The memory_shylock rule detects potential memory-resident malware that avoids writing to disk, which is a common tactic used by adversaries to evade traditional detection methods. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify stealthy, persistence-focused threats that may otherwise go undetected.
YARA Rule
rule memory_shylock
{
    meta:
        author = "https://github.com/jackcr/"
    strings:
        $a = /pipe\\[A-F0-9]{32}/ // Named pipe created by the malware
        $b = /id=[A-F0-9]{32}/ // Portion of the URI beacon
        $c = /MASTER_[A-F0-9]{32}/ // Mutex created by the malware
        $d = "***Load injects by PIPE (%s)" // String found in binary
        $e = "***Load injects url=%s (%s)" // String found in binary
        $f = "*********************** Ping Ok ************************" // String found in binary
        $g = "*** LOG INJECTS *** %s" // String found in binary
    condition:
        any of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 7 string patterns in its detection logic.
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as disk cleanup or log rotation, may trigger memory artifacts that match the memory_shylock YARA rule.
Filter/Exclusion: Exclude processes associated with task scheduler or schtasks.exe with known maintenance scripts (e.g., cleanmgr.exe, logrotate.exe).
Scenario: Antivirus Memory Scan
Description: Antivirus tools like Kaspersky, Bitdefender, or Malwarebytes often perform memory scans that can generate similar memory artifacts to malware.
Filter/Exclusion: Exclude processes with parent or child processes matching known antivirus tools (e.g., kavsvc.exe, mbam.exe, bitdefender.exe).
Scenario: PowerShell Script Execution
Description: A legitimate PowerShell script used for system administration (e.g., Invoke-Command, Get-EventLog) may generate memory patterns that match the rule.
Filter/Exclusion: Exclude processes with powershell.exe and a command line containing known admin tasks (e.g., -Command Get-EventLog, -File C:\scripts\maint.ps1).
Scenario: Database Backup Job
Description: A scheduled database backup job using tools like SQL Server Backup Utility or MySQLDump may generate memory artifacts that resemble malicious behavior.
Filter/Exclusion: Exclude processes with sqlbackup.exe, mysqldump.exe, or backupsql.exe and check for known backup job identifiers in the command line.
Scenario: System File Integrity Check (SFIC)
Description: Tools like Sysinternals Process Explorer or Windows Defender Offline Scan may generate memory artifacts that match the rule.
Filter/Exclusion: Exclude processes
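The following is an added example, not code from the rule author or the page: the seven rule strings re-expressed as Python regexes and run over constructed memory buffers, with the process-name exclusions from the scenarios above applied as a triage step. The sample buffers, the exclusion set and the "excluded" verdict are assumptions for illustration.

```python
import re

# The seven strings of memory_shylock as Python regexes. Text strings are
# escaped so they match literally, as YARA text strings do; regex strings
# keep the same character classes as the rule.
SHYLOCK_PATTERNS = {
    "a": re.compile(rb"pipe\\[A-F0-9]{32}"),          # named pipe
    "b": re.compile(rb"id=[A-F0-9]{32}"),             # URI beacon fragment
    "c": re.compile(rb"MASTER_[A-F0-9]{32}"),         # mutex
    "d": re.compile(re.escape(b"***Load injects by PIPE (%s)")),
    "e": re.compile(re.escape(b"***Load injects url=%s (%s)")),
    "f": re.compile(re.escape(
        b"*********************** Ping Ok ************************")),
    "g": re.compile(re.escape(b"*** LOG INJECTS *** %s")),
}

# Constructed exclusion set drawn from the false-positive scenarios above
# (assumed; tune to the environment).
EXCLUDED_IMAGES = {"cleanmgr.exe", "kavsvc.exe", "mbam.exe", "mysqldump.exe"}


def scan_memory(buf: bytes) -> dict:
    """Return {identifier: [offsets]} for every rule string found in buf.
    Mirrors the 'any of them' condition: the rule fires if this is non-empty."""
    hits = {}
    for ident, pattern in SHYLOCK_PATTERNS.items():
        offsets = [m.start() for m in pattern.finditer(buf)]
        if offsets:
            hits[ident] = offsets
    return hits


def triage(image_name: str, buf: bytes) -> str:
    """Classify one process memory region as 'alert', 'excluded' or 'clean'.
    A match inside a process on the exclusion list is filtered out, as the
    scenarios above describe, rather than raised as an alert."""
    if not scan_memory(buf):
        return "clean"
    if image_name.lower() in EXCLUDED_IMAGES:
        return "excluded"
    return "alert"


# Constructed sample regions (not real memory captures).
INFECTED = (b"\x00" * 16 + b"\\\\.\\pipe\\" + b"A" * 32 + b"\x00" * 8
            + b"***Load injects by PIPE (%s)\x00")
BENIGN = b"cleanup log rotation id=notahexvalue\x00"
```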