Skip to content
This repository has been archived by the owner on Aug 18, 2023. It is now read-only.

Releases: optiv/ScareCrow

v5.1

27 Apr 19:48
@Tylous Tylous
v5.1
210410a
Compare
Choose a tag to compare
v5.1 Latest
Latest

Bug Fixes

  • Fixed issue with the --outpath and the sha256
Assets 6
Loading

v5.0

20 Apr 17:54
@Tylous Tylous
v5.0
a2b9238
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
v5.0

New Features

  • Removed the binary mode template
  • Rebuilt the loader and structure files to be more modular
  • Introduced 4 shellcode templates -Exec that can be used for any type (.exe, cpl. dll, js)
  • Added 2 new encryption methods (RC4 and LZMA)
  • Introduced -encryptionmode command line argument to choose either RC4, LZMA, or AES encryption for the Shellcode
  • Added -obfu command line argument to toggle the -literals flag on Garble
  • Removed IoC for Garble for certain well-known Anti-Malware products
  • Added additional unhook technique KnownDlls
  • Added -Evasion command line argument to choose the type of EDR unhooking technique
  • Added Remote ETW patching for process injection mode
  • Added random extentions for Wscript side-loading
  • Added -clone command line argument to clone a certificate from a file
  • Updated it to be compatible with Go versions 1.19.1 and up

Bug Fixes

  • With the new binary templates, issues with Mythic C2 shellcode should be fixed
  • Fixed IoC with base64 encoding on compiled DLLs
  • Removed IoCs related to some Anti-Malware products
  • Updated help menu & README
Assets 7
Loading

v4.11

14 Jun 16:19
@Tylous Tylous
v4.11
a2b9238
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.11

New Features

  • Added -nosign to disable file signing, making -domain/-valid/-password parameters not required. Shoutout to mgeeky for this feature request.
Assets 6
Loading

v4.1

14 Apr 01:48
@Tylous Tylous
v4.1
b19c3bd
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.1

New Features

  • Added -outpath to put the final Payload/Loader in a specific path once it's compiled

Bug Fixes

  • Fixed bug with the binary loaders that caused an occasional crash
  • Fixed duplicate import when -console is called with other options
  • Fixed issue with msiexec loader's with Jscript file extensions
  • Fixed typos in README
Assets 6
Loading

v4.01

01 Apr 15:17
@Tylous Tylous
v4.01
649efc1
Compare
Choose a tag to compare
v4.01

Bug Fixes

  • Fixed issue with process injection and missing decode function
  • Fixed issue with process injection and binary mode with the -console
  • Fixed process injection Kernelbase typo
Assets 6
Loading

v4.0

23 Mar 22:12
@Tylous Tylous
v4.0
64abb2b
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.0

New Features

  • Introduced AMSI bypass mechanisms to prevent AMSI events from being generated.
  • Added a -noamsi command option to not patch AMSI.
  • Added graphic icons to all binary loaders that match the binary.
  • Added Garble for compiling all loaders.
  • Added a -sha256 command to list the sha256 hash of the loaders.
  • Removed all IoC's for certain well-known Anti-Malware products.
  • Rewrote the shellcode and decrypt function into a library rather than a function in the main file.
  • Updated binary loader method of allocating and executing shellcode.
  • Updated system DLL method from base64 to byte array.
  • Removed _CGO_Dummy_Export From all DLL-based loaders.
  • Removed CGO for compiling binary loaders.

Bug Fixes

  • Fixed bug with certain attributes not properly showing for binary loaders.
  • Fixed code bug with HTA files with WScript, Control, and MSIexec loaders.
  • Fixed Index error for WScript loaders.
  • Added error messaging for when -O is not defined with WScript and Excel loaders.
  • Fixed issue with the -unmodified command line breaking.
  • Updated help menu & README.

Update 03/23/2022 13:22 EST

  • Fixed issue with Base64 and -noetw and -noamsi
  • Fixed Kernelbase typo.
Assets 6
Loading

v3.01

15 Oct 00:01
@Tylous Tylous
v3.01
2b96e3e
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
v3.01

Bug Fixes

  • Fixed os import error on binary mode loaders and -sandbox (shoutout to rvrsh3ll for reporting it)
Assets 6
Loading

v3.0

13 Oct 14:29
@Tylous Tylous
v3.0
8bb43e9
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
v3.0

New Features

  • ETW is now enabled by default as some EDR's now rely on ETW to help augment detection.
  • Added a -noetw to not patch ETW. This replaces the -etw function.
  • Added additional ETW calls to thoroughly patch all calls to ETW.
  • Added Sleep time prior to hiding binary loaders in the background. (To avoid detection)
  • Added an option -nosleep to remove the sleep timer if needed.
  • Updated the attribute's values for spoofing.
  • Added a new Binary to spoof.
  • Added obfuscation to the DLLs and API being reloaded. (Shout out to Ryan Dorey for the idea)
  • Removed all IoC's related to the Yara rule
  • Added a version check control to ensure ScareCrow is using go version 1.16.1 or later.

Bug Fixes

  • Fixed bug with donut raw shellcode and binary mode
  • Added a double call to patch for ETW, one before the unhooking and one after the unhooking is done.
  • Fixed issue with using valid code-signing.
  • Added an OPsec consideration when using www.microsoft.com as the -domain option against any Defender-based product.
  • Updated help menu & README.
Assets 6
Loading

Patch 2.3

27 Jul 15:35
@Tylous Tylous
v2.3
8809d45
Compare
Choose a tag to compare
Patch 2.3

Feature

Implemented a B64 string function for all Loaders and Jscript files that randomizes the maximum number of characters a variable can hold of Base64 encoded shellcode. This function breaks the string up into multiple strings that are then recompiled together. This should help any signatures for suspicious base64 strings.

Assets 2
Loading

Patch 2.2

16 Jul 14:43
@Tylous Tylous
v2.2
2be2a03
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
Patch 2.2

Bug Fixes

  • Fixed issue with DLL and CPL loaders not properly breaking up the base64 string. Shoutout to @ralphte1 for reporting this to me.
Assets 2
Loading