(YARA) YARA_Detect_Possible_GetForegroundWindow_Evasion
import "pe"
rule UNPROTECT_Possible_GetForegroundWindow_Evasion
{
meta:
description = "Attempts to detect possible usage of sandbox evasion techniques using GetForegroundWindow API, based on module imports."
author = "Kyle Cucci"
date = "2020-09-30"
condition:
uint16(0) == 0x5A4D and
pe.imports("user32.dll", "GetForegroundWindow") and
pe.imports("kernel32.dll", "Sleep")
}
Associated Techniques
No associated technique found so far.
Matching Samples 10 most recent
| Sample Name | Matching Techniques | First Seen | Last Seen |
|---|---|---|---|
| 000.exe | 7 | 2025-10-06 | 3 weeks, 1 day ago |
| botnpwds.exe | 10 | 2025-09-24 | 1 month ago |
| test.exe | 8 | 2025-09-20 | 1 month, 1 week ago |
| VNC-Viewer-7.15.0-Windows-64bit.exe | 5 | 2025-09-04 | 1 month, 3 weeks ago |
| avbox.exe | 9 | 2025-08-31 | 1 month, 4 weeks ago |
| LINTools.exe | 4 | 2025-08-26 | 2 months ago |
| 0b98de4fbe9e42aa1b79f642c241...ac19b3fc5400705cfba61968.exe | 5 | 2025-08-13 | 2 months, 2 weeks ago |
| TORKpro300.exe | 3 | 2025-07-08 | 3 months, 2 weeks ago |
| mel.exe.exe | 4 | 2025-06-25 | 4 months ago |
| tel.exe | 13 | 2025-06-01 | 4 months, 3 weeks ago |
Created
June 20, 2022
Last Revised
June 20, 2022