Detecting ScareCrow and the like...

CuriousHunter 1 Reputation point
2021-06-17T13:56:42.75+00:00

In reading FireEye's recent blog on "Smoking out a DARKSIDE affiliate's supply chain software compromise" I followed the thread to one of the noted frameworks, ScareCrow. See GitHub: optiv/ScareCrow.

In reviewing process hollowing and herpaderping, it appears that this attack vector (according to their claims) would go undetected. I haven't tested this in the lab, but am curious as to how Sysmon can be used to detect the actions.

Looking forward to the insights the community can bring to the forefront on this.

CuriousHunter
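As an added example (not part of the question above, and not ScareCrow or Sysmon project code), the detection logic below runs over constructed Sysmon event records and flags the two signals a defender would look at for hollowing and herpaderping: Sysmon 13+ Event ID 25 (ProcessTampering), whose `Type` text is assumed here to read "Image is replaced" for hollowing and "Image is locked for access" for herpaderping, and Event ID 10 (ProcessAccess) handles granted with the memory-write rights an injector needs. The sample records, image paths and PIDs are all constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sysmon 13+ Event ID 25 (ProcessTampering): 'Type' names what was seen. The two
# strings are assumed from Sysmon's published event text for hollowing/herpaderping.
TAMPER_TYPES = {"Image is replaced": "process hollowing",
                "Image is locked for access": "process herpaderping"}
# Event ID 10 (ProcessAccess): the PROCESS_* rights an injector needs to rewrite
# another process's memory (supporting signal, noisier than Event 25).
PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0008, 0x0020
WRITE_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) from one Sysmon event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def classify(xml_text):
    """Map one event to a finding string, or None if it is not of interest."""
    event_id, d = parse_event(xml_text)
    if event_id == 25 and d.get("Type") in TAMPER_TYPES:
        return f"{TAMPER_TYPES[d['Type']]}: {d.get('Image')} (pid {d.get('ProcessId')})"
    if event_id == 10 and int(d.get("GrantedAccess", "0"), 16) & WRITE_RIGHTS == WRITE_RIGHTS:
        return (f"write access to {d.get('TargetImage')} from {d.get('SourceImage')} "
                f"(GrantedAccess {d['GrantedAccess']})")
    return None

def scan(events):
    """Run classify() over event records and keep the hits, in input order."""
    return [hit for hit in map(classify, events) if hit]

# Constructed sample records (not real telemetry); only the fields used above are set.
def _rec(event_id, **fields):
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

SAMPLE_EVENTS = [
    _rec(25, Image=r"C:\Windows\System32\notepad.exe", ProcessId="4312", Type="Image is replaced"),
    _rec(25, Image=r"C:\Users\u\stage.exe", ProcessId="5120", Type="Image is locked for access"),
    _rec(10, SourceImage=r"C:\Users\u\loader.exe", TargetImage=r"C:\Windows\System32\notepad.exe",
         GrantedAccess="0x1FFFFF"),
    _rec(10, SourceImage=r"C:\Windows\System32\taskmgr.exe", TargetImage=r"C:\Windows\explorer.exe",
         GrantedAccess="0x1000"),  # query-only handle, should not be flagged
]
```

Event 25 needs the ProcessTampering rule enabled in the Sysmon configuration; Event 10 is only a supporting signal and normally needs exclusions for legitimate tooling (AV, debuggers) before it is alertable.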

Sysinternals
