My team had an encounter in a recent #DFIR situation where we saw a #CobaltStrike feature in use by the perpetrators we hadn't seen before: "sleep mask", which obfuscates memory content while the beacon is inactive, making #Yara signatures come up empty. Blog post here:
https://cyber.wtf/2023/10/13/config-extraction-from-in-memory-cobaltstrike-beacons/