CoRIIN2026

FR: Les malwares Windows modernes évitent le disque pour s’exécuter directement en mémoire, chiffrant leurs payloads et les masquant via des techniques comme la fluctuation mémoire (chiffrement, modification dynamique des protections mémoire), rendant leur détection difficile pour les antivirus et EDR traditionnels. Cette présentation analyse ces mécanismes — des API hooks aux méthodes d’obfuscation inspirées des frameworks actuels —, évalue les limites des outils de détection (PE-sieve, Moneta) et des logs Windows (EVTX), et met en avant des solutions comme la télémétrie noyau, l’ETW, ou les protections matérielles (Control Flow Guard, Arbitrary Code Guard). Bien que complexe à contrer, cette menace reste observable grâce à une approche multicouche combinant analyse mémoire ciblée, corrélation de télémétrie et durcissement des endpoints, avec des recommandations adaptées aux analystes SOC, chasseurs de menaces et experts DFIR.

EN: Modern Windows malware has largely shifted away from disk-resident execution toward memory-resident implants in response to increasingly effective static detection and reputation-based controls. Payloads are commonly encrypted on disk, loaded dynamically, and executed entirely in memory to reduce exposure to traditional antivirus and EDR scanning. As defenders adapted with behavioral monitoring and memory inspection, attackers introduced more advanced techniques designed to evade not only static analysis, but also runtime inspection itself. One of those techniques is known as memory fluctuation.
Memory fluctuation refers to methods that dynamically modify access protections of memory regions containing malicious payloads. During idle or sleep phases, payloads may be encrypted, overwritten, or placed in non-executable or inaccessible memory states, and only briefly restored immediately before execution. This behavior significantly complicates memory scanning, live response, and post-incident forensic analysis, as malicious code may not be observable at the time of inspection.
This talk examines the technical foundations of memory fluctuation in modern Windows environments and evaluates its impact on defensive visibility. It places these techniques within the broader historical context of the ongoing evolution between endpoint defenses and malware evasion techniques, from API hooking and direct syscall bypasses to contemporary obfuscate-and-sleep mechanisms inspired by widely known frameworks. Particular attention is given to how payload format (shellcode, reflective DLLs, in-memory PE loaders) and Windows memory management primitives shape both evasion strategies and detection opportunities.

Using a controlled lab environment instrumented with Sysmon and an open-source EDR platform, the presentation demonstrates representative implementations of sleep-based encryption and memory protection flipping, including approaches that rely on API hooking and vectored exception handlers. These implementations serve as a basis for evaluating the effectiveness of commonly used defensive tools. Live memory scanners such as PE-sieve and Moneta are assessed for their ability to detect and extract fluctuating payloads, while specialized tools designed to identify sleeping beacons and anomalous execution patterns are examined for reliability and false-positive behavior.

The session further analyzes the limitations of traditional Windows event logs and SIEM-centric investigations, showing that EVTX artifacts alone provide little to no direct visibility into memory fluctuation activity. Instead, the talk highlights kernel-sourced telemetry and ETW-based monitoring as a more robust detection surface. Because memory fluctuation inherently relies on frequent changes to memory protections, repeated calls to memory protection APIs and their kernel equivalents emerge as strong indicators that are difficult for attackers to fully neutralize.

Finally, the presentation discusses practical defensive strategies and hardening measures. These include leveraging Control Flow Guard–based analysis to identify previously executable memory regions, as well as enabling platform protections such as Hardware Stack Protection and Arbitrary Code Guard where it’s operationally feasible. The talk concludes with role-specific guidance for SOC analysts, threat hunters, DFIR practitioners, and endpoint security developers, emphasizing correlated telemetry, targeted memory analysis, and layered detection over reliance on single indicators. While memory fluctuation poses real challenges, it remains inherently observable to a mature defensive stack when its systemic side effects are properly understood and monitored.