Article Excerpt
ScareCrow is a payload creation framework for side loading (not injecting) into a legitimate Windows process (bypassing Application Whitelisting controls).
| property | value |
|---|---|
| tags | github-repo,offensive-tradecraft,technique-dll-sideload,tradecraft-tool |
| url | |
| original_word_count | 2717 |
Long Summary
ScareCrow is a payload creation framework designed to bypass Application Whitelisting controls by side loading a DLL into a legitimate Windows process. Once the loader is in that process, it removes the EDR's hooks from the system DLLs already mapped there, using one of two methods for obtaining clean code: Disk and KnownDLLs. The Disk method reads the copy of the DLL stored on disk in C:\Windows\System32 and copies only its .text section, the part that holds the executable code and therefore the hooks; reading just that section instead of the whole file reduces the likelihood of a detection on system-file reads. The KnownDLLs method instead maps a copy of the DLL from the \KnownDlls\<dllname> section object, the cache of DLLs Windows loads during system startup. In either case ScareCrow calls NtProtectVirtualMemory to make the loaded DLL's .text region writable, overwrites the EDR's hooks with the clean bytes, and then restores the original permissions.
ScareCrow also runs every loader through Garble to obfuscate the Go binary, and uses a separate library to give the loader a code-signing certificate so that it blends into the background once the beacon calls home; the certificate's attributes are read from a JSON file supplied at build time. Go must be installed on the system that builds the payloads.
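As an added illustration of the certificate step above (example code for this page, not ScareCrow's own library or JSON schema), the Go program below reads certificate attributes from a constructed JSON document, mints a self-signed code-signing certificate from them, and then runs the check a reviewer should apply to any "signed" loader: does the signer chain to a root in the trust store? The JSON field names, the sample values, and the assumption that the generated certificate is self-signed rather than issued by a trusted CA are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// CertAttrs is an assumed attribute schema for this example; ScareCrow's own
// JSON layout is not reproduced here.
type CertAttrs struct {
	CommonName   string `json:"common_name"`
	Organization string `json:"organization"`
	Country      string `json:"country"`
	ValidDays    int    `json:"valid_days"`
}

// sampleAttrs is a constructed attribute file with made-up values.
const sampleAttrs = `{"common_name":"Contoso Software","organization":"Contoso Ltd","country":"US","valid_days":365}`

// selfSignedCodeSigningCert turns the JSON attributes into a self-signed
// certificate carrying the code-signing extended key usage. Nothing vouches
// for it except itself.
func selfSignedCodeSigningCert(attrsJSON []byte) (*x509.Certificate, error) {
	var a CertAttrs
	if err := json.Unmarshal(attrsJSON, &a); err != nil {
		return nil, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject: pkix.Name{
			CommonName:   a.CommonName,
			Organization: []string{a.Organization},
			Country:      []string{a.Country},
		},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(time.Duration(a.ValidDays) * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		BasicConstraintsValid: true,
	}
	// Template doubles as parent, so the certificate signs itself.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// chainsToTrustedRoot is the check to run on a "signed" loader: a Subject that
// reads like a vendor means nothing unless the signer chains to a root in the
// pool. A self-signed certificate only passes if it is itself in the pool.
func chainsToTrustedRoot(cert *x509.Certificate, roots *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err == nil
}

func main() {
	cert, err := selfSignedCodeSigningCert([]byte(sampleAttrs))
	if err != nil {
		panic(err)
	}
	fmt.Printf("subject: %s\n", cert.Subject)
	fmt.Println("trusted with an empty root pool:", chainsToTrustedRoot(cert, x509.NewCertPool()))
	own := x509.NewCertPool()
	own.AddCert(cert) // only a pool that already contains the cert trusts it
	fmt.Println("trusted when the cert is its own root:", chainsToTrustedRoot(cert, own))
}
```

The point for detection engineering is that the presence of a signature, a plausible Subject, and the code-signing EKU are all attacker-controlled; only chain validation against the actual trust store separates this certificate from a vendor's.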
ScareCrow gives the operator several ways to execute shellcode on a target. It generates loaders of different types, such as Control Panel, WScript, Excel, and Msiexec, that load the shellcode into memory. The loader first creates its process and then moves it into the background, which keeps the process out of sight and lowers the chance that an EDR flags it; it is not a guarantee against detection. ScareCrow can patch the AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows) functions, both in the loader and in any process it injects into, so that those user-mode providers emit no events; kernel-side telemetry such as process and thread creation callbacks is not affected by these patches. The shellcode can be encrypted with AES, ELZMA, or RC4. Beyond side loading, ScareCrow can perform process injection, and it offers Bits, HTA, and Macro delivery methods. A version check keeps the loaders stable on older versions of Windows. With these options an operator can generate payloads and loaders that execute shellcode on target systems with little manual work.
Short Summary
📓 optiv/ScareCrow
👉🏽 ScareCrow is a payload creation framework for side loading (not injecting) into a legitimate Windows process, bypassing Application Whitelisting controls.
👉🏽 Removes EDR hooks from the system DLLs mapped in that process using one of two methods: Disk or KnownDLLs.
👉🏽 Disk: copies only the .text section of the clean DLLs stored on disk in C:\Windows\System32.
👉🏽 KnownDLLs: maps a copy of the DLL from \KnownDlls\<dllname>, the DLLs Windows caches during system startup.
👉🏽 Uses NtProtectVirtualMemory to make the loaded DLL's .text writable, overwrites the hooks, then restores the permissions.
👉🏽 Obfuscates all loaders with Garble and adds a code-signing certificate, built from attributes in a JSON file, so the loader blends in.
👉🏽 Provides several ways to execute shellcode on target systems.
👉🏽 Loader types include Control Panel, WScript, Excel, and Msiexec.
👉🏽 Patches AMSI and ETW functions so the process emits no user-mode events.
👉🏽 Encrypts shellcode with AES, ELZMA, or RC4; can also perform process injection; delivers via Bits, HTA, or Macro.
🔗 source link: https://github.com/optiv/ScareCrow
🔗 summarized content: https://hut.threathunterz.com/battlefield-intel/tradecraft-tools/optivscarecrow
#ScareCrow #PayloadCreation #ApplicationWhitelisting #EDRs #Obfuscation #Shellcode #ProcessInjection #Encryption #DeliveryMethods #VersionCheck