(YARA) Detect_EnumProcess
rule Detect_EnumProcess: AntiDebug {
meta:
description = "Detect EnumProcessas anti-debug"
author = "Unprotect"
comment = "Experimental rule"
strings:
$1 = "EnumProcessModulesEx" fullword ascii
$2 = "EnumProcesses" fullword ascii
$3 = "EnumProcessModules" fullword ascii
condition:
uint16(0) == 0x5A4D and filesize < 1000KB and any of them
}
Associated Techniques
Technique Name | Technique ID's | Snippet(s) | OS |
---|---|---|---|
Detecting Running Process: EnumProcess API | U0109 U0405 U1306 |
Matching Samples 10 most recent
Sample Name | Matching Techniques | First Seen | Last Seen |
---|---|---|---|
1445a6fae415ff8b97807309ed6d...29636ba6a100dbcf3e3e04924790 | 7 | 2024-11-19 | 1 week, 6 days ago |
0f52170adf871c6983d7aaa2162a...7b5850a294feaa71dcaffcf661a2 | 12 | 2024-11-19 | 1 week, 6 days ago |
al-khaser.exe | 24 | 2024-11-13 | 2 weeks, 4 days ago |
Created
June 22, 2022
Last Revised
June 22, 2022