GitHub – optiv/ScareCrow: ScareCrow – Payload creation framework designed around EDR bypass.


ScareCrow

ScareCrow

More Information

If you want to learn more about the techniques utilized in this framework please take a expression at Part 1 and Part 2

Description

ScareCrow is a cargo creation model for side load ( not injecting ) into a lawful Windows procedure ( bypassing Application Whitelisting controls ). Once the DLL loader is loaded into memory, it utilizes a technique to flush an EDR ’ s hook out of the system DLLs hunt in the march ‘s memory. This works because we know the EDR ’ south hooks are placed when a procedure is spawned. ScareCrow can target these DLLs and manipulate them in memory by using the API routine VirtualProtect, which changes a section of a process ’ memory permissions to a different prize, specifically from Execute–Read to Read-Write-Execute .
When executed, ScareCrow will copy the bytes of the organization DLLs stored on phonograph record in C:\Windows\System32\. These DLLs are stored on magnetic disk “ clean ” of EDR hooks because they are used by the system to load an unaltered copy into a newly process when it ’ second spawned. Since EDR ’ s lone hook these processes in memory, they remain unaltered. scarecrow does not copy the entire DLL file, alternatively only focuses on the .text section of the DLLs. This department of a DLL contains the feasible assembly, and by doing this ScareCrow helps reduce the likelihood of detection as re-reading entire files can cause an EDR to detect that there is a change to a system resource. The datum is then copied into the right region of memory by using each function ’ mho offset. Each function has an offset which denotes the demand phone number of bytes from the free-base address where they reside, providing the affair ’ south location on the stack .
To do this, ScareCrow changes the permissions of the .text region of memory using VirtualProtect. even though this is a system DLL, since it has been loaded into our process ( that we control ), we can change the memory permissions without requiring elevated privileges.

once these the hooks are removed, ScareCrow then utilizes custom System Calls to load and run shellcode in memory. scarecrow does this flush after the EDR hooks are removed to help avoid detection by non-userland, hook-based telemetry gather tools such as Event Tracing for Windows ( ETW ) or early event logging mechanisms. These custom system calls are besides used to perform the VirtualProtect call to remove the hooks placed by EDRs, described above, to avoid signal detection by any EDR ’ s anti-tamper controls. This is done by calling a custom version of the VirtualProtect syscall, NtProtectVirtualMemory. ScareCrow utilizes Golang to generate these loaders and then assembly for these custom-made syscall functions .
ScareCrow loads the shellcode into memory by first decrypting the shellcode, which is encrypted by default using AES encoding with a decoding and low-level formatting vector key. once decode and loaded, the shellcode is then executed. Depending on the loader options specified ScareCrow will set up different export functions for the DLL. The load DLL besides does not contain the standard DLLmain function which all DLLs typically need to operate. The DLL will still execute without any offspring because the summons we load into will look for those export functions and not worry about DLLMain being there .

Binary Sample

PreRefreshed Dlls After Refreshed Dlls During the creation action of the loader, ScareCrow utilizes a library for blending into the setting after a radio beacon calls home. This library does two things :

  • Code signs the Loader:
    Files that are signed with code signing certificates are often put under less scrutiny, making it easier to be executed without being challenged, as files signed by a trusted name are often less suspicious than others. Most antimalware products don’t have the time to validate and verify these certificates (now some do but typically the common vendor names are included in a whitelist). ScareCrow creates these certificates by using a go package version of the tool limelighter to create a pfx12 file. This package takes an inputted domain name, specified by the user, to create a code signing certificate for that domain. If needed, you can also use your own code signing certificate if you have one, using the valid command-line option.

OpSec Consideration:

  When signing the loader with microsoft.com, using them against WINDOWS DEFENDER ATP products may not be as effective as they can validate the cert as it belongs to them. If you are using a loader against a windows product possibly use a different domain.
  • Spoof the attributes of the loader:
    This is done by using syso files which are a form of embedded resource files that when compiled along with our loader, will modify the attribute portions of our compiled code. Prior to generating a syso file, ScareCrow will generate a random file name (based on the loader type) to use. Once chosen, this file name will map to the associated attributes for that file name, ensuring that the right values are assigned.

File Attribute Sample

File Attributes With these files and the go code, ScareCrow will cross compile them into DLLs using the c-shared library option. Once the DLL is compiled, it is obfuscated into a break base64 bowed stringed instrument that will be embedded into a file. This allows for the file to be remotely pulled, accessed, and programmatically executed .

Requirements

scarecrow now requires golang 1.16.1 or subsequently to compile loaders. If you are running an older adaptation please to adaptation 1.16.1 or late .
See for fresh versions : hypertext transfer protocol : //golang.org/dl/ .

Install

The first footfall as always is to clone the repo. Before you compile ScareCrow, you ‘ll need to install the dependencies .
To install them, run following commands :

go get github.com/fatih/color
go get github.com/yeka/zip
go get github.com/josephspurrier/goversioninfo

Make certain that the following are installed on your o :

openssl
osslsigncode
mingw-w64

then build it

go build ScareCrow.go

In addition ScareCrow utilizes Garble for obfuscating all loaders .
note : several of the dependencies do not play well on Windows when roll up, because of this it is recommended to compile your loaders on OSX or Linux .

