ScareCrow Versions

ScareCrow - Payload creation framework designed around EDR bypass.

v5.1

11 months ago

Bug Fixes


  • Fixed issue with the --outpath and the sha256

v5.0

11 months ago

New Features


  • Removed the binary mode template
  • Rebuilt the loader and structure files to be more modular
  • Introduced 4 shellcode templates (-Exec) that can be used for any loader type (.exe, .cpl, .dll, .js)
  • Added 2 new encryption methods (RC4 and LZMA)
  • Introduced -encryptionmode command line argument to choose either RC4, LZMA, or AES encryption for the Shellcode
  • Added -obfu command line argument to toggle the -literals flag on Garble
  • Removed IoC for Garble for certain well-known Anti-Malware products
  • Added additional unhook technique KnownDlls
  • Added -Evasion command line argument to choose the type of EDR unhooking technique
  • Added Remote ETW patching for process injection mode
  • Added random extensions for Wscript side-loading
  • Added -clone command line argument to clone a certificate from a file
  • Updated it to be compatible with Go versions 1.19.1 and up

Bug Fixes


  • With the new binary templates, issues with Mythic C2 shellcode should be fixed
  • Fixed IoC with base64 encoding on compiled DLLs
  • Removed IoCs related to some Anti-Malware products
  • Updated help menu & README

v4.11

1 year ago

New Features


  • Added -nosign to disable file signing, making -domain/-valid/-password parameters not required. Shoutout to mgeeky for this feature request.

v4.1

2 years ago

New Features


  • Added -outpath to put the final Payload/Loader in a specific path once it's compiled

Bug Fixes


  • Fixed bug with the binary loaders that caused an occasional crash
  • Fixed duplicate import when -console is called with other options
  • Fixed issue with msiexec loaders with Jscript file extensions
  • Fixed typos in README

v4.01

2 years ago

Bug Fixes


  • Fixed issue with process injection and missing decode function
  • Fixed issue with process injection and binary mode with the -console
  • Fixed process injection Kernelbase typo

v4.0

2 years ago

New Features


  • Introduced AMSI bypass mechanisms to prevent AMSI events from being generated.
  • Added a -noamsi command option to not patch AMSI.
  • Added graphic icons to all binary loaders that match the binary.
  • Added Garble for compiling all loaders.
  • Added a -sha256 command to list the sha256 hash of the loaders.
  • Removed all IoCs for certain well-known Anti-Malware products.
  • Rewrote the shellcode and decrypt function into a library rather than a function in the main file.
  • Updated binary loader method of allocating and executing shellcode.
  • Updated system DLL method from base64 to byte array.
  • Removed _CGO_Dummy_Export From all DLL-based loaders.
  • Removed CGO for compiling binary loaders.

Bug Fixes


  • Fixed bug with certain attributes not properly showing for binary loaders.
  • Fixed code bug with HTA files with WScript, Control, and MSIexec loaders.
  • Fixed Index error for WScript loaders.
  • Added error messaging for when -O is not defined with WScript and Excel loaders.
  • Fixed issue with the -unmodified command line breaking.
  • Updated help menu & README.

Update 03/23/2022 13:22 EST


  • Fixed issue with Base64 and -noetw and -noamsi
  • Fixed Kernelbase typo.

v3.01

2 years ago

Bug Fixes


  • Fixed os import error on binary mode loaders and -sandbox (shoutout to rvrsh3ll for reporting it)

v3.0

2 years ago

New Features


  • ETW patching is now enabled by default, as some EDRs now rely on ETW to help augment detection.
  • Added a -noetw to not patch ETW. This replaces the -etw function.
  • Added additional ETW calls to thoroughly patch all calls to ETW.
  • Added Sleep time prior to hiding binary loaders in the background. (To avoid detection)
  • Added an option -nosleep to remove the sleep timer if needed.
  • Updated the attribute's values for spoofing.
  • Added a new Binary to spoof.
  • Added obfuscation to the DLLs and API being reloaded. (Shout out to Ryan Dorey for the idea)
  • Removed all IoCs related to the Yara rule
  • Added a version check control to ensure ScareCrow is using go version 1.16.1 or later.

Bug Fixes


  • Fixed bug with donut raw shellcode and binary mode
  • Added a double call to patch for ETW, one before the unhooking and one after the unhooking is done.
  • Fixed issue with using valid code-signing.
  • Added an OPSEC consideration when using www.microsoft.com as the -domain option against any Defender-based product.
  • Updated help menu & README.

v2.3

2 years ago

Feature


Implemented a B64 string function for all Loaders and Jscript files that randomizes the maximum number of characters a variable can hold of Base64-encoded shellcode. This function breaks the string up into multiple strings that are then reassembled at runtime. This should help evade any signatures for suspicious base64 strings.

v2.2

2 years ago

Bug Fixes


  • Fixed issue with DLL and CPL loaders not properly breaking up the base64 string. Shoutout to @ralphte1 for reporting this to me.