(YARA) YARA_Detect_Possible_GetForegroundWindow_Evasion

import "pe"
 
rule UNPROTECT_Possible_GetForegroundWindow_Evasion
{
    meta:
        description = "Attempts to detect possible usage of sandbox evasion techniques using GetForegroundWindow API, based on module imports."
        author = "Kyle Cucci"
        date = "2020-09-30"
 
    condition:
        uint16(0) == 0x5A4D and
        pe.imports("user32.dll", "GetForegroundWindow") and
        pe.imports("kernel32.dll", "Sleep")
}

Associated Techniques

No associated technique found so far.

Matching Samples 10 most recent

Sample Name	Matching Techniques	First Seen	Last Seen
OutlastDev hackvshack.net.dll	4	2025-03-02	6 days, 19 hours ago
hmpalert pre-patched.exe	7	2025-02-12	3 weeks, 4 days ago
weave hackvshack.net.dll	6	2025-02-12	3 weeks, 4 days ago
cracked-by-txmuxn.exe	6	2025-02-09	3 weeks, 6 days ago
penis.dll	1	2025-02-05	1 month ago
FL Keys_x64.dll	4	2025-02-03	1 month ago
0b863912f72efc4e514d3165e6ae...821dfa56a1fd545dba5960f6.exe	3	2025-01-11	1 month, 3 weeks ago
kernel32.dll	13	2024-12-30	2 months, 1 week ago
honeypot.exe	5	2024-12-04	3 months ago
br1.dll	10	2024-12-03	3 months ago

View All

Created

June 20, 2022

Last Revised

June 20, 2022