Help


./ScareCrow -h

  _________                           _________                       
 /   _____/ ____ _____ _______   ____ \_   ___ \_______  ______  _  __
 \_____  \_/ ___\\__  \\_  __ \_/ __ \/    \  \/\_  __ \/  _ \ \/ \/ /
 /        \  \___ / __ \|  | \/\  ___/\     \____|  | \(  <_> )     / 
/_______  /\___  >____  /__|    \___  >\______  /|__|   \____/ \/\_/  
        \/     \/     \/            \/        \/                      
                                                        (@Tyl0us)
        “Fear, you must understand is more than a mere obstacle. 
        Fear is a TEACHER. the first one you ever had.”

Usage of ./ScareCrow:
  -I string
        Path to the raw 64-bit shellcode.
  -Loader string
        Sets the type of process that will sideload the malicious payload:
        [*] binary - Generates a binary based payload. (This type does not benefit from any sideloading)
        [*] control - Loads a hidden control applet - the process name would be rundll32 if -O is specified a JScript loader will be generated.
        [*] dll - Generates just a DLL file. Can be executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions.
        [*] excel - Loads into a hidden Excel process using a JScript loader.
        [*] msiexec - Loads into MSIexec process using a JScript loader.
        [*] wscript - Loads into WScript process using a JScript loader. (default "binary")
  -O string
        Name of output file (e.g. loader.js or loader.hta). If Loader is set to dll or binary this option is not required.
  -configfile string
        The path to a json based configuration file to generate custom file attributes. This will not use the default ones.
  -console
        Only for Binary Payloads - Generates verbose console information when the payload is executed. This will disable the hidden window feature.
  -delivery string
        Generates a one-liner command to download and execute the payload remotely:
        [*] bits - Generates a Bitsadmin one liner command to download, execute and remove the loader (Compatible with Binary, Control, Excel, and Wscript Loaders).
        [*] hta - Generates a blank hta file containing the loader along with an MSHTA command to execute the loader remotely in the background (Compatible with Control and Excel Loaders). 
        [*] macro - Generates an office macro that will download and execute the loader remotely (Compatible with Control, Excel, and Wscript Loaders).
  -domain string
        The domain name to use for creating a fake code signing cert. (e.g. www.acme.com) 
  -injection string
        Enables Process Injection Mode and specify the path to the process to create/inject into (use \ for the path).
  -noamsi
        Disables the AMSI patching that prevents AMSI BuffferScanner.
  -noetw
        Disables the ETW patching that prevents ETW events from being generated.
  -nosign
        Disables file signing, making -domain/-valid/-password parameters not required.
  -nosleep
        Disables the sleep delay before the loader unhooks and executes the shellcode.
  -outpath string
        The path to put the final Payload/Loader once it's compiled.
  -password string
        The password for code signing cert. Required when -valid is used.
  -sandbox
        Enables sandbox evasion using IsDomainJoined calls.
  -sha256
        Provides the SHA256 value of the loaders (This is useful for tracking)
  -unmodified
        When enabled will generate a DLL loader that WILL NOT removing the EDR hooks in system DLLs and only use custom syscalls (set to false by default)
  -url string
        URL associated with the Delivery option to retrieve the payload. (e.g. https://acme.com/)
  -valid string
        The path to a valid code signing cert. Used instead -domain if a valid code signing cert is desired.

Loader

The Loader determines the type of technique to load the shellcode into the target system. If no Loader option is chosen, ScareCrow will merely compile a standard DLL file, that can be used by rundll32, regsvr32, or other techniques that utilize a DLL. ScareCrow utilize three different types of loaders to load shellcode into memory :

  • Control Panel – This generates a control panel applet (i.e. Program and Features, or AutoPlay). By compiling the loader to have specific DLL export functions in combination with a file extension .cpl, it will spawn a control panel process (rundll32.exe) and the loader will be loaded into memory.
  • WScript – Spawns a WScript process that utilizes a manifest file and registration-free Com techniques to load (not injected) DLL loader into its own process, side-by-side. This avoids registering the DLL in memory as the manifest file tells the process which, where, and what version of a DLL to load.
  • Excel – Generates an XLL file which are Excel-based DLL files that when loaded into Excel will execute the loader. A hidden Excel process will be spawned, forcing the XLL file to be loaded.
  • Msiexec – Spawns a hidden MSIExec process that will load the DLL into memory and execute the shellcode.

scarecrow can besides generate binary star based payloads if needed by using the -Loader command line option. These binaries do not benefit from any side-by-side load techniques but serve as an extra technique to execute shellcode depending on the position .

