ENNAENNA

ScareCrow

Featured

๐Ÿ”ฅ Offensive Ops ยท Go

ScareCrow is a payload creation framework designed to generate loaders that bypass Endpoint Detection and Response (EDR) products. It uses direct Windows system calls instead of standard WinAPI calls, avoiding the userland hooks that EDR products use for detection. ScareCrow supports multiple loader types (DLL sideloading, binary, JScript, HTA), code signing with spoofed certificates, and integration with shellcode generators like Donut. It represents the current state of the art in EDR evasion.

2.9kstars
530forks
7issues
Updated 2y ago
+I use this
View on GitHub

Use Cases

  • Generating EDR-evading payload loaders
  • Direct syscall execution to bypass hooks
  • Code signing with spoofed certificates
  • DLL sideloading payload delivery
  • Testing EDR detection capabilities

Tags

edr-bypasssyscallsloaderevasioncode-signing

Details

Category
๐Ÿ”ฅ Offensive Ops
Language
Go
Repository
optiv/ScareCrow
Platforms
๐Ÿงlinux๐ŸชŸwindows

Links

GitHub Repository

github.com/optiv/ScareCrow

Releases

github.com/optiv/ScareCrow/releases

Issues

github.com/optiv/ScareCrow/issues

Sponsored

Your ad here

Reach security professionals and developers - ads@en-na.com

Community Reviews

Alternatives & Comparisons

Donut

C

Generates position-independent shellcode from .NET assemblies, PE files, and DLLs. Load anything in memory.

Compare ScareCrow vs Donut

Amber

Go

Reflective PE packer converting native PE files to position-independent shellcode.

Compare ScareCrow vs Amber

DllShimmer

Go

Weaponizes DLL hijacking by generating proxy DLLs with matching export address tables and C++ backdoor boilerplate.

Compare ScareCrow vs DllShimmer

More in Offensive Ops

Mythic

Go

Collaborative, multi-platform C2 framework. Docker-based with web UI, multiple agent types, and plugin architecture.

c2red-teammulti-operator

Havoc

C/C++

Modern C2 framework. Qt-based GUI, BOF support, custom agents, and a Cobalt Strike-inspired workflow.

c2red-teamgui

Rubeus

C#

C# toolset for raw Kerberos interaction and abuse. AS-REP roasting, Kerberoasting, ticket manipulation, delegation attacks.

kerberosactive-directoryroasting

Certipy

Python

Active Directory Certificate Services (AD CS) abuse tool. Find and exploit certificate template misconfigurations.

active-directorycertificatesadcs

Coercer

Python

Automatically find and exploit Windows authentication coercion vulnerabilities. PetitPotam, PrinterBug, and more.

authentication-coercionntlm-relaypetitpotam

SharpHound

C#

Official BloodHound data collector. Enumerates Active Directory objects, sessions, ACLs, and trusts for graph analysis.

active-directoryenumerationbloodhound