Latest commit: batsec d35b9dc743, "Merge pull request #100 from KoelhoSec/patch-1 (Update README.md)", 2021-08-15 15:12:17 +01:00

SHAD0W

[shad0w logo]

SHAD0W is a modular C2 framework designed to successfully operate on mature environments.

It uses a range of methods to evade EDR and AV while allowing the operator to continue using the tooling and tradecraft they are familiar with. It's powered by Python 3.8 and C, and uses Donut for payload generation. Combining Donut with the process injection capabilities of SHAD0W gives the operator the ability to execute .NET assemblies, DLLs, EXEs, JS, VBS or XSLs fully in memory. Dynamically resolved syscalls are used heavily to avoid userland API hooking, anti-DLL-injection measures make it harder for EDR to load code into the beacons, and official Microsoft mitigation policies are applied to protect spawned processes.

See the wiki for installation and usage instructions.

Main features of SHAD0W C2:

  • Built for Docker - Runs fully inside of Docker allowing cross platform usage
  • Extremely modular - Easy to create new modules to interact and task beacons
  • HTTPS C2 communication - All traffic between beacons and the C2 are encrypted and transmitted over HTTPS
  • JSON based protocol - Custom beacons are able to be built and used with an easy to implement protocol
  • Live proxy and mirror - The C2 server is able to mirror any website in real time, relaying all non-C2 traffic to that site, making it look less suspicious when viewed in a web browser
  • Modern CLI - The CLI is built on prompt-toolkit

Main features of SHAD0W beacons:

  • EXE, PowerShell, shellcode and more - Beacons can be generated and used in many different formats
  • Process injection - Allows the operator to dllinject, migrate, shinject and more
  • Bypass AV - Payloads are frequently updated to evade common Anti-Virus products
  • Highly configurable - Custom jitters, user agents and more
  • HTTPS C2 communication - Traffic to and from the C2 is encrypted via HTTPS
  • Proxy aware - All callbacks can use the current system proxy

Current Modules:

  • Elevate - Built in PrivEsc exploits
  • Ghost in the Logs - Disable ETW & Sysmon, more info can be found here
  • GhostPack - Binaries compiled nightly via an Azure pipeline. Thanks to @Flangvik
  • Mimikatz - For all your credential theft needs
  • SharpCollection - A ton of .NET offensive tools, more info can be found here
  • SharpSocks - Reverse SOCKS proxy over HTTPS
  • StdAPI - Common commands to interact with the file system
  • Unmanaged PowerShell - Contains built in AMSI bypass
  • Upload and Download - Easy data exfiltration

Official Discord

Porchetta Industries