags

Overview

🎃 🌽 ScareCrow Cobalt Strike intergration CNA

A Cobalt Strike script for ScareCrow payload generation. Works only with the binary and DLL Loader.

💣 ScareCrow Available Options

-I string
    Path to the raw 64-bit shellcode.
-Loader string
    Sets the type of process that will sideload the malicious payload:
    [*] binary - Generates a binary based payload. (This type does not benefit from any sideloading).
    [*] dll - Generates just a DLL file. Can be executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions.
-etw
    Enables ETW patching to prevent ETW events from being generated by the process. ETW utilizes built-in Syscalls to generate this telemetry. Since ETW is a native feature built into Windows, security products do not need to "hook" the ETW syscalls to gain the information. As a result, to prevent ETW, ScareCrow patches numerous ETW syscalls, flushing out the registers and returning the execution flow to the next instruction. 
-sandbox
    Enables sandbox evasion using IsDomainedJoined calls.

📥 Clone the Project

git clone https://github.com/GeorgePatsias/ScareCrow-CobaltStrike.git

🏭 Install ScareCrow

Setup ScareCrow https://github.com/optiv/ScareCrow just by running the install.sh script.

chmod +x install.sh
./install.sh

🔧 Setup CNA Script Configurations

Edit the ScareCrow.cna and replace the variables below accordingly. NOTE! Do not add the final / at the end of the paths!

#Path to the ScareCrow-CobaltStrike repository you just cloned.
$script_path = "/home/user/ScareCrow-CobaltStrike";

#Path to the compiled ScareCrow Go executable of the installation.
$scarecrow_executable = "/home/user/ScareCrow-CobaltStrike/ScareCrow/ScareCrow";

#Path to the CobaltStrike directory.
$cs_directory = "/home/user/cobaltstrike";

#Path to the python3 binary.
$python3 = "/usr/bin/python3";

💀 Add the CNA script to Cobalt Strike

Cobalt Strike > Script Manager > Load > Select ScareCrow.cna

You will see the new menu item called ScareCrow on the top menu of Cobalt Strike.

References

https://github.com/optiv/ScareCrow

🔨 More options and work still in progress...

Comments

not sure where to go from .bins

so every payload is a .bin for me except the dll that doesnt work for me.
dont know what i'm doing wrong. installed on kali, changed paths, loaded cna, dont know what else to do

screenshots.docx
invalid

opened by tgelliott196 8
Enhancement
hey, nice code over there ! i just wanted to add one more silly feature: if u can generate the bin file using this code, then u can try generating the shellcode ;p try this tinny code: using python 2

import sys if len(sys.argv) < 2: print "usage: %s file.bin\n" % (sys.argv[0],) sys.exit(0) shellcode = "\"" ctr = 1 for b in open(sys.argv[1], "rb").read(): shellcode += "\\x" + b.encode("hex") shellcode += "\"" print shellcode

and if it worked u can add it to the repo . have a good one !

and thanks for the code again, be sure ill use it
invalid
opened by ORCA666 5
Can't find compiled ScareCrow Go executable
Describe the bug I clone and install ScareCrow followed by your introduction, but when I finished all, I can't find compiled ScareCrow Go executable in the right path.

To Reproduce Steps to reproduce the behavior:

cd CSAgent

git clone https://github.com/GeorgePatsias/ScareCrow-CobaltStrike.git

cd ScareCrow-CobaltStrike

chmod +x install.sh

.../install.sh ...installing...

cd ScareCrow

ls

See error

Expected behavior I should find ScareCrow Go executable in my path, but it did't appear

Screenshots

Desktop (please complete the following information):

OS: Ubuntu 18.04.6 LTS in VMware operating on macOS Monterey Version12.4

CSAgent4.4( maybe this information is useless)

invalid
opened by Doublefire-Chen 3
Wrong path

I found the bug.... and why I was thinking that the dll/bin was not generated when in fact it was.... the message says the generated dll/bin is stored in the same directory where the generated shellcode is saved but is actually stored in the CS folder.

But everything working fine beside the wrong path is notified... Thanks :)
invalid

opened by TH3xACE 0
Thoughts on Adding Mangle

Is your feature request related to a problem? Please describe. A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] Can compiled product be run thru https://github.com/optiv/Mangle at end of work flow?

Describe the solution you'd like A clear and concise description of what you want to happen. Can compiled product be run thru https://github.com/optiv/Mangle at end of work flow?

Describe alternatives you've considered A clear and concise description of any alternative solutions or features you've considered. bash file?

