Adversaries running the Red Leaves malware leave Command and Control (C2) artifacts in process memory while maintaining persistence or exfiltrating data. SOC teams should proactively hunt for these in-memory artifacts from Azure Sentinel to identify Red Leaves activity that may evade traditional detection methods.
YARA Rule
rule malware_red_leaves_memory {
    meta:
        author = "David Cannings"
        description = "Red Leaves C&C left in memory, use with Volatility / Rekall"
    strings:
        $ = "__msgid=" wide ascii
        $ = "__serial=" wide ascii
        $ = "OnlineTime=" wide
        // Indicates a file transfer
        $ = "clientpath=" wide ascii
        $ = "serverpath=" wide ascii
    condition:
        3 of them
}
When this YARA rule is deployed, the following legitimate scenarios can produce noise; the listed filters/exclusions should be applied:
Scenario: Legitimate scheduled job using schtasks.exe to run a maintenance script
Filter/Exclusion: Check for schtasks.exe in the process tree and exclude processes with ImageFileName containing schtasks.exe or TaskScheduler
Scenario: System update or patching process using wuauclt.exe (Windows Update)
Filter/Exclusion: Exclude processes with ImageFileName containing wuauclt.exe or WindowsUpdate
Scenario: Memory dump analysis using Volatility or Rekall tools by a security team
Filter/Exclusion: Exclude processes with ImageFileName containing volatility or rekall and filter by user context (e.g., UserMode or System)
Scenario: Administrative task using taskmgr.exe or tasklist.exe to monitor processes
Filter/Exclusion: Exclude processes with ImageFileName containing taskmgr.exe, tasklist.exe, or taskkill.exe
Scenario: Network monitoring tool like Wireshark or Microsoft Network Monitor (NMM) capturing traffic
Filter/Exclusion: Exclude processes with ImageFileName containing Wireshark, nmm.exe, or npcap and filter by process name or parent process.
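The following is an added example, not code from the original page or from the rule's author. It re-implements the matching logic of rule malware_red_leaves_memory in pure Python (each string checked in its declared ascii and/or wide UTF-16LE form, firing on 3 of them) over constructed process-memory samples, and then applies the ImageFileName filters/exclusions listed above. The process records, the hunt() helper and the sample buffers are assumptions for the demo; in practice the scan itself is done with yara-python or Volatility's yarascan plugin and the exclusions are applied to its output.

```python
# Added example (not the page's own code): pure-Python stand-in for the YARA rule's
# string matching plus the page's ImageFileName-based exclusions.

# Rule strings with their modifiers, as declared in malware_red_leaves_memory
RULE_STRINGS = {
    "__msgid=": ("ascii", "wide"),
    "__serial=": ("ascii", "wide"),
    "OnlineTime=": ("wide",),          # declared wide-only in the rule
    "clientpath=": ("ascii", "wide"),  # indicates a file transfer
    "serverpath=": ("ascii", "wide"),
}
MIN_MATCHES = 3  # condition: 3 of them

# Filter/exclusion substrings from the scenarios above, compared case-insensitively
EXCLUDED_IMAGE_SUBSTRINGS = (
    "schtasks.exe", "taskscheduler",
    "wuauclt.exe", "windowsupdate",
    "volatility", "rekall",
    "taskmgr.exe", "tasklist.exe", "taskkill.exe",
    "wireshark", "nmm.exe", "npcap",
)


def encodings_for(s, modifiers):
    """Byte forms YARA would search for: ascii and/or wide (UTF-16LE)."""
    out = []
    if "ascii" in modifiers:
        out.append(s.encode("ascii"))
    if "wide" in modifiers:
        out.append(s.encode("utf-16-le"))
    return out


def matched_strings(memory: bytes):
    """Return the set of rule strings present in memory in any declared encoding."""
    hits = set()
    for s, mods in RULE_STRINGS.items():
        if any(enc in memory for enc in encodings_for(s, mods)):
            hits.add(s)
    return hits


def rule_matches(memory: bytes) -> bool:
    return len(matched_strings(memory)) >= MIN_MATCHES


def is_excluded(image_file_name: str) -> bool:
    name = image_file_name.lower()
    return any(sub in name for sub in EXCLUDED_IMAGE_SUBSTRINGS)


def hunt(processes):
    """processes: dicts with pid, ImageFileName, memory. Returns (pid, image, strings) alerts."""
    alerts = []
    for p in processes:
        if not rule_matches(p["memory"]):
            continue
        if is_excluded(p["ImageFileName"]):
            continue  # benign scenario from the exclusion list
        alerts.append((p["pid"], p["ImageFileName"], sorted(matched_strings(p["memory"]))))
    return alerts


def sample_processes():
    """Constructed memory samples (assumption for the demo, not real dump data)."""
    wide = lambda s: s.encode("utf-16-le")
    return [
        # three C2 strings, two of them wide -> reaches the threshold
        {"pid": 4242, "ImageFileName": "svchost.exe",
         "memory": b"\x00" * 16 + b"__msgid=1&" + wide("__serial=77")
                   + wide("OnlineTime=3600") + b"\x00" * 8},
        # only one string -> below threshold
        {"pid": 1000, "ImageFileName": "explorer.exe",
         "memory": b"junk __msgid= junk"},
        # OnlineTime= in ascii does not count (rule says wide); only two hits
        {"pid": 1001, "ImageFileName": "notepad.exe",
         "memory": b"clientpath=C:\\a serverpath=/b OnlineTime=5"},
        # analyst's own tooling holding the rule strings -> excluded
        {"pid": 1002, "ImageFileName": "volatility.exe",
         "memory": b"__msgid= __serial= clientpath= serverpath="},
    ]


if __name__ == "__main__":
    for pid, image, strings in hunt(sample_processes()):
        print(f"pid={pid} image={image} strings={strings}")
```

Note that the exclusions only suppress alerts; a rule hit in an excluded process is still worth logging, since ImageFileName is attacker-controlled and a name-based filter is a noise reducer, not a proof of benign activity.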