rule: meta: name: reference analysis tools strings namespace: anti-analysis author: michael.hunhoff@fireeye.com scope: file mbc: - Discovery::Analysis Tool Discovery::Process Detection [B0013.001] references: - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiAnalysis/process.cpp examples: - al-khaser_x86.exe_ features: - or: - string: /ollydbg.exe/i - string: /ProcessHacker.exe/i - string: /tcpview.exe/i - string: /autoruns.exe/i - string: /autorunsc.exe/i - string: /filemon.exe/i - string: /procmon.exe/i - string: /regmon.exe/i - string: /procexp.exe/i - string: /idaq.exe/i - string: /idaq64.exe/i - string: /ImmunityDebugger.exe/i - string: /Wireshark.exe/i - string: /dumpcap.exe/i - string: /HookExplorer.exe/i - string: /ImportREC.exe/i - string: /PETools.exe/i - string: /LordPE.exe/i - string: /SysInspector.exe/i - string: /proc_analyzer.exe/i - string: /sysAnalyzer.exe/i - string: /sniff_hit.exe/i - string: /windbg.exe/i - string: /joeboxcontrol.exe/i - string: /joeboxserver.exe/i - string: /ResourceHacker.exe/i - string: /x32dbg.exe/i - string: /x64dbg.exe/i - string: /Fiddler.exe/i - string: /httpdebugger.exe/i - string: /fakenet.exe/i - string: /netmon.exe/i - string: /WPE PRO.exe/i - string: /decompile.exe/i