In reading FireEye's recent blog on "Smoking out a DARKSIDE affiliate's supply chain software compromise" I followed the thread to one of the noted frameworks, ScareCrow. See github - optiv/ScareCrow.
In reviewing process hollowing and herpaderping, it appears that this attack vector (according to their claims) would go undetected. I haven't tested this in the lab, but am curious as to how SYSMON can be used to detect the actions.
Looking forward to the insights the community can bring to the forefront on this.
CuriousHunter
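As an added example (not part of the post above, and not code from the ScareCrow project or FireEye): Sysmon 13 and later logs Event ID 25 (ProcessTampering) when a process image is replaced after creation or its backing file is locked for access, which is the telemetry most directly relevant to hollowing and herpaderping. The rule group has to be enabled in the Sysmon configuration (for example `<ProcessTampering onmatch="exclude" />` inside a `RuleGroup`). The script below correlates those events with Event ID 1 (ProcessCreate) so the analyst sees which process spawned the tampered one. The JSON-lines records, GUIDs and paths are constructed for the example, and the severity heuristic is an assumption of the example rather than a Sysmon feature.

```python
"""Triage Sysmon events for process tampering (hollowing / herpaderping).

Sysmon 13 and later emits Event ID 25 (ProcessTampering) when a process image is
replaced after creation or its backing file is locked for access. This script
correlates those events with Event ID 1 (ProcessCreate) to show who spawned the
tampered process. All records below are constructed for this example.
"""
import json

# Constructed JSON-lines export of Sysmon events (not real telemetry). The field
# names follow Sysmon's Event ID 1 and Event ID 25 schemas; GUIDs are placeholders.
SAMPLE_EVENTS = r"""
{"EventID": 1, "UtcTime": "2021-06-01 10:00:01.000", "ProcessGuid": "{guid-loader}", "ProcessId": 4120, "Image": "C:\\Users\\alice\\Downloads\\loader.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "UtcTime": "2021-06-01 10:00:02.000", "ProcessGuid": "{guid-host}", "ProcessId": 5204, "Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Users\\alice\\Downloads\\loader.exe"}
{"EventID": 25, "UtcTime": "2021-06-01 10:00:02.050", "ProcessGuid": "{guid-host}", "ProcessId": 5204, "Image": "C:\\Windows\\System32\\svchost.exe", "Type": "Image is replaced"}
{"EventID": 1, "UtcTime": "2021-06-01 10:05:00.000", "ProcessGuid": "{guid-notepad}", "ProcessId": 6100, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 25, "UtcTime": "2021-06-01 10:07:13.000", "ProcessGuid": "{guid-unknown}", "ProcessId": 7308, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\h.exe", "Type": "Image is locked for access"}
"""

SYSTEM_DIR = "c:\\windows\\"


def parse_events(text):
    """Parse a JSON-lines export into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def index_process_creates(events):
    """Map ProcessGuid -> Event ID 1 record so tampering events can be enriched."""
    return {e["ProcessGuid"]: e for e in events if e.get("EventID") == 1}


def severity_for(parent_image):
    """Illustrative heuristic (an assumption of this example, not a Sysmon rule):
    a tampered process whose parent runs from outside the Windows directory is
    ranked high; unknown or system-directory parents are ranked medium for analyst
    review, since some legitimate software also triggers Event ID 25."""
    if parent_image and not parent_image.lower().startswith(SYSTEM_DIR):
        return "high"
    return "medium"


def detect_tampering(events):
    """Return one alert per Event ID 25 record, enriched with the parent image."""
    creates = index_process_creates(events)
    alerts = []
    for e in events:
        if e.get("EventID") != 25:
            continue
        create = creates.get(e["ProcessGuid"], {})
        parent = create.get("ParentImage")
        alerts.append({
            "UtcTime": e["UtcTime"],
            "ProcessId": e["ProcessId"],
            "Image": e["Image"],
            "Type": e["Type"],
            "ParentImage": parent,
            "Severity": severity_for(parent),
        })
    return alerts


if __name__ == "__main__":
    for a in detect_tampering(parse_events(SAMPLE_EVENTS)):
        print(f'[{a["Severity"]:6}] {a["UtcTime"]} pid={a["ProcessId"]} '
              f'{a["Image"]} ({a["Type"]}) parent={a["ParentImage"]}')
```

Run against the constructed sample, the script raises two alerts: the svchost.exe image replaced right after being spawned by a process in a Downloads folder (high), and a temp-folder binary whose file was locked for access with no matching ProcessCreate record (medium). Event ID 25 is noisy on some hosts, so in practice the parent/child enrichment shown here is what turns it into something an analyst can act on.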