# (YARA) Detect Parent Process Identification
```yara
rule ParentProcessEvasion
{
    strings:
        // API name used to take a snapshot of the running processes
        $create_snapshot = "CreateToolhelp32Snapshot"
        // API names used to walk the process entries in that snapshot
        $process32_first = "Process32First"
        $process32_next = "Process32Next"
        // API name used to obtain the caller's own PID, which is then matched
        // against the walked entries to locate its own record and its parent
        $get_current_pid = "GetCurrentProcessId"
    condition:
        // Fire only when all four API names are present (matched as plain ASCII)
        all of them
}
```
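As an added example that is not part of this page or its rule, the following Python re-implements the rule's string search and its `all of them` condition over constructed byte blobs, so the logic can be exercised offline and its limits seen: the rule as written matches the four API names only as plain ASCII (no `wide` modifier), and it does not care whether the names sit in an import table or anywhere else in the file. The byte blobs, the `wide` option and the helper names (`find_strings`, `evaluate`, `rule_matches`) are assumptions of this example, not something the page defines.

```python
from __future__ import annotations

# Same four strings as the YARA rule. YARA matches string literals as plain
# ASCII unless the `wide` modifier is given, so that is the default here too.
RULE_STRINGS = {
    "create_snapshot": b"CreateToolhelp32Snapshot",
    "process32_first": b"Process32First",
    "process32_next": b"Process32Next",
    "get_current_pid": b"GetCurrentProcessId",
}


def find_strings(data: bytes, wide: bool = False) -> dict[str, list[int]]:
    """Return every offset at which each rule string occurs in `data`.

    wide=False mirrors the rule as written (ASCII only); wide=True searches for
    the UTF-16LE form instead, which is what YARA's `wide` modifier would add.
    """
    hits: dict[str, list[int]] = {}
    for name, needle in RULE_STRINGS.items():
        if wide:
            needle = needle.decode("ascii").encode("utf-16-le")
        offsets = []
        start = 0
        while (idx := data.find(needle, start)) != -1:
            offsets.append(idx)
            start = idx + 1
        hits[name] = offsets
    return hits


def evaluate(data: bytes, wide: bool = False) -> dict:
    """Apply the rule's `all of them` condition and report which strings are missing."""
    hits = find_strings(data, wide)
    missing = sorted(name for name, offsets in hits.items() if not offsets)
    return {"matches": not missing, "missing": missing, "offsets": hits}


def rule_matches(data: bytes, wide: bool = False) -> bool:
    return evaluate(data, wide)["matches"]


# --- Constructed inputs (made up for this example, not real samples) ----------
# Mimics the import-name region of a PE that resolves all four APIs by name.
SAMPLE_ALL = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"KERNEL32.dll\x00"
    + b"CreateToolhelp32Snapshot\x00"
    + b"Process32First\x00"
    + b"Process32Next\x00"
    + b"GetCurrentProcessId\x00"
    + b"CloseHandle\x00"
)
# Same blob without Process32Next: the rule must not fire.
SAMPLE_MISSING = SAMPLE_ALL.replace(b"Process32Next\x00", b"")
# Same four names stored as UTF-16LE, as a resource or .NET string would be:
# invisible to the rule as written, visible once `wide` is considered.
SAMPLE_WIDE = b"".join(
    s.decode("ascii").encode("utf-16-le") + b"\x00\x00" for s in RULE_STRINGS.values()
)

if __name__ == "__main__":
    for label, blob in [("all", SAMPLE_ALL), ("missing", SAMPLE_MISSING), ("wide", SAMPLE_WIDE)]:
        result = evaluate(blob)
        print(f"{label:8s} matches={result['matches']} missing={result['missing']}")
    print("wide blob with wide search:", rule_matches(SAMPLE_WIDE, wide=True))
```

Two triage points follow from running it. First, the four names are the ordinary Toolhelp way to enumerate processes, so a hit indicates the capability to walk the process list, not intent; installers and agents use the same calls, which is consistent with the kinds of file names in the sample table below. Second, `evaluate` reports which string is absent, which is more useful during rule tuning than a bare boolean.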
## Associated Techniques

| Technique Name | Technique ID(s) | Categories | Snippet(s) |
|---|---|---|---|
| Parent Process Detection | U0404 | | |
## Matching Samples (10 most recent)

| Sample Name | Matching Techniques | First Seen | Last Seen |
|---|---|---|---|
| CVE-2026-20817_PoC.exe | 8 | 2026-04-09 | 6 days, 23 hours ago |
| b2a17fbdf536bd79dba9eb5e4ea3...0fdd7eb07ca6c5bdf73de001.exe | 11 | 2026-04-07 | 1 week, 1 day ago |
| agent.exe | 7 | 2026-04-01 | 2 weeks ago |
| hello.exe | 6 | 2026-03-18 | 4 weeks ago |
| passper-for-rar_setup-com_passper.exe | 8 | 2026-02-18 | 1 month, 4 weeks ago |
| x64_Acrobat.exe | 9 | 2026-01-30 | 2 months, 2 weeks ago |
| x64_Acrobat.exe | 9 | 2026-01-30 | 2 months, 2 weeks ago |
| TS_4775.tmp | 7 | 2025-12-23 | 3 months, 3 weeks ago |
| MBSetup (3).exe | 6 | 2025-10-18 | 3 months, 3 weeks ago |
| setup.exe | 11 | 2025-12-09 | 4 months ago |
Created: December 7, 2022

Last Revised: March 26, 2026