optiv / ScareCrow

ScareCrow - Payload creation framework designed around EDR bypass.

Windows defender catches ScareCrow generated payload #30

Closed Morronel closed 2 years ago

Morronel commented 2 years ago

I created a stageless meterpreter with msfvenom, then packed it as an exe file with ScareCrow, and Windows Defender is catching my exe file. Am I doing something wrong, or is ScareCrow already out of date?

Kind regards, Zahar

Tylous commented 2 years ago

Hello,

So first of all, ScareCrow is very much still current and works against pretty much all userland-based EDRs (and many kernel-based). Windows Defender doesn't rely on userland hooks (it uses stuff in the kernel, AMSI, and other stuff); as a result, once it decrypts the shellcode in memory it's in a raw state. Msfvenom's shellcode is highly IoC'ed and therefore is easy to detect. (I discuss a lot of this in my Defcon talk.) One of the big points I discuss in this talk is that binaries by default are very dirty and alternative loaders are better. I also talk about how it's important to look at how your shellcode and traffic look to ensure it's unique, making it harder to make a signature for it. I am currently working on an update with some new features that will make binaries easy to use again against Defender and other EDR products that don't use userland hooks.

Morronel commented 2 years ago

Thank you very much for such a quick answer! I'll be glad to test it when the update is ready.