Cobalt Strike ⇌ ScareCrow
(EDR/AV evasion)
EDR unhooking, Syscall loading, ETW/AMSI patch, Process Injection, Signed Loader, AES encrypt
💣 ScareCrow Options
-I string
Path to the raw 64-bit shellcode.
-Loader string
Sets the type of process that will sideload the malicious payload:
[*] binary - Generates a binary based payload. (This type does not benefit from any sideloading)
[*] control - Loads a hidden control applet - the process name would be rundll32 if -O is specified. A JScript loader will be generated.
[*] dll - Generates just a DLL file. Can be executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions.
[*] excel - Loads into a hidden Excel process using a JScript loader.
[*] msiexec - Loads into MSIexec process using a JScript loader.
[*] wscript - Loads into WScript process using a JScript loader.
-O string
Name of output file (e.g. loader.js or loader.hta). If Loader is set to dll or binary this option is not required.
-domain string
The domain name to use for creating a fake code signing cert. (e.g. www.acme.com)
-injection string
Enables Process Injection Mode and specify the path to the process to create/inject into (use \ for the path).
-noamsi
Disables the AMSI patching that prevents AMSI BuffferScanner.
-noetw
Disables the ETW patching that prevents ETW events from being generated.
-nosleep
Disables the sleep delay before the loader unhooks and executes the shellcode.
-sandbox
Enables sandbox evasion using IsDomainedJoined calls.📥 Clone the Project
git clone https://github.com/GeorgePatsias/ScareCrow-CobaltStrike.git🏭 Install ScareCrow
Setup ScareCrow https://github.com/optiv/ScareCrow just by running the install.sh script.
chmod +x install.sh
./install.sh🔧 Setup CNA Script Configurations
Edit the ScareCrow.cna and replace the variables below accordingly. NOTE! Do not add the final / at the end of the paths!
#Path to the ScareCrow-CobaltStrike repository you just cloned.
$script_path = "/home/user/ScareCrow-CobaltStrike";
#Path to the compiled ScareCrow Go executable of the installation.
$scarecrow_executable = "/home/user/ScareCrow-CobaltStrike/ScareCrow/ScareCrow";
💀 Add the CNA script to Cobalt Strike
Cobalt Strike > Script Manager > Load > Select ScareCrow.cna
You will see the new menu item called ScareCrow on the top menu of Cobalt Strike.
Side notes
- Run DLLs as following and slightly change the name of the exported DLL
rundll32 example.dll,DllRegisterServer
rundll32 example.dll,DllGetClassObject - Process Injection field must be defined with a single
\e.gC:\Windows\System32\notepad.exe - When signing the loader with microsoft.com, using them against WINDOWS DEFENDER ATP products may not be as effective as they can validate the cert as it belongs to them. If you are using a loader against a windows product possibly use a different domain.
📖 Screenshot
📖 References
- https://github.com/optiv/ScareCrow
- https://adamsvoboda.net/evading-edr-with-scarecrow/
- https://www.optiv.com/insights/source-zero/blog/endpoint-detection-and-response-how-hackers-have-evolved (Part 1)
- https://www.optiv.com/insights/source-zero/blog/edr-and-blending-how-attackers-avoid-getting-caught (Part 2)