Additional context Add any other context or screenshots about the feature request here.

opened by ceramic-skate0 1

Releases(4.1)

4.1(Apr 23, 2022)

Optimizations mainly.
Source code(tar.gz)
Source code(zip)
v1.2(Mar 27, 2022)

Update with ScareCrow v4.0
Source code(tar.gz)
Source code(zip)
v1.1(Jan 22, 2022)

Normalization with ScareCrow.
Source code(tar.gz)
Source code(zip)
v1.0(Sep 24, 2021)

All options are included and tested with all the latest software, Cobalt Strike and ScareCrow.
Source code(tar.gz)
Source code(zip)

Owner

UserX

Breaking stuff until they work (̿▀̿ ̿Ĺ̯̿̿▀̿ ̿)̄

GitHub Repository

Start a simple TCP Listener on a specified IP Address and Port Number and receive incoming connections.

About Start a simple TCP Listener on a specified IP Address and Port Number and receive incoming connections. Download Clone using git in terminal(git

5 Feb 24, 2022

9SPY: a Windows RAT built in Python using sockets

9SPY 👁‍🗨 9SPY is a Windows RAT built in Python using sockets Features Features will be listed here soon, there are currenly 14 Information This is a

12 Dec 01, 2022

This is an open project to maintain a list of domain names that serve YouTube ads

The YouTube ads blocklist project This is an open project to maintain a list of domain names that serve YouTube ads. The original project only produce

574 Dec 30, 2022

A simple Tor switcher script switches tor nodes in interval of time

Tor_Switcher A simple Tor switcher script switches tor nodes in interval of time This script will switch tor nodes in every interval of time that you

2 Nov 15, 2021

Build surface water network for MODFLOW's SFR Package

Surface water network Creates surface water network, which can be used to create MODFLOW's SFR. Python packages Python 3.6+ is required. Required geop

20 Nov 22, 2022

Python Scripts for Cisco Identity Services Engine (ISE)

A set of Python scripts to configure a freshly installed Cisco Identity Services Engine (ISE) for simple operation; in my case, a basic Cisco Software-Defined Access environment.

9 Jul 19, 2022

A socket script to obtain chinese phones-sequence for any english word

Foreign Pronunciation Generator (English-Chinese) We provide a simple socket script for acquiring Chinese pronunciation of English words (phones in ai

5 Jul 25, 2022

A tiny end-to-end latency testing tool implemented by UDP protocol in Python 📈 .

udp-latency A tiny end-to-end latency testing tool implemented by UDP protocol in Python 📈 . Features Compare with other existing latency testing too

5 Dec 02, 2022

ExtDNS synchronizes labeled records in docker-compose with DNS providers.

ExtDNS for docker-compose ExtDNS synchronizes labeled records in docker-compose with DNS providers. Inspired by External DNS, ExtDNS makes resources d

6 Dec 24, 2022

stellar-add-guest is a small tool to generate a new guest for Stellar Wireless (Enterprise mode) in OmniVista 2500 hosted on OmniSwitch with AOS Release 8

stellar-add-guest is a small tool to generate a new guest for Stellar Wireless (Enterprise mode) in OmniVista 2500 hosted on OmniSwitch with AOS Release 8.

3 Jan 24, 2022

Cobalt Strike script for ScareCrow payloads

Related tags

Overview

🎃 🌽 ScareCrow Cobalt Strike intergration CNA

💣 ScareCrow Available Options

📥 Clone the Project

🏭 Install ScareCrow

🔧 Setup CNA Script Configurations

💀 Add the CNA script to Cobalt Strike

References

🔨 More options and work still in progress...

Comments

not sure where to go from .bins

Enhancement

Can't find compiled ScareCrow Go executable

Wrong path

Thoughts on Adding Mangle

Releases(4.1)

4.1(Apr 23, 2022)

v1.2(Mar 27, 2022)

v1.1(Jan 22, 2022)

v1.0(Sep 24, 2021)

Owner

UserX

Start a simple TCP Listener on a specified IP Address and Port Number and receive incoming connections.

9SPY: a Windows RAT built in Python using sockets

This is an open project to maintain a list of domain names that serve YouTube ads

A simple Tor switcher script switches tor nodes in interval of time

Build surface water network for MODFLOW's SFR Package

Python Scripts for Cisco Identity Services Engine (ISE)

A socket script to obtain chinese phones-sequence for any english word

A tiny end-to-end latency testing tool implemented by UDP protocol in Python 📈 .

ExtDNS synchronizes labeled records in docker-compose with DNS providers.

stellar-add-guest is a small tool to generate a new guest for Stellar Wireless (Enterprise mode) in OmniVista 2500 hosted on OmniSwitch with AOS Release 8

This is a simple python script to collect sub-domains from hackertarget API

An automatic reaction network generator for reactive molecular dynamics simulation.

IoT owl is light face detection and recognition system made for small IoT devices like raspberry pi.

This is a simple python code to get the list of banned IP addresses from Fail2ban

🥑 A Python ARP and DNS Spoofer CLI and INTERFACE 🥓

Una simple herramienta para rastrear IP programada en Python

A simple and lightweight server that allows clients to connect and launch a shell remotely through a browser.

Caching for HTTPX

订阅转换，添加免流host

Simple client for the Sirah Matisse Commander TCP server.