webrtc>> ScareCrow-CobaltStrike>> 返回
项目作者: GeorgePatsias

项目描述 :
Cobalt Strike script for ScareCrow payloads (EDR/AV evasion)
高级语言: Python
项目地址: git://github.com/GeorgePatsias/ScareCrow-CobaltStrike.git
创建时间: 2021-06-24T10:04:01Z
项目社区:https://github.com/GeorgePatsias/ScareCrow-CobaltStrike
开源协议:MIT License
下载








Cobalt Strike ⇌ ScareCrow


(EDR/AV evasion)

EDR unhooking, Syscall loading, ETW/AMSI patch, Process Injection, Signed Loader, AES encrypt



GitHub stars
GitHub forks
GitHub size
GitHub lastcommit



Github twitter

💣 ScareCrow Options

  1. -I string
  2.     Path to the raw 64-bit shellcode.
  3. -Loader string
  4.     Sets the type of process that will sideload the malicious payload:
  5.     [*] binary - Generates a binary based payload. (This type does not benefit from any sideloading)
  6.     [*] control - Loads a hidden control applet - the process name would be rundll32 if -O is specified. A JScript loader will be generated.
  7.     [*] dll - Generates just a DLL file. Can be executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions.
  8.     [*] excel - Loads into a hidden Excel process using a JScript loader.
  9.     [*] msiexec - Loads into MSIexec process using a JScript loader.
  10.     [*] wscript - Loads into WScript process using a JScript loader.
  11. -O string
  12.     Name of output file (e.g. loader.js or loader.hta). If Loader is set to dll or binary this option is not required.
  13. -domain string
  14.     The domain name to use for creating a fake code signing cert. (e.g. www.acme.com) 
  15. -injection string
  16.     Enables Process Injection Mode and specify the path to the process to create/inject into (use \ for the path).
  17. -noamsi
  18.     Disables the AMSI patching that prevents AMSI BuffferScanner.
  19. -noetw
  20.     Disables the ETW patching that prevents ETW events from being generated.
  21. -nosleep
  22.     Disables the sleep delay before the loader unhooks and executes the shellcode.
  23. -sandbox
  24.     Enables sandbox evasion using IsDomainedJoined calls.

📥 Clone the Project

  1. git clone https://github.com/GeorgePatsias/ScareCrow-CobaltStrike.git

🏭 Install ScareCrow

Setup ScareCrow https://github.com/optiv/ScareCrow just by running the install.sh script.

  1. chmod +x install.sh
  2. ./install.sh

🔧 Setup CNA Script Configurations

Edit the ScareCrow.cna and replace the variables below accordingly. NOTE! Do not add the final / at the end of the paths!

  1. #Path to the ScareCrow-CobaltStrike repository you just cloned.
  2. $script_path = "/home/user/ScareCrow-CobaltStrike";
  4. #Path to the compiled ScareCrow Go executable of the installation.
  5. $scarecrow_executable = "/home/user/ScareCrow-CobaltStrike/ScareCrow/ScareCrow";

💀 Add the CNA script to Cobalt Strike

Cobalt Strike > Script Manager > Load > Select ScareCrow.cna

You will see the new menu item called ScareCrow on the top menu of Cobalt Strike.

Side notes

  • Run DLLs as following and slightly change the name of the exported DLL
    rundll32 example.dll,DllRegisterServer
    rundll32 example.dll,DllGetClassObject
  • Process Injection field must be defined with a single \ e.g C:\Windows\System32\notepad.exe
  • When signing the loader with microsoft.com, using them against WINDOWS DEFENDER ATP products may not be as effective as they can validate the cert as it belongs to them. If you are using a loader against a windows product possibly use a different domain.

📖 Screenshot

📖 References

"Buy Me A Coffee"