(YARA) Detect GetForegroundWindow Usage
import "pe"
rule UNPROTECT_Possible_GetForegroundWindow_Evasion
{
meta:
description = "Attempts to detect possible usage of sandbox evasion techniques using GetForegroundWindow API, based on module imports."
author = "Kyle Cucci"
date = "2020-09-30"
condition:
uint16(0) == 0x5A4D and
pe.imports("user32.dll", "GetForegroundWindow") and
pe.imports("kernel32.dll", "Sleep")
}
Associated Techniques
No associated technique found so far.
Matching Samples 10 most recent
| Sample Name | Matching Techniques | First Seen | Last Seen |
|---|---|---|---|
| b2a17fbdf536bd79dba9eb5e4ea3...0fdd7eb07ca6c5bdf73de001.exe | 11 | 2026-04-07 | 1 week, 2 days ago |
| FilterKeysSetter.exe | 5 | 2026-03-28 | 2 weeks, 5 days ago |
| UnPackMe_VMProtect_1.53.exe | 7 | 2026-03-19 | 4 weeks ago |
| x64_Acrobat.exe | 9 | 2026-01-30 | 2 months, 2 weeks ago |
| x64_Acrobat.exe | 9 | 2026-01-30 | 2 months, 2 weeks ago |
| Torture.exe | 9 | 2025-12-16 | 3 months, 4 weeks ago |
| efak.exe | 6 | 2025-12-13 | 4 months ago |
| mxie.exe | 6 | 2025-11-11 | 5 months ago |
| c09065e575639c63ee5e74b4def1...a5454d3a98302478f7840338.exe | 8 | 2025-11-05 | 5 months, 1 week ago |
| 000.exe | 7 | 2025-10-06 | 6 months, 1 week ago |
Created
June 20, 2022
Last Revised
March 27, 2026