cisagov / CHIRP

A DFIR tool written in Python.
Creative Commons Zero v1.0 Universal

Process Memory Plugin #6

Open kfaber opened 3 years ago

kfaber commented 3 years ago

💡 Summary

A plugin to inspect process memory would be helpful to detect a variety of injections including Cobalt Strike beacons and the like.

Motivation and context

Bad guys like Cobalt Strike and in-memory implants.

Implementation notes

Passing the pid to the Python YARA bindings and having a set of rules specific to the module would be helpful, with the option to leverage PE-sieve. Maybe a config to limit the processes.

Acceptance criteria

Functioning plugin.
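The implementation sketched in the issue (hand the pid to the yara-python bindings, a module-specific rule set, a config that limits which processes get scanned) can be shown as a small worked plugin. This is an added example, not CHIRP's own code and not kfaber's. It assumes the `yara` package (yara-python) is installed, that the scanner runs with enough privilege to read other processes' memory (root on Linux, an elevated prompt with SeDebugPrivilege on Windows), and that `psutil` is available for process enumeration in `main()`. The `ScanConfig`, `Finding`, `select_targets`, `scan_process` and `scan_all` names are all invented for this example, and the YARA rule is constructed for illustration; it is not a vetted Cobalt Strike signature.

```python
"""Shape of a process-memory scanning plugin built on yara-python.

Added example, not CHIRP code. Assumes yara-python is installed and the
caller can read other processes' memory (root / SeDebugPrivilege).
"""
import os
from dataclasses import dataclass, field
from typing import Iterable, Iterator, List, Optional, Set, Tuple

try:
    import yara  # yara-python; optional so the pure parts import without it
except ImportError:  # pragma: no cover
    yara = None

# Constructed, illustrative rule set. NOT a vetted Cobalt Strike signature;
# a real plugin would ship a curated rule file next to the module.
RULES_SOURCE = r"""
rule example_reflective_loader_strings
{
    meta:
        description = "Illustrative strings seen in reflectively loaded DLLs"
    strings:
        $s1 = "ReflectiveLoader" ascii wide
        $s2 = "beacon.dll" ascii wide nocase
    condition:
        any of them
}
"""


@dataclass
class ScanConfig:
    """The 'config to limit the processes' the issue mentions (invented here)."""
    only_names: Set[str] = field(default_factory=set)  # empty means scan everything
    skip_pids: Set[int] = field(default_factory=set)
    skip_self: bool = True  # our own memory holds the rule strings and would self-match


@dataclass
class Finding:
    pid: int
    name: str
    rule: str
    offsets: List[int]


def select_targets(processes: Iterable[Tuple[int, str]], cfg: ScanConfig,
                   self_pid: Optional[int] = None) -> List[Tuple[int, str]]:
    """Apply the config to a (pid, image name) listing; names match case-insensitively."""
    self_pid = os.getpid() if self_pid is None else self_pid
    wanted = {n.lower() for n in cfg.only_names}
    out = []
    for pid, name in processes:
        if cfg.skip_self and pid == self_pid:
            continue
        if pid in cfg.skip_pids:
            continue
        if wanted and name.lower() not in wanted:
            continue
        out.append((pid, name))
    return out


def compile_rules(source: str = RULES_SOURCE):
    if yara is None:
        raise RuntimeError("yara-python is required: pip install yara-python")
    return yara.compile(source=source)


def _match_offsets(match) -> List[int]:
    """yara-python >= 4.3 exposes StringMatch objects; older versions return tuples."""
    offsets = []
    for s in match.strings:
        if hasattr(s, "instances"):
            offsets.extend(inst.offset for inst in s.instances)
        else:
            offsets.append(s[0])
    return offsets


def scan_process(rules, pid: int, name: str, timeout: int = 30) -> List[Finding]:
    """Scan one live process by pid. Unreadable or vanished processes are skipped, not fatal."""
    try:
        matches = rules.match(pid=pid, timeout=timeout)
    except yara.Error as exc:  # access denied, process exited, protected process, timeout
        print(f"[skip] pid {pid} ({name}): {exc}")
        return []
    return [Finding(pid, name, m.rule, _match_offsets(m)) for m in matches]


def scan_all(processes: Iterable[Tuple[int, str]], cfg: ScanConfig) -> Iterator[Finding]:
    rules = compile_rules()
    for pid, name in select_targets(processes, cfg):
        yield from scan_process(rules, pid, name)


def main() -> None:
    import psutil  # assumption: used only to enumerate (pid, name) pairs
    procs = [(p.pid, p.info["name"] or "?") for p in psutil.process_iter(["name"])]
    cfg = ScanConfig(only_names={"rundll32.exe", "svchost.exe"})  # example limit
    for f in scan_all(procs, cfg):
        print(f"pid={f.pid} name={f.name} rule={f.rule} offsets={f.offsets[:5]}")


if __name__ == "__main__":
    main()
```

`rules.match(pid=...)` walks the target's mapped regions, so a reflectively loaded DLL with no file on disk is still visible to the rules; running the scan as an unprivileged user will simply produce `[skip]` lines for every process it cannot open, which is why the error is logged rather than raised. Keep the rule file small and specific to the module, because a broad rule set applied to every process on a host is slow and noisy.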