(YARA) YARA_Detect_createthreadpoolwait


import "pe"

// Matches a PE whose import table carries the four kernel32 APIs used by the
// CreateThreadpoolWait injection pattern: allocate memory, register a
// threadpool wait whose callback is the payload, arm it, then block.
rule shellcode_injection_via_createthreadpoolwait {
  condition:
    pe.imports("kernel32.dll", "VirtualAlloc") and
    pe.imports("kernel32.dll", "CreateThreadpoolWait") and
    pe.imports("kernel32.dll", "SetThreadpoolWait") and
    pe.imports("kernel32.dll", "WaitForSingleObject")
}
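To make concrete what this rule does and does not match, the following is an added example, not code from this page or from the rule's author: a standard-library-only Python script that walks a PE file's import directory and applies the same four-import condition that the `pe.imports()` terms above express. The function names (`pe_imports`, `matches_rule`, `build_sample_pe`) are this example's own, and the sample PE it builds is a constructed, non-loadable PE32+ image containing nothing but an import table, used here in place of a real binary.

```python
import struct

# The four imports the rule requires. DLL names are compared case-insensitively,
# as YARA's pe.imports() does; function names are compared exactly.
RULE_IMPORTS = {
    "kernel32.dll": {"VirtualAlloc", "CreateThreadpoolWait",
                     "SetThreadpoolWait", "WaitForSingleObject"},
}


def pe_imports(data):
    """Return {dll_name_lower: {function_name or '#ordinal', ...}} for an on-disk PE."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B           # PE32+ vs PE32
    dd_off = opt + (112 if is64 else 96)                              # data directories
    imp_rva, _imp_size = struct.unpack_from("<II", data, dd_off + 8)  # entry 1: imports
    if imp_rva == 0:
        return {}

    # Section table, needed to translate RVAs into file offsets.
    sections = []
    for i in range(nsections):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva2off(rva):
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rva - va + rawptr
        raise ValueError("RVA 0x%x not in any section" % rva)

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    thunk_fmt, thunk_len = ("<Q", 8) if is64 else ("<I", 4)
    ordinal_flag = 1 << (63 if is64 else 31)
    imports = {}
    desc = rva2off(imp_rva)
    while True:
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0 and oft == 0 and ft == 0:   # all-zero descriptor terminates the list
            break
        dll = cstr(rva2off(name_rva)).lower()
        funcs = imports.setdefault(dll, set())
        thunk = rva2off(oft or ft)   # prefer the ILT; fall back to the IAT if the ILT is absent
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ordinal_flag:
                funcs.add("#%d" % (entry & 0xFFFF))
            else:
                funcs.add(cstr(rva2off(entry) + 2))   # skip the 2-byte hint before the name
            thunk += thunk_len
        desc += 20
    return imports


def matches_rule(data):
    """True if the PE's import table satisfies every pe.imports() term of the rule."""
    imports = pe_imports(data)
    return all(needed <= imports.get(dll, set()) for dll, needed in RULE_IMPORTS.items())


def build_sample_pe(dll, funcs):
    """Constructed PE32+ image holding only an import table (not loadable or runnable)."""
    sec_rva, raw_off = 0x1000, 0x200
    ilt_rva = sec_rva + 40                            # after one descriptor + null terminator
    iat_rva = ilt_rva + 8 * (len(funcs) + 1)
    names_rva = iat_rva + 8 * (len(funcs) + 1)
    names, name_rvas = b"", []
    for f in funcs:
        name_rvas.append(names_rva + len(names))
        names += struct.pack("<H", 0) + f.encode() + b"\0"   # hint + NUL-terminated name
    dll_rva = names_rva + len(names)
    names += dll.encode() + b"\0"
    thunks = b"".join(struct.pack("<Q", r) for r in name_rvas) + b"\0" * 8
    section = struct.pack("<IIIII", ilt_rva, 0, 0, dll_rva, iat_rva) + b"\0" * 20
    section += thunks + thunks + names

    opt = bytearray(112 + 16 * 8)                     # only fields the parser reads are set
    struct.pack_into("<H", opt, 0, 0x20B)             # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8, sec_rva, 40)  # import directory RVA / size
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(section), sec_rva,
                       len(section), raw_off, 0, 0, 0, 0, 0xC0000040)
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt) + sect
    return hdr + b"\0" * (raw_off - len(hdr)) + section


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, "MATCH" if matches_rule(fh.read()) else "no match")
```

Two caveats follow directly from how the condition is evaluated. It only inspects the static import directory, so a loader that resolves `CreateThreadpoolWait` and friends at runtime through `GetProcAddress`, or that arrives as position-independent shellcode with no import table at all, produces no hit; the rule is a triage lead for compiled droppers, not a verdict. Conversely, any legitimate program that happens to import `VirtualAlloc`, the two threadpool-wait APIs and `WaitForSingleObject` matches too, so hits should be confirmed by looking at what the registered wait callback actually points to.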

Associated Techniques

Technique Name                               | Technique ID(s) | Snippet(s) | OS
Shellcode Injection via CreateThreadpoolWait | U1236           |            |

Created

December 22, 2022

Last Revised

November 5, 2024