View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|----|---------|----------|-------------|----------------|-------------|
| 0007432 | Kali Linux | [All Projects] Queued Tool Addition | public | 2021-10-29 13:49 | 2022-05-04 12:54 |

| Field | Value |
|-------|-------|
| Priority | normal |
| Severity | minor |
| Reproducibility | have not tried |
| Target Version | |
| Fixed in Version | |
| Summary | 0007432: ScareCrow - Payload creation framework designed around EDR bypass. |

Description:

[Name] - ScareCrow
[Version] - 3.01
[Homepage] - https://github.com/optiv/ScareCrow
[Download] - https://github.com/optiv/ScareCrow/tags
[Author] - Optiv Security
[License] - MIT
[Description] - Payload creation framework designed around EDR bypass.
ScareCrow is a payload creation framework for side loading (not injecting) into a legitimate Windows process (bypassing Application Whitelisting controls). Once the DLL loader is loaded into memory, it utilizes a technique to flush an EDR's hook out of the system DLLs running in the process's memory. This works because we know the EDR's hooks are placed when a process is spawned. ScareCrow can target these DLLs and manipulate them in memory by using the API function VirtualProtect, which changes a section of a process's memory permissions to a different value, specifically from Execute-Read to Read-Write-Execute.
[Dependencies] - GoLang