Cobalt Strike script for ScareCrow payloads

Last update: Dec 11, 2022

Related tags

Overview

🎃 🌽 ScareCrow Cobalt Strike intergration CNA

A Cobalt Strike script for ScareCrow payload generation. Works only with the binary and DLL Loader.

💣 ScareCrow Available Options

-I string
    Path to the raw 64-bit shellcode.
-Loader string
    Sets the type of process that will sideload the malicious payload:
    [*] binary - Generates a binary based payload. (This type does not benefit from any sideloading).
    [*] dll - Generates just a DLL file. Can be executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions.
-etw
    Enables ETW patching to prevent ETW events from being generated by the process. ETW utilizes built-in Syscalls to generate this telemetry. Since ETW is a native feature built into Windows, security products do not need to "hook" the ETW syscalls to gain the information. As a result, to prevent ETW, ScareCrow patches numerous ETW syscalls, flushing out the registers and returning the execution flow to the next instruction. 
-sandbox
    Enables sandbox evasion using IsDomainedJoined calls.

📥 Clone the Project

git clone https://github.com/GeorgePatsias/ScareCrow-CobaltStrike.git

🏭 Install ScareCrow

Setup ScareCrow https://github.com/optiv/ScareCrow just by running the install.sh script.

chmod +x install.sh
./install.sh

🔧 Setup CNA Script Configurations

Edit the ScareCrow.cna and replace the variables below accordingly. NOTE! Do not add the final / at the end of the paths!

#Path to the ScareCrow-CobaltStrike repository you just cloned.
$script_path = "/home/user/ScareCrow-CobaltStrike";

#Path to the compiled ScareCrow Go executable of the installation.
$scarecrow_executable = "/home/user/ScareCrow-CobaltStrike/ScareCrow/ScareCrow";

#Path to the CobaltStrike directory.
$cs_directory = "/home/user/cobaltstrike";

#Path to the python3 binary.
$python3 = "/usr/bin/python3";

💀 Add the CNA script to Cobalt Strike

Cobalt Strike > Script Manager > Load > Select ScareCrow.cna

You will see the new menu item called ScareCrow on the top menu of Cobalt Strike.

References

https://github.com/optiv/ScareCrow

🔨 More options and work still in progress...

Comments

not sure where to go from .bins

so every payload is a .bin for me except the dll that doesnt work for me.
dont know what i'm doing wrong. installed on kali, changed paths, loaded cna, dont know what else to do

screenshots.docx
invalid

opened by tgelliott196 8
Enhancement
hey, nice code over there ! i just wanted to add one more silly feature: if u can generate the bin file using this code, then u can try generating the shellcode ;p try this tinny code: using python 2

import sys if len(sys.argv) < 2: print "usage: %s file.bin\n" % (sys.argv[0],) sys.exit(0) shellcode = "\"" ctr = 1 for b in open(sys.argv[1], "rb").read(): shellcode += "\\x" + b.encode("hex") shellcode += "\"" print shellcode

and if it worked u can add it to the repo . have a good one !

and thanks for the code again, be sure ill use it
invalid
opened by ORCA666 5
Can't find compiled ScareCrow Go executable
Describe the bug I clone and install ScareCrow followed by your introduction, but when I finished all, I can't find compiled ScareCrow Go executable in the right path.

To Reproduce Steps to reproduce the behavior:

cd CSAgent

git clone https://github.com/GeorgePatsias/ScareCrow-CobaltStrike.git

cd ScareCrow-CobaltStrike

chmod +x install.sh

.../install.sh ...installing...

cd ScareCrow

ls

See error

Expected behavior I should find ScareCrow Go executable in my path, but it did't appear

Screenshots

Desktop (please complete the following information):

OS: Ubuntu 18.04.6 LTS in VMware operating on macOS Monterey Version12.4

CSAgent4.4( maybe this information is useless)

invalid
opened by Doublefire-Chen 3
Wrong path

I found the bug.... and why I was thinking that the dll/bin was not generated when in fact it was.... the message says the generated dll/bin is stored in the same directory where the generated shellcode is saved but is actually stored in the CS folder.

But everything working fine beside the wrong path is notified... Thanks :)
invalid

opened by TH3xACE 0
Thoughts on Adding Mangle

Is your feature request related to a problem? Please describe. A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] Can compiled product be run thru https://github.com/optiv/Mangle at end of work flow?

Describe the solution you'd like A clear and concise description of what you want to happen. Can compiled product be run thru https://github.com/optiv/Mangle at end of work flow?

Describe alternatives you've considered A clear and concise description of any alternative solutions or features you've considered. bash file?

