You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Go to file
batsec d35b9dc743
Merge pull request #100 from KoelhoSec/patch-1
2 years ago
.bridge added ls command 3 years ago
beacon fixed possible writing wchar to char issue 2 years ago
bin changed to .keep for consistency 3 years ago
certs initial commit 3 years ago
exploits Grammar 2 years ago
lib Merge pull request #98 from equation-group/patch-3 2 years ago
modules/windows Grammar 2 years ago
rules added new rule 3 years ago
scripts added unmanaged powershell 3 years ago
.gitattributes Update .gitattributes 3 years ago
.gitignore ignore files 3 years ago
.gitmodules Added SharpCollection as an submodule 🔥 3 years ago
Dockerfile Update Dockerfile 2 years ago
LICENSE Create LICENSE 3 years ago
Makefile initial commit 3 years ago Update 2 years ago
TODO Grammar 2 years ago Fix dependencies for installer 2 years ago
requirements.txt Alphabetized and removed stale code. 2 years ago
shad0w Added a dev option to streamline development inside docker container 2 years ago
shad0w.png replaced logo 3 years ago tidy code up 2 years ago

Project Status


shad0w logo

SHAD0W is a modular C2 framework designed to successfully operate on mature environments.

It uses a range of methods to evade EDR and AV while allowing the operator to continue using tooling and tradecraft they are familiar with. Its powered by Python 3.8 and C, and uses Donut for payload generation. By using Donut along with the process injection capabilities of SHAD0W, it provides the operator the ability to execute .NET assemblies, DLLs, EXEs, JS, VBS or XSLs fully inside memory. Dynamically resolved syscalls are heavily used to avoid userland API hooking, anti DLL injection to make it harder for EDR to load code into the beacons and official Microsoft mitigation methods to protect spawn processes.

See the wiki for installation and usage instructions.

Main features of SHAD0W C2:

  • Built for Docker - Runs fully inside of Docker allowing cross platform usage
  • Extremely modular - Easy to create new modules to interact and task beacons
  • HTTPS C2 communication - All traffic between beacons and the C2 are encrypted and transmitted over HTTPS
  • JSON based protocol - Custom beacons are able to be built and used with an easy to implement protocol
  • Live proxy and mirror - The C2 server is able to mirror any website in real time, relaying all non C2 traffic to that site, making it look less subject when viewed in a web browser
  • Modern CLI - The CLI is built on prompt-toolkit

Main features of SHAD0W beacons:

  • EXE, PowerShell, shellcode and more - Beacons can be generated and used in many different formats
  • Process injection - Allows the operator to dllinject, migrate, shinject and more
  • Bypass AV - Payloads are frequently updated to evade common Anti-Virus products
  • Highly configurable - Custom jitters, user agents and more
  • HTTPS C2 communication - Traffic to and from the C2 is encrypted via HTTPS
  • Proxy aware - All callbacks can use the current system proxy

Current Modules:

  • Elevate - Built in PrivEsc exploits
  • Ghost in the Logs - Disable ETW & Sysmon, more info can be found here
  • GhostPack - Binaries compiled nightly via an Azure pipeline. Thanks to @Flangvik
  • Mimikatz - For all your credential theft needs
  • SharpCollection - A ton of .NET offensive tools, more info can be found here
  • SharpSocks - Reverse SOCKS proxy over HTTPS
  • StdAPI - Common commands to interact with the file system
  • Unmanaged PowerShell - Contains built in AMSI bypass
  • Upload and Download - Easy data exfiltration

Official Discord

Porchetta Industries