This repository has been archived by the owner on Aug 18, 2023. It is now read-only.

v3.0

@Tylous Tylous released this 13 Oct 14:29
· 26 commits to main since this release
8bb43e9

New Features

  • ETW patching is now enabled by default, because some EDRs now rely on ETW to augment their detection.
  • Added a -noetw option to skip patching ETW. This replaces the previous -etw flag.
  • Added patches for additional ETW functions so that all ETW calls are covered.
  • Added a sleep before the binary loaders are hidden in the background, to avoid detection.
  • Added a -nosleep option to remove the sleep timer if needed.
  • Updated the attribute values used for spoofing.
  • Added a new binary to spoof.
  • Added obfuscation to the names of the DLLs and APIs being reloaded. (Shout out to Ryan Dorey for the idea.)
  • Removed all IoCs matched by the YARA rule.
  • Added a version check to ensure ScareCrow is using Go version 1.16.1 or later.
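
The last bullet describes a minimum Go version gate. The following is an added example of how such a check can be written in Go, parsing the string returned by runtime.Version(); it is not ScareCrow's own code. The function names (ParseGoVersion, VersionAtLeast, CheckRuntime) and the minimum-version constants are assumptions chosen for this illustration. It handles the strings a practitioner actually meets: a release with a patch number ("go1.16.1"), a release without one ("go1.16"), a release candidate ("go1.21rc2") and a development build ("devel go1.23-..."), and fails closed when nothing parseable is found.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"runtime"
	"strconv"
)

// Assumed minimum, matching the requirement stated in the release notes.
const (
	minMajor = 1
	minMinor = 16
	minPatch = 1
)

// goVersionRe matches the numeric part of runtime.Version() output such as
// "go1.16.1", "go1.21rc2", "go1.22" and "devel go1.23-4d9a3c1 ...".
// The patch component is optional.
var goVersionRe = regexp.MustCompile(`go(\d+)\.(\d+)(?:\.(\d+))?`)

// ParseGoVersion extracts major, minor and patch from a Go version string.
// A missing patch component (e.g. "go1.16" or "go1.21rc2") is treated as 0,
// so a release candidate never satisfies a requirement on a patch release.
// ok is false if no version can be found at all.
func ParseGoVersion(s string) (major, minor, patch int, ok bool) {
	m := goVersionRe.FindStringSubmatch(s)
	if m == nil {
		return 0, 0, 0, false
	}
	major, _ = strconv.Atoi(m[1]) // groups are \d+ so Atoi cannot fail
	minor, _ = strconv.Atoi(m[2])
	if m[3] != "" {
		patch, _ = strconv.Atoi(m[3])
	}
	return major, minor, patch, true
}

// VersionAtLeast reports whether version string s is >= reqMajor.reqMinor.reqPatch.
// Unparseable strings are rejected (fail closed) rather than assumed new enough.
func VersionAtLeast(s string, reqMajor, reqMinor, reqPatch int) bool {
	major, minor, patch, ok := ParseGoVersion(s)
	if !ok {
		return false
	}
	if major != reqMajor {
		return major > reqMajor
	}
	if minor != reqMinor {
		return minor > reqMinor
	}
	return patch >= reqPatch
}

// CheckRuntime compares the toolchain that built this binary against the
// assumed minimum and returns a descriptive error when it is too old.
func CheckRuntime() error {
	v := runtime.Version()
	if !VersionAtLeast(v, minMajor, minMinor, minPatch) {
		return fmt.Errorf("go %d.%d.%d or later is required, but this build reports %q",
			minMajor, minMinor, minPatch, v)
	}
	return nil
}

func main() {
	if err := CheckRuntime(); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("go version ok:", runtime.Version())
}
```

runtime.Version() reports the toolchain that compiled the running binary. A tool that shells out to a separately installed go command at run time would instead need to run `go version` and feed its output through the same parser, which is why the parsing is kept separate from the runtime check.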

Bug Fixes

  • Fixed a bug with Donut raw shellcode and binary mode.
  • ETW is now patched twice: once before unhooking and once after unhooking completes.
  • Fixed an issue when using valid code-signing.
  • Added an OPSEC consideration about using www.microsoft.com as the -domain value against any Defender-based product.
  • Updated the help menu and README.