ScareCrow Payload Creation Framework
ScareCrow is a payload creation framework for generating loaders that side-load (not inject) into a legitimate Windows process (bypassing Application Whitelisting controls) as well as binary-based payload loaders.
ScareCrow generates a loader that when executed, utilizes a technique to flush an EDR’s hooks out of the system DLLs running in the process's memory. This works because we know where the EDR’s hooks are placed when a process is spawned. The loader can target these DLLs and manipulate them in memory to change sections of a process’ memory permissions to reload an unmodified version of these system DLLS. Once completed, the loader then loads and decrypts shellcode into memory, utilizing custom System Calls and API functions, without being detected by EDRs.
To add an additional layer of obfuscation, ScareCrow can also sign these loaders with either a fake or legitimate code signing certificate and spoof the attribute values of legitimate Windows DLL and binary files found native on endpoints to help blend in.
In conjunction with this release Optiv's Enterprise Incident Management team (EIM) has released a set of Yara Rules to help detect ScareCrow. This is meant to be a starting point in developing detection rules for this framework. Due to the malleability of this framework, consistent detections may be difficult, as a result this shouldn't be taken as the only way of detecting this framework. This intended as a starting point for detection on disk.
Copyright © 2021 Optiv Security Inc. All rights reserved.
No license, express or implied, to any intellectual property or other content is granted or intended hereby.
This blog is provided to you for information purposes only. While the information contained in this site has been obtained from sources believed to be reliable, Optiv disclaims all warranties as to the accuracy, completeness or adequacy of such information.
Links to third party sites are provided for your convenience and do not constitute an endorsement by Optiv. These sites may not have the same privacy, security or accessibility standards.
Complaints / questions should be directed to Legal@optiv.com