In Memory Signatures

Memory scanners often search process memory for known malware signatures during their scans. Common payloads such as Beacon and Meterpreter can be caught this way.

A very simple test is to spawn a Cobalt Strike Beacon with sleep_mask set to false and run the following YARA rule against the Beacon process:

rule CobaltStrike {
  strings:
    // 64-bit layout (8-byte fields); (a|b) is an alternation, ?? a wildcard byte
    $cobaltStrikeRule64 = {
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      01 00 00 00 00 00 00 00 (00|01|02|04|08|10) 00 00 00 00 00 00 00
      01 00 00 00 00 00 00 00 ?? ?? 00 00 00 00 00 00
      02 00 00 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00
      02 00 00 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00
      01 00 00 00 00 00 00 00 ?? ?? 00 00 00 00 00 00
    }
    // 32-bit layout (4-byte fields), left commented out
    //$cobaltStrikeRule32 = {
    //  00 00 00 00 00 00 00 00
    //  01 00 00 00 (00|01|02|04|08|10) 00 00 00
    //  01 00 00 00 ?? ?? 00 00
    //  02 00 00 00 ?? ?? ?? ??
    //  02 00 00 00 ?? ?? ?? ??
    //  01 00 00 00 ?? ?? 00 00
    //}
  condition:
    any of them
}

As you can see, the Beacon is detected in memory.
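As an added example (not code from the original page), the 64-bit hex string from the rule above is translated into a byte-level matcher and run over a constructed memory region that mimics the table layout the rule describes; the region contents and the XOR key are made up. It shows the hit on unmasked bytes and, for the sleep masking discussed below, that the same bytes no longer match while they are masked.

```python
import re
import struct

# The 64-bit hex string from the YARA rule above (the 32-bit variant is omitted).
COBALTSTRIKE_64 = """
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    01 00 00 00 00 00 00 00 (00|01|02|04|08|10) 00 00 00 00 00 00 00
    01 00 00 00 00 00 00 00 ?? ?? 00 00 00 00 00 00
    02 00 00 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00
    02 00 00 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00
    01 00 00 00 00 00 00 00 ?? ?? 00 00 00 00 00 00
"""

def hex_string_to_regex(hex_string: str) -> re.Pattern:
    """Translate a YARA hex string (literal bytes, ?? wildcards, (a|b) alternation)
    into an equivalent bytes regex that can be run over any byte buffer."""
    parts = []
    for tok in re.findall(r"\(|\)|\||\?\?|[0-9A-Fa-f]{2}", hex_string):
        if tok == "(":
            parts.append(b"(?:")
        elif tok in (")", "|"):
            parts.append(tok.encode())
        elif tok == "??":
            parts.append(b".")          # any single byte
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

def scan(region: bytes) -> list:
    """Return the offsets in `region` where the Cobalt Strike pattern matches."""
    return [m.start() for m in hex_string_to_regex(COBALTSTRIKE_64).finditer(region)]

def build_sample_region() -> bytes:
    """Constructed stand-in for a process memory region: filler, then a table of
    {type, value} 8-byte little-endian pairs laid out as the rule expects, then filler."""
    entries = [(0, 0), (1, 8), (1, 0x1F90), (2, 0x11223344), (2, 0x55667788), (1, 0x50)]
    table = b"".join(struct.pack("<QQ", t, v) for t, v in entries)
    return b"\x90" * 32 + table + b"\xcc" * 32

def xor_mask(region: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the kind of transform a sleep mask applies before sleeping
    and undoes on wake; applying it twice restores the original bytes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(region))

if __name__ == "__main__":
    region = build_sample_region()
    key = b"\x8d\x2b\x71\xe4"  # constructed key, not taken from any real sample
    print("unmasked:", scan(region))                                # [32]
    print("masked:  ", scan(xor_mask(region, key)))                 # []
    print("awake:   ", scan(xor_mask(xor_mask(region, key), key)))  # [32]
```

A scanner that only runs while the region is masked sees no hit; the signature is only useful while the Beacon is awake and its bytes are in the clear.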

Sleep masking can defeat traditional signature detection in memory. Refer to the following chapters for more about sleep masking:

Sleep masking
