https://adamsvoboda.net/evading-edr-with-scarecrow/
-I string
Path to the raw 64-bit shellcode.
-Loader string
Sets the type of process that will sideload the malicious payload:
[*] binary - Generates a binary based payload. (This type does not benefit from any sideloading)
[*] control - Loads a hidden control applet - the process name would be rundll32 if -O is specified. A JScript loader will be generated.
[*] dll - Generates just a DLL file. Can be executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions.
[*] excel - Loads into a hidden Excel process using a JScript loader.
[*] msiexec - Loads into MSIexec process using a JScript loader.
[*] wscript - Loads into WScript process using a JScript loader.
-noetw
Enables ETW patching to prevent ETW events from being generated by the process. ETW utilizes built-in Syscalls to generate this telemetry. Since ETW is a native feature built into Windows, security products do not need to "hook" the ETW syscalls to gain the information. As a result, to prevent ETW, ScareCrow patches numerous ETW syscalls, flushing out the registers and returning the execution flow to the next instruction.
-sandbox
Enables sandbox evasion using IsDomainedJoined calls.
-injection string
Enables Process Injection Mode and specifies the path to the process to create/inject into (use \ for the path).git clone https://github.com/GeorgePatsias/ScareCrow-CobaltStrike.gitSetup ScareCrow https://github.com/optiv/ScareCrow just by running the install.sh script.
chmod +x install.sh
./install.shEdit the ScareCrow.cna and replace the variables below accordingly. NOTE! Do not add the final / at the end of the paths!
#Path to the ScareCrow-CobaltStrike repository you just cloned.
$script_path = "/home/user/ScareCrow-CobaltStrike";
#Path to the compiled ScareCrow Go executable of the installation.
$scarecrow_executable = "/home/user/ScareCrow-CobaltStrike/ScareCrow/ScareCrow";
#Path to the CobaltStrike directory.
$cs_directory = "/home/user/cobaltstrike";
#Path to the python3 binary.
$python3 = "/usr/bin/python3";
Cobalt Strike > Script Manager > Load > Select ScareCrow.cna
You will see the new menu item called ScareCrow on the top menu of Cobalt Strike.
https://github.com/optiv/ScareCrow
- Run DLLs as following and slightly change the name of the exported DLL
rundll32 example.dll,DllRegisterServer
rundll32 example.dll,DllGetClassObject - Process Injection field must be defined with a single
\e.gC:\Windows\System32\notepad.exe
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent