ScareCrow Payload Creation Framework


ScareCrow is a payload creation framework for generating loaders that side-load (not inject) into a legitimate Windows process (bypassing Application Whitelisting controls) as well as binary-based payload loaders.


ScareCrow generates a loader that, when executed, uses a technique to flush an EDR’s hooks out of the system DLLs loaded in the process's memory. This works because we know where the EDR’s hooks are placed when a process is spawned. The loader can target these DLLs and manipulate them in memory, changing the memory permissions of sections of the process so that it can reload an unmodified version of these system DLLs. Once completed, the loader then loads and decrypts shellcode into memory, utilizing custom system calls and API functions, without being detected by EDRs.


To add an additional layer of obfuscation, ScareCrow can also sign these loaders with either a fake or legitimate code signing certificate and spoof the attribute values of legitimate Windows DLL and binary files found native on endpoints to help blend in.



Source code:



In conjunction with this release, Optiv's Enterprise Incident Management (EIM) team has released a set of YARA rules to help detect ScareCrow. This is meant to be a starting point in developing detection rules for this framework. Due to the malleability of this framework, consistent detections may be difficult; as a result, this shouldn't be taken as the only way of detecting this framework. This is intended as a starting point for detection on disk.
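One defender-side way to triage the code signing and attribute spoofing described above, as an added example that is not Optiv's code and not part of the released YARA rules: it flags files whose version information claims Microsoft while the signer, location or file name disagrees. The record fields, the directory list and the sample records are assumptions constructed for illustration; the status values follow those reported by PowerShell's Get-AuthenticodeSignature.

```python
from pathlib import PureWindowsPath

# Assumed locations of genuine Windows system binaries (adjust per environment).
SYSTEM_DIRS = ("c:/windows/system32", "c:/windows/syswow64", "c:/windows/winsxs")

def triage(rec):
    """Return the reasons a Microsoft-branded file looks inconsistent ([] if none)."""
    if "microsoft" not in rec.get("company_name", "").lower():
        return []  # makes no Microsoft claim, so out of scope for this check
    reasons = []
    status = rec.get("signature_status", "NotSigned")
    signer = rec.get("signer_subject", "")
    if status != "Valid":
        reasons.append(f"claims Microsoft but signature status is {status}")
    elif "o=microsoft corporation" not in signer.lower():
        # A genuine certificate from another publisher validates yet still mismatches.
        reasons.append(f"claims Microsoft but is validly signed by {signer!r}")
    path = PureWindowsPath(rec["path"])
    parent = path.parent.as_posix().lower()
    if not any(parent == d or parent.startswith(d + "/") for d in SYSTEM_DIRS):
        reasons.append(f"Microsoft-branded file outside system directories: {parent}")
    original = rec.get("original_filename", "")
    if original and original.lower() != path.name.lower():
        reasons.append(f"OriginalFilename {original!r} differs from {path.name!r}")
    return reasons

MS = "CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
# Constructed inventory records (not taken from real hosts or from ScareCrow output).
SAMPLE = [
    {"path": r"C:\Windows\System32\cmd.exe", "company_name": "Microsoft Corporation",
     "original_filename": "Cmd.Exe", "signer_subject": MS, "signature_status": "Valid"},
    {"path": r"C:\Users\Public\update.dll", "company_name": "Microsoft Corporation",
     "original_filename": "sample.dll", "signer_subject": "CN=microsoft.example",
     "signature_status": "UnknownError"},
    {"path": r"C:\ProgramData\helper.exe", "company_name": "Microsoft Corporation",
     "original_filename": "helper.exe", "signature_status": "Valid",
     "signer_subject": "CN=Example Software Ltd, O=Example Software Ltd, C=US"},
    {"path": r"C:\Tools\viewer.exe", "company_name": "Example Software Ltd",
     "original_filename": "viewer.exe", "signature_status": "NotSigned"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        for reason in triage(rec):
            print(f"{rec['path']}: {reason}")
```

The location check is the noisiest of the three signals, since genuine Microsoft software also installs outside the system directories, so treat it as a ranking hint rather than a verdict.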



Source Code:

Matthew Eidelberg
Engineering Fellow | Optiv
Matthew Eidelberg is an Engineering Fellow in Optiv’s Threat Management Team (Attack and Penetration specialization). His primary role focuses on leading Threat Management’s Adversary Simulation Services, which address physical, red/purple team, and other advanced assessments. Matthew’s expertise also involves research development, focusing on developing new techniques and tooling for endpoint security bypass and evasion.