The memory_pivy rule detects potential adversary behavior involving memory-resident tooling: it looks for a single in-memory artifact (the ASCII string StubPath preceded by a run of null bytes, which the rule author notes as a sign of pivy in memory) that may indicate lateral movement or persistence within a network. SOC teams should proactively hunt for matches in Azure Sentinel to identify and mitigate early-stage compromise attempts that evade traditional endpoint detection.
YARA Rule
rule memory_pivy
{
    meta:
        author = "https://github.com/jackcr/"
    strings:
        $a = {00 00 00 00 00 00 00 00 00 00 00 53 74 75 62 50 61 74 68 00} // presence of pivy in memory
    condition:
        any of them
}
This rule contains one string pattern in its detection logic. It can be deployed in the following contexts; each scenario lists a filter/exclusion for the benign activity that would otherwise produce a false positive:
Scenario: Scheduled system maintenance using task scheduler to clean temporary files
Filter/Exclusion: process.parent_process_name == "schtasks.exe" or process.command_line contains "cleanmgr"
Scenario: Memory dump analysis using ProcDump by Microsoft
Filter/Exclusion: process.image_name == "procdump.exe" or process.command_line contains "procdump"
Scenario: Admin task to analyze memory usage with Process Explorer
Filter/Exclusion: process.image_name == "procexp.exe" or process.user == "Administrator"
Scenario: Automated log parsing tool like LogParser running memory diagnostics
Filter/Exclusion: process.image_name == "logparser.exe" or process.command_line contains "logparser"
Scenario: System update process using Windows Update services
Filter/Exclusion: process.parent_process_name == "svchost.exe" and process.parent_process_image_name == "svchost.exe" and process.command_line contains "wuauserv"
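To show what the rule's hex string actually matches, and how the Filter/Exclusion scenarios above would be applied when a match is triaged, here is an added Python example; it is not part of the rule, the page, or the rule author's repository. It parses the YARA hex string into bytes (also accepting the ?? wildcard, which goes beyond the page's rule), scans two constructed sample buffers, and encodes the five exclusion scenarios as predicates over a process record. The field names follow the page's filter syntax; the dict-shaped process record, the sample buffers, and the helper names are assumptions of this example.

```python
"""Added example (not the rule author's code): scan a buffer for the
memory_pivy hex pattern and apply the page's exclusion filters during triage."""
import re
from typing import List, Optional

# The hex string exactly as written in the rule: eleven null bytes, the ASCII
# text "StubPath", and a terminating null.
PIVY_HEX = "{00 00 00 00 00 00 00 00 00 00 00 53 74 75 62 50 61 74 68 00}"


def parse_hex_string(hex_string: str) -> List[Optional[int]]:
    """Parse a YARA-style hex string into a list of byte values.

    Each token is two hex digits or the wildcard "??", stored as None so the
    scanner accepts any byte there (the page's rule itself uses no wildcards).
    """
    body = hex_string.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("hex string must be enclosed in braces")
    pattern: List[Optional[int]] = []
    for tok in body[1:-1].split():
        if tok == "??":
            pattern.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            pattern.append(int(tok, 16))
        else:
            raise ValueError(f"unsupported hex token: {tok}")
    return pattern


def find_pattern(buf: bytes, pattern: List[Optional[int]]) -> List[int]:
    """Return every offset at which the pattern occurs in buf."""
    n = len(pattern)
    return [
        off
        for off in range(len(buf) - n + 1)
        if all(p is None or buf[off + i] == p for i, p in enumerate(pattern))
    ]


def memory_pivy_matches(buf: bytes) -> bool:
    """The rule's condition, 'any of them', over its single string $a."""
    strings = {"$a": parse_hex_string(PIVY_HEX)}
    return any(find_pattern(buf, pat) for pat in strings.values())


# The page's five exclusion scenarios as predicates over a process record.
# Keys mirror the page's filter fields; the record shape is assumed here.
EXCLUSIONS = [
    ("scheduled maintenance via task scheduler",
     lambda p: p.get("parent_process_name") == "schtasks.exe"
     or "cleanmgr" in p.get("command_line", "")),
    ("memory dump with ProcDump",
     lambda p: p.get("image_name") == "procdump.exe"
     or "procdump" in p.get("command_line", "")),
    ("memory analysis with Process Explorer",
     lambda p: p.get("image_name") == "procexp.exe"
     or p.get("user") == "Administrator"),
    ("LogParser diagnostics",
     lambda p: p.get("image_name") == "logparser.exe"
     or "logparser" in p.get("command_line", "")),
    ("Windows Update service host",
     lambda p: p.get("parent_process_name") == "svchost.exe"
     and p.get("parent_process_image_name") == "svchost.exe"
     and "wuauserv" in p.get("command_line", "")),
]


def matching_exclusion(proc: dict) -> Optional[str]:
    """Name of the first exclusion scenario the process record satisfies."""
    for name, pred in EXCLUSIONS:
        if pred(proc):
            return name
    return None


def triage(buf: bytes, proc: dict) -> str:
    """Combine the memory match with the exclusions: no match, suppressed, or alert."""
    if not memory_pivy_matches(buf):
        return "no match"
    excl = matching_exclusion(proc)
    return f"suppressed: {excl}" if excl else "alert"


# Constructed sample buffers (not real memory dumps).
# SUSPECT embeds the full pattern at offset 16.
SUSPECT = b"\x90" * 16 + b"\x00" * 11 + b"StubPath\x00" + b"\xcc" * 8
# BENIGN carries the same text inside a registry-path string with no null run
# in front of it; the rule's leading nulls are what keep it from matching.
BENIGN = b"Active Setup\\Installed Components\\StubPath\x00"

if __name__ == "__main__":
    print(find_pattern(SUSPECT, parse_hex_string(PIVY_HEX)))          # [16]
    print(triage(SUSPECT, {"image_name": "procdump.exe"}))             # suppressed
    print(triage(SUSPECT, {"image_name": "iexplore.exe"}))             # alert
    print(triage(BENIGN, {}))                                          # no match
```

The BENIGN buffer is the caveat worth keeping in mind when tuning this rule: StubPath is also the name of a legitimate Active Setup registry value, so the text alone would be a weak indicator; the eleven leading null bytes in $a are what tie the hit to the in-memory layout the author observed rather than to any registry path that happens to be present in the process.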