0007432: ScareCrow - Payload creation framework designed around EDR bypass.

ID	Project	Category	View Status	Date Submitted	Last Update

0007432	Kali Linux	Queued Tool Addition	public	2021-10-29 13:49	2022-05-04 12:54

Reporter	g0tmi1k	Assigned To
Priority	normal	Severity	minor	Reproducibility	have not tried
Status	acknowledged	Resolution	open

Summary	0007432: ScareCrow - Payload creation framework designed around EDR bypass.
Description	[Name] - ScareCrow [Version] - 3.01 [Homepage] - https://github.com/optiv/ScareCrow [Download] - https://github.com/optiv/ScareCrow/tags [Author] - Optiv Security [License] - MIT [Description] - Payload creation framework designed around EDR bypass. ScareCrow is a payload creation framework for side loading (not injecting) into a legitimate Windows process (bypassing Application Whitelisting controls). Once the DLL loader is loaded into memory, it utilizes a technique to flush an EDR’s hook out of the system DLLs running in the process's memory. This works because we know the EDR’s hooks are placed when a process is spawned. ScareCrow can target these DLLs and manipulate them in memory by using the API function VirtualProtect, which changes a section of a process’ memory permissions to a different value, specifically from Execute–Read to Read-Write-Execute. [Dependencies] - GoLang

Date Modified	Username	Field	Change
2021-10-29 13:49	g0tmi1k	New Issue
2021-11-19 17:36	g0tmi1k	Category	New Tool Requests => Queued Tool Addition
2021-11-19 17:36	g0tmi1k	Note Added: 0015436
2022-05-04 12:54	g0tmi1k	Status	new => acknowledged

g0tmi1k 2021-11-19 17:36 administrator ~0015436	@kali-team, please could this be packaged up.