ScareCrow - Payload creation framework designed around EDR bypass.
-Exec that can be used for any loader type (.exe, cpl, dll, js)
-encryptionmode command line argument to choose either RC4, LZMA, or AES encryption for the shellcode
-obfu command line argument to toggle the -literals flag on Garble
-Evasion command line argument to choose the type of EDR unhooking technique
-clone command line argument to clone a certificate from a file
-outpath to put the final Payload/Loader in a specific path once it's compiled
-console is called with other options
-noamsi command option to not patch AMSI.
-sha256 command to list the SHA256 hash of the loaders.
-O is not defined with WScript and Excel loaders.
-unmodified command line breaking.
-noetw and -noamsi
-noetw to not patch ETW. This replaces the -etw function.
-nosleep to remove the sleep timer if needed.
-domain option against any Defender-based product.

Implemented a Base64 string function for all loaders and JScript files that randomizes the maximum number of characters a variable can hold of the Base64-encoded shellcode. The function breaks the string into multiple shorter strings that are concatenated back together at runtime. This should help evade signatures that match on long, suspicious Base64 strings.
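The Base64 chunking described above, as an added Go example that is not ScareCrow's own code: it splits an encoded blob into chunks whose length is drawn at random per chunk from a chosen range, emits the JScript variable declarations that rebuild the full string with `+` at runtime, and verifies the round trip before anything is written out. The function names, the chunk-length bounds and the sample bytes are assumptions and constructed input; ScareCrow's real implementation and its size limits are not shown on this page.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
)

// splitRandom breaks s into consecutive chunks, each with a freshly drawn
// random length in [minLen, maxLen]. Only the final chunk may be shorter.
// Drawing the bound per chunk means two builds of the same payload never
// share the same literal boundaries. (Hypothetical helper, not ScareCrow's code.)
func splitRandom(s string, minLen, maxLen int) ([]string, error) {
	if minLen < 1 || maxLen < minLen {
		return nil, fmt.Errorf("invalid chunk bounds %d..%d", minLen, maxLen)
	}
	var chunks []string
	for len(s) > 0 {
		span := big.NewInt(int64(maxLen - minLen + 1))
		n, err := rand.Int(rand.Reader, span)
		if err != nil {
			return nil, err
		}
		size := minLen + int(n.Int64())
		if size > len(s) {
			size = len(s)
		}
		chunks = append(chunks, s[:size])
		s = s[size:]
	}
	return chunks, nil
}

// emitJScript renders each chunk as its own JScript variable and a final
// statement that concatenates them back into one string at runtime.
// Standard Base64 characters (A-Z, a-z, 0-9, +, /, =) need no escaping
// inside a double-quoted JScript literal.
func emitJScript(varPrefix string, chunks []string) string {
	var b strings.Builder
	names := make([]string, len(chunks))
	for i, c := range chunks {
		names[i] = fmt.Sprintf("%s%d", varPrefix, i)
		fmt.Fprintf(&b, "var %s = \"%s\";\n", names[i], c)
	}
	fmt.Fprintf(&b, "var %s = %s;\n", varPrefix, strings.Join(names, " + "))
	return b.String()
}

// reassemble does in Go what the emitted JScript does at runtime, so the
// generator can confirm the round trip before writing the loader file.
func reassemble(chunks []string) string {
	return strings.Join(chunks, "")
}

func main() {
	// Constructed sample bytes standing in for shellcode; not a real payload.
	payload := []byte{0x90, 0x90, 0xcc, 0xc3, 0x48, 0x31, 0xc0, 0x48, 0x89, 0xc1,
		0x48, 0x83, 0xc4, 0x28, 0xff, 0xd0, 0xeb, 0xfe, 0x00, 0x00}
	enc := base64.StdEncoding.EncodeToString(payload)

	chunks, err := splitRandom(enc, 4, 9) // bounds are an arbitrary choice
	if err != nil {
		panic(err)
	}
	fmt.Print(emitJScript("s", chunks))

	decoded, err := base64.StdEncoding.DecodeString(reassemble(chunks))
	if err != nil {
		panic(err)
	}
	fmt.Println("round trip ok:", bytes.Equal(decoded, payload))
}
```

Because the chunk lengths come from `crypto/rand`, the emitted loader differs on every run even for identical shellcode; the round-trip check at the end is the guard that should run before the generated script is ever saved, since a single dropped chunk decodes to garbage rather than failing loudly.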