Go to file
2021-08-15 15:12:17 +01:00
.bridge added ls command 2020-04-30 21:24:08 +00:00
beacon fixed possible writing wchar to char issue 2021-07-16 04:42:39 +05:30
bin changed to .keep for consistency 2020-06-22 19:37:58 +01:00
certs initial commit 2020-04-28 16:49:12 +00:00
exploits Grammar 2021-01-15 10:15:42 -05:00
lib Merge pull request #98 from equation-group/patch-3 2021-08-13 10:03:45 +01:00
modules/windows Grammar 2021-01-15 13:31:51 -05:00
rules added new rule 2020-06-16 23:50:44 +01:00
scripts added unmanaged powershell 2020-06-18 20:55:46 +01:00
.gitattributes Update .gitattributes 2020-04-28 18:56:37 +00:00
.gitignore ignore files 2020-05-30 17:39:54 +00:00
.gitmodules Added SharpCollection as an submodule 🔥 2020-06-16 14:27:47 -04:00
Dockerfile Update Dockerfile 2021-01-20 10:06:28 +00:00
install.sh Fix dependencies for installer 2021-06-13 16:31:08 -04:00
LICENSE Create LICENSE 2020-04-28 16:44:48 +00:00
Makefile initial commit 2020-04-28 16:49:12 +00:00
README.md Update README.md 2021-08-15 08:10:37 -04:00
requirements.txt Alphabetized and removed stale code. 2021-01-13 17:36:31 -05:00
shad0w Added a dev option to streamline development inside docker container 2021-01-14 13:04:09 -05:00
shad0w.png replaced logo 2020-07-03 15:42:37 +01:00
shad0w.py tidy code up 2021-01-18 22:22:15 +00:00
TODO Grammar 2021-01-11 17:26:53 -06:00

Project Status


shad0w logo

SHAD0W is a modular C2 framework designed to successfully operate on mature environments.

It uses a range of methods to evade EDR and AV while allowing the operator to continue using tooling and tradecraft they are familiar with. Its powered by Python 3.8 and C, and uses Donut for payload generation. By using Donut along with the process injection capabilities of SHAD0W, it provides the operator the ability to execute .NET assemblies, DLLs, EXEs, JS, VBS or XSLs fully inside memory. Dynamically resolved syscalls are heavily used to avoid userland API hooking, anti DLL injection to make it harder for EDR to load code into the beacons and official Microsoft mitigation methods to protect spawn processes.

See the wiki for installation and usage instructions.

Main features of SHAD0W C2:

  • Built for Docker - Runs fully inside of Docker allowing cross platform usage
  • Extremely modular - Easy to create new modules to interact and task beacons
  • HTTPS C2 communication - All traffic between beacons and the C2 are encrypted and transmitted over HTTPS
  • JSON based protocol - Custom beacons are able to be built and used with an easy to implement protocol
  • Live proxy and mirror - The C2 server is able to mirror any website in real time, relaying all non C2 traffic to that site, making it look less subject when viewed in a web browser
  • Modern CLI - The CLI is built on prompt-toolkit

Main features of SHAD0W beacons:

  • EXE, PowerShell, shellcode and more - Beacons can be generated and used in many different formats
  • Process injection - Allows the operator to dllinject, migrate, shinject and more
  • Bypass AV - Payloads are frequently updated to evade common Anti-Virus products
  • Highly configurable - Custom jitters, user agents and more
  • HTTPS C2 communication - Traffic to and from the C2 is encrypted via HTTPS
  • Proxy aware - All callbacks can use the current system proxy

Current Modules:

  • Elevate - Built in PrivEsc exploits
  • Ghost in the Logs - Disable ETW & Sysmon, more info can be found here
  • GhostPack - Binaries compiled nightly via an Azure pipeline. Thanks to @Flangvik
  • Mimikatz - For all your credential theft needs
  • SharpCollection - A ton of .NET offensive tools, more info can be found here
  • SharpSocks - Reverse SOCKS proxy over HTTPS
  • StdAPI - Common commands to interact with the file system
  • Unmanaged PowerShell - Contains built in AMSI bypass
  • Upload and Download - Easy data exfiltration

Official Discord

Porchetta Industries