Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/GeorgePatsias/ScareCrow-CobaltStrike

Cobalt Strike script for ScareCrow payloads intergration (EDR/AV evasion)
https://github.com/GeorgePatsias/ScareCrow-CobaltStrike

bypass-antivirus cobaltstrike-cna control dll edr evasion excel exe msiexec scarecrow wscript

Last synced: 21 days ago
JSON representation

Cobalt Strike script for ScareCrow payloads intergration (EDR/AV evasion)

Host: GitHub
URL: https://github.com/GeorgePatsias/ScareCrow-CobaltStrike
Owner: GeorgePatsias
License: mit
Created: 2021-06-24T10:04:01.000Z (over 3 years ago)
Default Branch: main
Last Pushed: 2022-07-15T09:39:18.000Z (over 2 years ago)
Last Synced: 2024-08-05T17:44:44.128Z (4 months ago)
Topics: bypass-antivirus, cobaltstrike-cna, control, dll, edr, evasion, excel, exe, msiexec, scarecrow, wscript
Language: Python
Homepage:
Size: 313 KB
Stars: 452
Watchers: 9
Forks: 70
Open Issues: 3
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

awesome-hacking-lists - GeorgePatsias/ScareCrow-CobaltStrike - Cobalt Strike script for ScareCrow payloads intergration (EDR/AV evasion) (Python)

README

Cobalt Strike ⇌ ScareCrow

(EDR/AV evasion)

EDR unhooking, Syscall loading, ETW/AMSI patch, Process Injection, Signed Loader, AES encrypt

![GitHub stars](https://img.shields.io/github/stars/GeorgePatsias/ScareCrow-CobaltStrike)
![GitHub forks](https://img.shields.io/github/forks/GeorgePatsias/ScareCrow-CobaltStrike)
![GitHub size](https://img.shields.io/github/languages/code-size/GeorgePatsias/ScareCrow-CobaltStrike)
![GitHub lastcommit](https://img.shields.io/github/last-commit/GeorgePatsias/ScareCrow-CobaltStrike)

![Github twitter](https://img.shields.io/twitter/follow/GeorgePatsias1?label=Follow%20%40%20Twitter&style=social)

### 💣 ScareCrow Options
```bash
-I string
Path to the raw 64-bit shellcode.
-Loader string
Sets the type of process that will sideload the malicious payload:
[*] binary - Generates a binary based payload. (This type does not benefit from any sideloading)
[*] control - Loads a hidden control applet - the process name would be rundll32 if -O is specified. A JScript loader will be generated.
[*] dll - Generates just a DLL file. Can be executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions.
[*] excel - Loads into a hidden Excel process using a JScript loader.
[*] msiexec - Loads into MSIexec process using a JScript loader.
[*] wscript - Loads into WScript process using a JScript loader.
-O string
Name of output file (e.g. loader.js or loader.hta). If Loader is set to dll or binary this option is not required.
-domain string
The domain name to use for creating a fake code signing cert. (e.g. www.acme.com)
-injection string
Enables Process Injection Mode and specify the path to the process to create/inject into (use \ for the path).
-noamsi
Disables the AMSI patching that prevents AMSI BuffferScanner.
-noetw
Disables the ETW patching that prevents ETW events from being generated.
-nosleep
Disables the sleep delay before the loader unhooks and executes the shellcode.
-sandbox
Enables sandbox evasion using IsDomainedJoined calls.
```
## 📥 Clone the Project
```bash
git clone https://github.com/GeorgePatsias/ScareCrow-CobaltStrike.git
```

## 🏭 Install ScareCrow

Setup ScareCrow [https://github.com/optiv/ScareCrow](https://github.com/optiv/ScareCrow) just by running the `install.sh` script.
```bash
chmod +x install.sh
./install.sh
```

## 🔧 Setup CNA Script Configurations

Edit the ScareCrow.cna and replace the variables below accordingly. **NOTE!** Do not add the final **/** at the end of the paths!
```
#Path to the ScareCrow-CobaltStrike repository you just cloned.
$script_path = "/home/user/ScareCrow-CobaltStrike";

#Path to the compiled ScareCrow Go executable of the installation.
$scarecrow_executable = "/home/user/ScareCrow-CobaltStrike/ScareCrow/ScareCrow";
```

## 💀 Add the CNA script to Cobalt Strike
`Cobalt Strike > Script Manager > Load > Select ScareCrow.cna`

You will see the new menu item called **ScareCrow** on the top menu of Cobalt Strike.

### Side notes
* Run DLLs as following and slightly change the name of the exported DLL
`rundll32 example.dll,DllRegisterServer`
`rundll32 example.dll,DllGetClassObject`
* Process Injection field must be defined with a single `\` e.g `C:\Windows\System32\notepad.exe`
* When signing the loader with microsoft.com, using them against WINDOWS DEFENDER ATP products may not be as effective as they can validate the cert as it belongs to them. If you are using a loader against a windows product possibly use a different domain.

## 📖 Screenshot

## 📖 References
* [https://github.com/optiv/ScareCrow](https://github.com/optiv/ScareCrow)
* https://adamsvoboda.net/evading-edr-with-scarecrow/

* https://www.optiv.com/insights/source-zero/blog/endpoint-detection-and-response-how-hackers-have-evolved (Part 1)

* https://www.optiv.com/insights/source-zero/blog/edr-and-blending-how-attackers-avoid-getting-caught (Part 2)

[!["Buy Me A Coffee"](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://www.buymeacoffee.com/UserX)