Offensive Security Tool: Shad0w

by | Jan 8, 2021 | Tools

Post Views: 5,802

Premium Content

Patreon

Subscribe to Patreon to watch this episode.

 



Reading Time: 5 Minutes

Offensive Security Tool: Shad0w

GitHub Link

 

SHAD0W is a modular C2 framework designed to successfully operate on mature environments.

It will use a range of methods to evade EDR and AV while allowing the operator to continue using tooling an tradecraft they are familiar with. Its powered by Python 3.8 and C, using Donut for payload generation. By using Donut along side the process injection capabilities of SHAD0W it gives the operator the ability to execute .NET assemblies, EXEs, DLLs, VBS, JS or XSLs fully inside memory. Dynamically resolved syscalls are heavily used to avoid userland API hooking, anti DLL injection to make it harder for EDR to load code into the beacons and official Microsoft mitigation methods to protect spawn processes.

 



Main features of the SHAD0W C2 are:

  • Built For Docker – It runs fully inside docker allowing cross platform usage.
  • Live Proxy & Mirror – The C2 server is able to mirror any website in real time, relaying all non C2 traffic to that site making it look less subject when viewed in a web browser.
  • HTTPS C2 Communication – All traffic between beacons and the C2 will be encrypted and transmitted over HTTPS.
  • Modern CLI – The CLI is built on prompt-toolkit
  • JSON Based Protocol – Custom beacons are able to built and used easily with an easy to implement protocol.
  • Extremely Modular – Easy to create new modules to interact and task beacons.

 



Main features of SHAD0W beacons are:

  • Shellcode, EXE, Powershell & More – Beacons can be generated and used in many different formats.
  • Process Injection – Allowing you to migrate, shinject, dllinject and more.
  • Bypass AV – Payloads are frequently updated to evade common Anti-Virus products.
  • Highly configurable – Custom jitters, user agents and more.
  • Proxy Aware – All callbacks will use the current system proxy.
  • HTTPS C2 Communication – Traffic to and from the C2 is encrypted via HTTPS.

 



Current Modules:

  • GhostPack – With the binaries compiled nightly via an Azure pipeline. Thanks to @Flangvik
  • Unmanaged Powershell – With built in AMSI bypass.
  • Ghost In The Logs – Disable ETW & Sysmon, more info can be found here
  • Elevate – Built in PrivEsc exploits.
  • SharpSocks – Reverse socks proxy over HTTPS.
  • SharpCollection – A ton of .NET offensive tools, more info can be found here
  • Mimikatz – For all your credential theft needs.
  • Upload & Download – Easy data exfiltration.
  • StdAPI – Common commands to interact with the file system.

 

 

Install:

$ git clone --recurse-submodules https://github.com/bats3c/shad0w.git && cd shad0w
$ sudo ./shad0w install

Usage:

https://blog.dylan.codes/shad0w/

 



Share This