Shulou(Shulou.com)05/31 Report--

Today, I will talk to you about how to use the ScareCrow framework to achieve EDR bypass, many people may not know much about it. In order to make you understand better, the editor has summarized the following for you. I hope you can get something according to this article.

ScareCrow

ScareCrow is a powerful Payload creation framework that can help researchers generate loaders for injecting content into legitimate Windows Golden Book Cinderella to bypass application whitelist control. When the DLL loader is loaded into memory, a technique will be used to clean up the EDR hook from the system DLL that is running in the process memory, because we know that the EDR hook is set when these processes are generated. ScareCrow can manipulate these DLL in memory by using the API function VirtualProtect, which can change part of a process's memory permissions to different values, especially Execute-Read to Read-Write-Execute.

During execution, ScareCrow will copy the byte data of the system DLL stored on C:\ Windows\ System32\ disk. These DLL are stored on the "clean" disk of the EDR hook because they are used by the system to load the unchanged copy into the new process when the new process is generated. Because EDR only sets these process hooks in memory, this part of the data will remain the same. ScareCrow does not copy the entire DLL file, but only focuses on the .text portion of the DLL. This part of DLL contains executable assemblies, which helps reduce the likelihood of detection because rereading the entire file causes EDR to detect changes in system resources. Then use the offset of each function to copy the data to the correct area of memory. Each function has an offset that represents the exact number of bytes of the base address where they are located, providing the position of the function on the stack. To do this, ScareCrow chose to use VirtualProtect to change the permissions of the .text area in memory. Although this is a system DLL, because it has been loaded into our process (under our control), we can change the memory permissions without escalating them.

Once these hooks are removed, ScareCrow uses custom system calls to load and run shellcode in memory. ScareCrow does this even after removing the EDR hook to help avoid detection by telemetry collection tools based on non-user hooks (such as Event Tracing for Windows (ETW)) or other event logging mechanisms. These custom system calls are also used to perform VirtualProtect calls to remove hooks placed by EDR (as described above), thus avoiding detection by any anti-tampering control of EDR. This is done by calling the custom version of the VirtualProtect system call, NtProtectVirtualMemory. ScareCrow can use Golang to generate these loaders and then compile these custom system call functions.

ScareCrow first decrypts the shellcode and loads it into memory, and by default, shellcode encrypts it using the AES encryption and decryption initialization vector key. Once decrypted and loaded, the shellcode will be executed. Depending on the loader options specified, ScareCrow sets different export functions for DLL. The loaded DLL also doesn't contain all the standard DLLmain functions that DLL usually needs to operate, but we don't need to worry about problems with DLL execution.

Code sample

During the creation of the loader, ScareCrow uses a code base that does two things:

Code signs the loader: files signed with code signing certificates are usually subject to less scrutiny, making it easier to execute without questioning, because files signed with trusted names are usually less suspicious than other files. Most anti-malware products do not have time to verify these certificates. ScareCrow creates these certificates by creating a pfx12 file using the Go version of the tool limelighter. This package can use a user-specified input domain name to create a code signing certificate for the domain. If desired, you can also use your own code signing certificate through valid command line options.

Falsifying the properties of the loader: this is done by using the syso file, which is a form of embedded resource file that modifies the properties part of our compiled code when compiled with our loader. Before generating the syso file, ScareCrow generates a random file name (based on the loader type) for use. When this file name is selected, it is mapped to the associated attribute of the file name, ensuring that the correct value is assigned.

Sample file attributes

With these files and go code, ScareCrow will cross-compile them into DLL files using the c-shared library option. Once DLL is compiled, it will be confused as a broken Base64 string, which will be embedded in a file. This will allow us to get, access, or programmatically execute the object file remotely.

Tool installation

In the first step, we need to clone the project source code locally:

Git clone https://github.com/optiv/ScareCrow.git

Before compiling ScareCrow, we also need to install the dependent components of the response:

Go get github.com/fatih/colorgo get github.com/yeka/zipgo get github.com/josephspurrier/goversioninfo

Make sure the following components are installed on your operating system:

Opensslosslsigncodemingw-w64

Next, run the following command to complete the tool build:

Go build ScareCrow.go tool help. / ScareCrow-h _ _ / / _ _ / _ / /\ _ / _ | |\ / _ /\ _ | |\ / / _ _ /\ _ > _ / _ |\ _ >\ _ / | _ _ |\ _ /\ / / (@ Tyl0us) "Fear You must understand is more than a mere obstacle. Fear is a TEACHER. The first one you ever had. " Usage of. / ScareCrow:-I string Path to the raw 64-bit shellcode. Loader string Sets the type of process that will sideload the malicious payload: [*] binary-Generates a binary based payload. This type does not benfit from any sideloading) [*] control-Loads a hidden control applet-the process name would be rundll32. Dll-Generates just a DLL file. Can executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions. Excel-Loads into a hidden Excel process. Wscript-Loads into WScript process. (default "dll")-O string Name of output file (e.g. Loader.js or loader.hta). If Loader is set to dll or binary this option is not required. -console Only for Binary Payloads-Generates verbose console information when the payload is executed. This will disable the hidden window feature. -delivery string Generates an one-liner command to download and execute the payload remotely: [*] bits-Generates a Bitsadmin one liner command to download, execute and remove the loader. Hta-Generates a blank hta file containing the loader along with a MSHTA command to execute the loader remotely in the background. Macro-Generates an Office macro that will download and execute the loader remotely. -domain string The domain name to use for creating a fake code signing cert. (e.g. Acme.com)-password string The password for code signing cert. Required when-valid is used. -sandbox string Enables sandbox evasion using IsDomainedJoined calls. -url string URL associated with the Delivery option to retrieve the payload. (e.g. Https://acme.com/)-valid string The path to a valid code signing cert. Used instead of-domain if a valid code signing cert is desired. After reading the above, do you have any further understanding of how to use the ScareCrow framework to implement EDR bypass? If you want to know more knowledge or related content, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.