ScareCrow
Featured🔥 Offensive Ops · Go
ScareCrow is a payload creation framework designed to generate loaders that bypass Endpoint Detection and Response (EDR) products. It uses direct Windows system calls instead of standard WinAPI calls, avoiding the userland hooks that EDR products use for detection. ScareCrow supports multiple loader types (DLL sideloading, binary, JScript, HTA), code signing with spoofed certificates, and integration with shellcode generators like Donut. It represents the current state of the art in EDR evasion.
Use Cases
- Generating EDR-evading payload loaders
- Direct syscall execution to bypass hooks
- Code signing with spoofed certificates
- DLL sideloading payload delivery
- Testing EDR detection capabilities
Tags
Details
- Category
- 🔥 Offensive Ops
- Language
- Go
- Repository
- optiv/ScareCrow
Platforms
Alternatives & Comparisons
More in Offensive Ops
Mythic
GoCollaborative, multi-platform C2 framework. Docker-based with web UI, multiple agent types, and plugin architecture.
Havoc
C/C++Modern C2 framework. Qt-based GUI, BOF support, custom agents, and a Cobalt Strike-inspired workflow.
Rubeus
C#C# toolset for raw Kerberos interaction and abuse. AS-REP roasting, Kerberoasting, ticket manipulation, delegation attacks.
Certipy
PythonActive Directory Certificate Services (AD CS) abuse tool. Find and exploit certificate template misconfigurations.
Coercer
PythonAutomatically find and exploit Windows authentication coercion vulnerabilities. PetitPotam, PrinterBug, and more.
SharpHound
C#Official BloodHound data collector. Enumerates Active Directory objects, sessions, ACLs, and trusts for graph analysis.