Console

ScareCrow utilizes a technique to first create the process and then move it into the background. This does two things, first base it helps keep the process obscure and second, avoids being detected by any EDR product. Spawning a summons right away in the backdrop can be very suspicion and an index of malice. scarecrow does this by calling the ‘ GetConsoleWindow ’ and ‘ ShowWindow ’ Windows routine after the process is created and the EDR ’ randomness hooks are loaded, and then changes the windows attributes to hidden. ScareCrow use these APIs rather than using the traditional -ldflags -H=windowsgui as this is highly signatured and classified in most security products as an Indicator of Compromise .
If the -console command-line choice is selected, ScareCrow will not hide the process in the background. rather, ScareCrow will add several debug messages displaying what the stevedore is doing .

Process Injection

scarecrow contains the ability to do march injection attacks. To avoid any crochet or signal detection in either the stevedore process or the inject action itself, ScareCrow beginning unhooks the loader march as it would normally, to ensure there are no hook in the serve. once completed, the stevedore will then spawn the summons specified in the creation command. once spawned, the loader will then create a wield to the process to retrieve a number of load DLLs. Once it finds DLLs, it will enumerate the establish address of each DLL in the distant process. Using the function WriteProcessMemory the stevedore will then write the bytes of the system DLLs stored on phonograph record ( since they are “ clean ” of EDR hooks ) without the need to change the memory permissions first. ScareCrow uses WriteProcessMemory because this function contains a feature primarily used in debugging where even if a section of memory is read-only, if everything is correct in the call to Write­Process­Memory, it will temporarily change the license to read-write, update the memory department and then restore the original permissions. once this is done, the stevedore can inject shellcode into the engender process with no issue, as there are no EDR hooks in either summons .
This choice can be used with any of the loader options. To enable process injection, use the -injection command-line choice along with the wide way to the process you want to use to inject into. When putting the path in as an controversy, it is important to either surround the wax path with "" or consumption double \ for each directory in the way .

AMSI & ETW Bypass

scarecrow contains the ability to patch AMSI ( Antimalware Scan Interface ) and ETW functions, preventing any event from being generated by the procedure .
AMSI is a Windows native API that allows Windows Defender ( or other antimalware products ) to interface deep in the Windows engage arrangement and provide enhanced auspices, specifically around in-memory-based attacks. AMSI allows security products to better detect malicious indicators and help stop threats. Since AMSI is native to Windows products do n’t need to “ hook ” AMSI quite they load the necessary DLL to in order to gain enhance penetration into the process. Because of this ScareCrow loads the AMSI.dll dll and then patches, to ensure that any results from the scanning interface come back clean and jerk. Patching AMSI is default in all loaders, if you wish to not patch AMSI use the -noamsi command-line choice to disable it in your loader .
ETW utilizes built-in Syscalls to generate this telemetry. Since ETW is besides a native sport built into Windows, security system products do not need to “ hook ” the ETW syscalls to gain the data. As a result, to prevent ETW, ScareCrow patches numerous ETW syscalls, flushing out the registers and returning the execution flow to the adjacent direction. Patching ETW is now default in all loaders, if you wish to not patch ETW use the -noetw command-line choice to disable it in your loader .
presently, these options only work for the parent process, if the -injection command-line option is used the primary process will patch AMSI and ETW but the inject action

Delivery

The rescue instruction cable argument allows you to generate a command or string of code ( in the macro lawsuit ) to remotely pull the file from a outside source to the victim ’ s host. These delivery methods include :

  • Bits – This will generate a bitsadmin command that while download the loader remotely, execute it and remove it. This delivery command is compatible with Binary, Control, Excel and Wscript loaders.
  • HTA – This will generate a blank HTA file containing the loader. This option will also provide a command line that will execute the HTA remotely. This delivery command is compatible with Control and Excel loaders.
  • Macro – This will generate an Office macro that can be put into an Excel or Word macro document. When this macro is executed, the loader will be downloaded from a remote source and executed, and then removed. This delivery command is compatible with Control, Excel and Wscript loaders.

Custom Attribute Files

While ScareCrow has an extensive number of charge attributes, there are some circumstances where a custom ( possibly environment-specific ) hardening of attributes is required. To accommodate this, ScareCrow allows for the inputting of a JSON file containing attributes. Using the -configfile command-line option, ScareCrow will use these attributes and filename alternatively of the preexistent ones in ScareCrow. The file main.json contains a sample template of what the JSON structure needs to be to properly work. Note whatever you use as the “ InternalName ” will be the file name .

Hash

Since ScareCrow creates unique loaders that can besides be embedded in scripts or other files for manner of speaking, ScareCrow has the ability to provide you the hashes of all artifacts, using the -sha256 .

To Do

  • Currently only supports x64 payloads
  • Some older versions of Window’s OSes (i.e. Windows 7 or Windows 8.1), have issues reloading the systems DLLs, as a result a version check is built in to ensure stability
  • Patch ETW and AMSI in Injected processes

Credit

  • Special thanks to josephspurrier for his repo
  • Special thanks to mvdan for developing Garble

About admin

I am the owner of the website thefartiste.com, my purpose is to bring all the most useful information to users.

Check Also

articlewriting1

Kanye West Posts Marvel’s Civil War Meme Targeting Pete Davidson

Kanye West is letting it be known that his beef with actor Pete Davidson has …

Leave a Reply

Your email address will not be published.