
Want to detect Cobalt Strike on the network? Look to process memory
2022-12-06 15:30

Enterprise security pros can detect malware samples in environments that incorporate the highly evasive Cobalt Strike attack code by analyzing artifacts in process memory, according to researchers with Palo Alto Networks' Unit 42 threat intelligence unit.

"One of the main advantages of Cobalt Strike is that it mainly operates in memory once the initial loader is executed," Unit 42 malware researchers Dominik Reichel, Esmid Idrizovic, and Bob Jung write in a report.

The researchers attest that Cobalt Strike can be detected in memory.

Palo Alto designed a hypervisor-based sandbox for analyzing artifacts in memory, and Unit 42 analyzed samples of three Cobalt Strike loaders detected by the sandbox.

MagnetLoader is a DLL that imitates a legitimate Windows library and decrypts the Cobalt Strike beacon into a memory buffer, using a Windows API function to run the beacon loader rather than calling it directly.

Security pros can also look at memory to find changes to Windows bookkeeping structures, which the operating system uses to track process characteristics such as the libraries that have been loaded.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/12/06/cobalt_strike_memory_unit_42/