(YARA) Detect CreateThreadpoolWait Usage
```yara
// The pe module must be imported before pe.imports() can be used in a condition.
import "pe"

rule shellcode_injection_via_createthreadpoolwait
{
    meta:
        description = "Detects PE files importing the API combination used for shellcode injection via CreateThreadpoolWait"
        technique_id = "U1236"

    condition:
        // Allocate executable memory, register a thread-pool wait callback, and block on it
        pe.imports("kernel32.dll", "VirtualAlloc") and
        pe.imports("kernel32.dll", "CreateThreadpoolWait") and
        pe.imports("kernel32.dll", "SetThreadpoolWait") and
        pe.imports("kernel32.dll", "WaitForSingleObject")
}
```

Note that `pe.imports()` only matches static import-table entries; a sample that resolves these functions at runtime (e.g. via `GetProcAddress`) will not trigger this rule.
Associated Techniques

| Technique Name | Technique IDs | Categories | Snippet(s) |
|---|---|---|---|
| Shellcode Injection via CreateThreadpoolWait | U1236 | | |
Created: December 22, 2022
Last Revised: March 27, 2026