cisagov/CHIRP

Process Memory Plugin


💡 Summary

A plugin to inspect process memory would be helpful to detect a variety of injections including Cobalt Strike beacons and the like.

Motivation and context

Bad guys like Cobalt Strike and in-memory implants.

Implementation notes

Passing the PID to the Python YARA bindings and having a set of rules specific to the module would be helpful, with the option to leverage pe-sieve. Maybe a config to limit the processes.

Acceptance criteria

A functioning plugin.
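The implementation notes above sketch a plugin shape: pass a PID to the Python YARA bindings, keep a rule set specific to the module, optionally hand off to pe-sieve, and limit which processes are scanned through a config. The script below is an added example of that shape written for this page; it is not CHIRP's code and not a CHIRP plugin interface. It assumes yara-python is installed (the `yara` import), assumes hypothetical config keys (`include_names`, `exclude_names`, `exclude_pids`, `skip_self`) that CHIRP does not define, and embeds a constructed demo rule that matches a placeholder marker string rather than any real beacon signature. Process enumeration reads `/proc` on Linux; on other platforms the enumeration step returns nothing and the scanning functions are still usable with a PID supplied by the caller.

```python
"""Process-memory scanning sketch built on yara-python.

Added example, not cisagov/CHIRP code. Assumes yara-python is installed
(pip install yara-python); everything else is the standard library.
"""
import os

try:
    import yara  # yara-python; optional so the selection logic loads without it
except ImportError:  # scanning is reported as "skipped" in that case
    yara = None

# Constructed demo rule for this example only; it is NOT a Cobalt Strike
# signature. A real plugin would ship a module-specific rule set here.
DEMO_RULES = r'''
rule demo_inmemory_marker
{
    meta:
        description = "Constructed marker for this example, not a real beacon signature"
    strings:
        $marker = "PROCMEM-DEMO-MARKER"
    condition:
        $marker
}
'''

# Hypothetical plugin configuration; these key names are this example's assumption.
DEFAULT_CONFIG = {
    "include_names": [],                 # empty list means "every process"
    "exclude_names": ["System", "Registry", "Idle"],
    "exclude_pids": [],
    "skip_self": True,                   # never scan the scanner itself
}


def select_pids(processes, config, self_pid=None):
    """Filter (pid, name) pairs down to the PIDs the plugin should scan.

    `processes` is any iterable of (pid, name) tuples, so the selection
    logic can be exercised on constructed input without a live system.
    """
    self_pid = os.getpid() if self_pid is None else self_pid
    include = {n.lower() for n in config.get("include_names", [])}
    exclude = {n.lower() for n in config.get("exclude_names", [])}
    exclude_pids = set(config.get("exclude_pids", []))
    chosen = []
    for pid, name in processes:
        lname = (name or "").lower()
        if config.get("skip_self", True) and pid == self_pid:
            continue
        if pid in exclude_pids or lname in exclude:
            continue
        if include and lname not in include:
            continue
        chosen.append(pid)
    return chosen


def list_processes_linux():
    """Enumerate (pid, comm) from /proc; returns [] on hosts without /proc."""
    procs = []
    if not os.path.isdir("/proc"):
        return procs
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm", encoding="utf-8", errors="replace") as fh:
                procs.append((int(entry), fh.read().strip()))
        except OSError:
            continue  # process exited or is not readable by this user
    return procs


def compile_rules(source=DEMO_RULES):
    """Compile an in-memory rule set; None when yara-python is unavailable."""
    return yara.compile(source=source) if yara is not None else None


def scan_pid(pid, rules):
    """Scan one process's memory and return a result dict instead of raising.

    Rules.match(pid=...) attaches to the target (ptrace on Linux, OpenProcess
    on Windows), so it needs privilege and fails under a restrictive Yama
    ptrace_scope or against protected processes; that is reported as "error".
    """
    if rules is None:
        return {"pid": pid, "status": "skipped", "matches": [],
                "detail": "yara-python not installed"}
    try:
        hits = rules.match(pid=pid)
    except yara.Error as exc:
        return {"pid": pid, "status": "error", "matches": [], "detail": str(exc)}
    return {"pid": pid, "status": "matched" if hits else "clean",
            "matches": [m.rule for m in hits], "detail": ""}


def pe_sieve_command(pid, exe="pe-sieve64.exe"):
    """Argument vector for an optional out-of-band pe-sieve run on one PID.

    /pid and /json are pe-sieve's own switches; the executable path is a
    caller-supplied assumption (pe-sieve is Windows-only).
    """
    return [exe, "/pid", str(pid), "/json"]


def run(config=DEFAULT_CONFIG, rule_source=DEMO_RULES):
    """Select processes per config, scan each, and return the result list."""
    rules = compile_rules(rule_source)
    return [scan_pid(pid, rules) for pid in select_pids(list_processes_linux(), config)]


if __name__ == "__main__":
    for result in run():
        if result["status"] in ("matched", "error"):
            print(result)
```

Run it as root (or with `ptrace_scope` relaxed) on Linux to see per-process results; on a locked-down host most entries come back as `error` with the attach failure in `detail`, which is the case a plugin has to report cleanly rather than crash on.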