question

CuriousHunter-6638 asked

Detecting ScareCrow and the like...

In reading FireEye's recent blog on "Smoking out a DARKSIDE affiliate's supply chain software compromise", I followed the thread to one of the noted frameworks, ScareCrow. See GitHub: optiv/ScareCrow.

In reviewing process hollowing and herpaderping, it appears that this attack vector (according to their claims) would go undetected. I haven't tested this in the lab, but am curious as to how Sysmon can be used to detect the actions.

Looking forward to the insights the community can bring to the forefront on this.

CuriousHunter

windows-sysinternals-sysmon
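One way to approach the question, as an added example that is not part of the original post and not code from the ScareCrow project: Sysmon 13 and later emits Event ID 25 (ProcessTampering) when a process's mapped image is replaced after creation (hollowing) or the image file is locked so the on-disk content can be swapped (herpaderping), and Event ID 10 (ProcessAccess) records the access mask a source process obtained on a target. The script below parses Sysmon events in their exported XML shape, flags every Event ID 25, flags Event ID 10 records whose GrantedAccess includes the rights needed to write code into and start a thread in another process (PROCESS_VM_WRITE, PROCESS_VM_OPERATION, PROCESS_CREATE_THREAD), and joins Event ID 1 so each tampering hit carries the parent that spawned the hollowed process. The event records, process ids and file paths are constructed samples for the example; the field names (Image, ProcessId, ParentImage, Type, SourceImage, TargetImage, GrantedAccess) are Sysmon's own.

```python
"""Triage Sysmon events for process-image tampering (hollowing / herpaderping).

Added example for the question above; not from the original post or the
ScareCrow project. The XML below is a CONSTRUCTED sample shaped like Sysmon's
exported events; pids and paths are placeholders.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Windows event schema namespace used by Sysmon's exported XML
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Process access rights that together allow writing code into a live process
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed sample: a loader spawns notepad.exe (ID 1), the image is replaced
# (ID 25), the loader holds a full-access handle (ID 10), then Task Manager
# opens notepad.exe with a query-only mask (benign ID 10).
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="ProcessId">4242</Data>
    <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
    <Data Name="ParentProcessId">3100</Data>
    <Data Name="ParentImage">C:\Users\lab\Downloads\loader.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>25</EventID></System>
  <EventData>
    <Data Name="ProcessId">4242</Data>
    <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
    <Data Name="Type">Image is replaced</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>10</EventID></System>
  <EventData>
    <Data Name="SourceProcessId">3100</Data>
    <Data Name="SourceImage">C:\Users\lab\Downloads\loader.exe</Data>
    <Data Name="TargetProcessId">4242</Data>
    <Data Name="TargetImage">C:\Windows\System32\notepad.exe</Data>
    <Data Name="GrantedAccess">0x1FFFFF</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>10</EventID></System>
  <EventData>
    <Data Name="SourceProcessId">5010</Data>
    <Data Name="SourceImage">C:\Windows\System32\Taskmgr.exe</Data>
    <Data Name="TargetProcessId">4242</Data>
    <Data Name="TargetImage">C:\Windows\System32\notepad.exe</Data>
    <Data Name="GrantedAccess">0x1000</Data>
  </EventData>
</Event>
</Events>"""


def parse_events(xml_text: str) -> List[Dict[str, str]]:
    """Flatten each <Event> into a dict of its EventID plus EventData fields."""
    root = ET.fromstring(xml_text)
    records = []
    for ev in root.findall("e:Event", NS):
        rec = {"EventID": ev.find("e:System/e:EventID", NS).text}
        for data in ev.findall("e:EventData/e:Data", NS):
            rec[data.get("Name")] = data.text or ""
        records.append(rec)
    return records


def find_tampering(xml_text: str) -> List[Dict[str, object]]:
    """Return findings for ID 25 tampering and ID 10 injection-capable access."""
    events = parse_events(xml_text)
    # ID 1 gives us the parent of every created process; join it onto ID 25 hits
    parents = {r["ProcessId"]: r.get("ParentImage", "") for r in events if r["EventID"] == "1"}
    findings: List[Dict[str, object]] = []
    for r in events:
        if r["EventID"] == "25":
            findings.append({
                "event_id": 25,
                "pid": r["ProcessId"],
                "image": r["Image"],
                "parent": parents.get(r["ProcessId"], "(no ID 1 seen)"),
                "reason": "process tampering: " + r.get("Type", "unknown"),
            })
        elif r["EventID"] == "10":
            granted = int(r.get("GrantedAccess", "0"), 16)  # Sysmon logs hex like 0x1FFFFF
            cross_process = r.get("SourceImage") != r.get("TargetImage")
            if cross_process and granted & INJECT_MASK:
                findings.append({
                    "event_id": 10,
                    "source": r["SourceImage"],
                    "target": r["TargetImage"],
                    "granted": hex(granted),
                    "reason": "handle with write/thread rights on another process",
                })
    return findings


if __name__ == "__main__":
    for f in find_tampering(SAMPLE_EVENTS):
        print(f)
```

Event ID 25 only fires if the Sysmon configuration enables ProcessTampering, so check the running config before relying on it; and the GrantedAccess rule is noisy on its own (debuggers, AV and backup agents open processes with broad rights), which is why the example keeps it as a secondary indicator alongside the parent image rather than an alert by itself.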


0 Answers