ScareCrow is a payload creation framework for generating loaders that side-load (rather than inject) into a legitimate Windows process, bypassing Application Whitelisting controls, as well as standalone binary-based payload loaders.
ScareCrow generates a loader that, when executed, uses a technique to flush an EDR's hooks out of the system DLLs loaded in the process's memory. This works because the location of the EDR's hooks is known at the time a process is spawned. The loader targets these DLLs and manipulates them in memory, changing the permissions on sections of the process's memory so that an unmodified copy of each system DLL can be reloaded in place of the hooked one. Once that is done, the loader loads and decrypts shellcode into memory using custom system calls and API functions, without being detected by the EDR.
To add a further layer of obfuscation, ScareCrow can also sign these loaders with either a fake or a legitimate code-signing certificate, and can spoof the attribute values of legitimate Windows DLL and binary files found natively on endpoints so that the loader blends in.
In conjunction with this release, Optiv's Enterprise Incident Management (EIM) team has released a set of YARA rules to help detect ScareCrow. These rules are intended as a starting point for on-disk detection of loaders produced by this framework. Because the framework is highly malleable, consistent detections may be difficult to achieve, so the rules should not be treated as the only way of detecting it.
Copyright © 2022 Optiv Security Inc. All rights reserved.