View Issue Details

IDProjectCategoryView StatusLast Update
0007432Kali Linux[All Projects] Queued Tool Additionpublic2022-05-04 12:54
Reporterg0tmi1k Assigned To 
PrioritynormalSeverityminorReproducibilityhave not tried
Status acknowledgedResolutionopen 
Product Version 
Target VersionFixed in Version 
Summary0007432: ScareCrow - Payload creation framework designed around EDR bypass.
Description[Name] - ScareCrow
[Version] - 3.01
[Homepage] -
[Download] -
[Author] - Optiv Security
[License] - MIT
[Description] - Payload creation framework designed around EDR bypass.

ScareCrow is a payload creation framework for side loading (not injecting) into a legitimate Windows process (bypassing Application Whitelisting controls). Once the DLL loader is loaded into memory, it utilizes a technique to flush an EDR’s hook out of the system DLLs running in the process's memory. This works because we know the EDR’s hooks are placed when a process is spawned. ScareCrow can target these DLLs and manipulate them in memory by using the API function VirtualProtect, which changes a section of a process’ memory permissions to a different value, specifically from Execute–Read to Read-Write-Execute.
[Dependencies] - GoLang



2021-11-19 17:36

administrator   ~0015436

@kali-team, please could this be packaged up.

Issue History

Date Modified Username Field Change
2021-10-29 13:49 g0tmi1k New Issue
2021-11-19 17:36 g0tmi1k Category New Tool Requests => Queued Tool Addition
2021-11-19 17:36 g0tmi1k Note Added: 0015436
2022-05-04 12:54 g0tmi1k Status new => acknowledged