Beaconator: generate staged or stageless shellcode and pack the generated shellcode
Beaconator
Beaconator is an aggressor script for Cobalt Strike that generates either staged or stageless shellcode and packs the generated shellcode using your tool of choice.
Currently, it supports the following tools:
Staged Beacon Generator
- Alaris: Alaris is a new and sneaky shellcode loader capable of bypassing most EDR systems as of today (02/28/2021). It uses several known TTPs that help protect the malware and its execution flow.
Stageless Beacon Generator
- PEzor: Open-Source Shellcode & PE Packer
- ScareCrow: ScareCrow is a payload creation framework for sideloading (not injecting) into a legitimate Windows process (bypassing Application Whitelisting controls). Once the DLL loader is loaded into memory, it utilizes a technique to flush an EDR's hooks out of the system DLLs running in the process's memory. This works because we know the EDR's hooks are placed when a process is spawned. ScareCrow can target these DLLs and manipulate them in memory by using the API function VirtualProtect, which changes the permissions of a section of a process's memory to a different value, specifically from Execute-Read to Read-Write-Execute.
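The Execute-Read to Read-Write-Execute change on a system DLL described in the ScareCrow entry is itself a detection signal. The following Python code is an added example, not part of Beaconator or any of the tools listed; it flags that transition when the affected range overlaps a watched DLL. The event schema, the module map, the sample addresses and the watch list are all assumptions constructed for illustration.

```python
PAGE_EXECUTE_READ = 0x20        # documented Win32 constant
PAGE_EXECUTE_READWRITE = 0x40   # documented Win32 constant
WATCHED_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll"}  # assumption

# Constructed sample data in a hypothetical schema: pid -> [(name, base, size)].
SAMPLE_MODULES = {
    4242: [("ntdll.dll", 0x7FFB10000000, 0x1F0000),
           ("kernel32.dll", 0x7FFB0F000000, 0x0C0000)],
    5150: [("vendorplugin.dll", 0x7FFA00000000, 0x040000)],
}
SAMPLE_EVENTS = [  # constructed telemetry records
    # RX -> RWX over ntdll's code: the pattern described above.
    {"pid": 4242, "api": "VirtualProtect", "address": 0x7FFB10001000,
     "size": 0x11000, "old": 0x20, "new": 0x40},
    # RX -> RWX in a non-system module: out of scope for this rule.
    {"pid": 5150, "api": "VirtualProtect", "address": 0x7FFA00001000,
     "size": 0x1000, "old": 0x20, "new": 0x40},
    # RW -> RX on private memory (typical JIT): not the pattern.
    {"pid": 5150, "api": "VirtualProtect", "address": 0x1F000000000,
     "size": 0x2000, "old": 0x04, "new": 0x20},
    # Range starts below kernel32 and overlaps its first page.
    {"pid": 4242, "api": "VirtualProtect", "address": 0x7FFB0EFFF000,
     "size": 0x2000, "old": 0x20, "new": 0x40},
]

def module_for(address, size, modules):
    """Return the name of the first module the range overlaps, or None."""
    for name, base, mod_size in modules:
        if address < base + mod_size and base < address + size:
            return name
    return None

def find_rx_to_rwx(events, modules_by_pid, watched=WATCHED_DLLS):
    """Return (pid, dll, address) for each RX -> RWX change in a watched DLL."""
    findings = []
    for ev in events:
        if ev["api"] != "VirtualProtect":
            continue
        if (ev["old"], ev["new"]) != (PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE):
            continue
        dll = module_for(ev["address"], ev["size"], modules_by_pid.get(ev["pid"], []))
        if dll and dll.lower() in watched:
            findings.append((ev["pid"], dll, ev["address"]))
    return findings

if __name__ == "__main__":
    for pid, dll, addr in find_rx_to_rwx(SAMPLE_EVENTS, SAMPLE_MODULES):
        print(f"pid={pid} RX->RWX inside {dll} at {addr:#x}")
```

The overlap test matters because a protection call can start outside the module and still cover its pages, as the last sample event shows.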
Install & Use
Copyright (c) 2021 Capt. Meelo