Additional context Add any other context or screenshots about the feature request here.

opened by ceramic-skate0 1

Releases(4.1)

4.1(Apr 23, 2022)

Optimizations mainly.
Source code(tar.gz)
Source code(zip)
v1.2(Mar 27, 2022)

Update with ScareCrow v4.0
Source code(tar.gz)
Source code(zip)
v1.1(Jan 22, 2022)

Normalization with ScareCrow.
Source code(tar.gz)
Source code(zip)
v1.0(Sep 24, 2021)

All options are included and tested with all the latest software, Cobalt Strike and ScareCrow.
Source code(tar.gz)
Source code(zip)

Owner

UserX

Breaking stuff until they work (̿▀̿ ̿Ĺ̯̿̿▀̿ ̿)̄

GitHub Repository

TsuserverMoS - A Python-based server for Attorney Online,

tsuserverMoS A Python-based server for Attorney Online, forked from RealKaiser/tsuserverCC Requires Python 3.7+ and PyYAML. Changes/additions from tsu

1 Dec 30, 2021

An open source bias lighting program which syncs up colored lights to the contents of your screen.

About Firelight Firelight is an open source bias lighting program which syncs up colored lights to the contents of your screen or TV, providing an imm

18 Dec 18, 2022

A simple and lightweight server that allows clients to connect and launch a shell remotely through a browser.

carrotsh A simple and lightweight server that allows clients to connect and launch a shell remotely through a browser. Uses xterm.js for the frontend

31 Dec 27, 2022

Ping Verification Python Script

Python Script Port Scanner Script WHAT IS IT? Port scanner script using Python. HOW IT WORKS Once the script has been executed, it will request the ta

0 Dec 12, 2021

A simple python script to send cute messages to my boyfriend.

Morning Messages A simple python script to send cute messages to my boyfriend. It gives him the weather and news currently. Installation git clone htt

3 Oct 12, 2022

A repository to spoof ARP table of any devices and successfully establish Man in the Middle(MITM) attack using Python3 in Linux

arp_spoofer A repository to spoof ARP table of any devices and successfully establish Man in the Middle(MITM) attack using Python3 in Linux Usage: git

1 Oct 30, 2021

The OUCH Project - OUCH Server/Client

This software simulates OUCH Server/Client communication through a script which initialises a central server and another script which simulates clients connecting to the server.

2 Dec 10, 2022

IoT owl is light face detection and recognition system made for small IoT devices like raspberry pi.

IoT Owl IoT owl is light face detection and recognition system made for small IoT devices like raspberry pi. Versions Heavy with mask detection withou

6 Jun 06, 2022

🔥 Minimal performant package to asynchronously make GET requests.

Minimal performant package to asynchronously make GET requests without any dependencies other than asyncio.

1 Jun 01, 2022

Caching for HTTPX

Caching for HTTPX. Note: Early development / alpha, use at your own risk. This package adds caching functionality to HTTPX Adapted from Eric Larson's

0 Oct 08, 2022

Geowifi 📡 💘 🌎 Search WiFi geolocation data by BSSID and SSID on different public databases.

441 Dec 23, 2022

Wifijammer - Continuously jam all wifi clients/routers

wifijammer Continuously jam all wifi clients and access points within range. The effectiveness of this script is constrained by your wireless card. Al

3.5k Dec 31, 2022

With the use of this tool, you can change your MAC address

Akshat0404/MAC_CHANGER This tool has to be used on linux kernel. Now o

1 Jan 25, 2022

Using AWS's API Gateway + Lambda + Python to run a simple websocket application. For learning/testing

Using AWS's API Gateway + Lambda + Python to run a simple websocket application. For learning/testing. The AWS Resources seemed overly complex and were missing some critical gotchas in setting up a s

15 Dec 23, 2022

A great python/java dynamic DNS service for NameSilo, with log, email reminder...

English NameSilo DDNS is a DDNS service for NameSilo domain names for home broadband , it can automatically detect IP changes in home broadband

77 Dec 28, 2022

A simple GitHub Action that physically puts your senses on alert when your build/release fails

GH Release Paniker A simple GitHub Action that physically puts your senses on alert when your build/release fails Usage Requirements: Raspberry Pi, LE

5 Dec 20, 2021

A simple electrical network analyzer, BASED ON computer-aided design.

Electrical Network Analyzer A simple electrical network analyzer. Given the oriented graph of the electrical network (circut), BASED ON computer-aided

4 Oct 15, 2022

wireguard-config-benchmark is a python script that benchmarks the download speeds for the connections defined in one or more wireguard config files

wireguard-config-benchmark is a python script that benchmarks the download speeds for the connections defined in one or more wireguard config files. If multiple configs are benchmarked it will output

12 May 07, 2022

Tripwire monitors ports and icmp to send the admin a message if somebody is scanning a machine that shouldn't be touched

3 Apr 05, 2022

forward several ports into a single port

port forwarding Multi-Input-Single-Output forward several ports into a single one this tool forwards packets from several ports into one single port.

3 Sep 11, 2021