(YARA) YARA_Detect_Possible_GetForegroundWindow_Evasion
import "pe"
rule UNPROTECT_Possible_GetForegroundWindow_Evasion
{
meta:
description = "Attempts to detect possible usage of sandbox evasion techniques using GetForegroundWindow API, based on module imports."
author = "Kyle Cucci"
date = "2020-09-30"
condition:
uint16(0) == 0x5A4D and
pe.imports("user32.dll", "GetForegroundWindow") and
pe.imports("kernel32.dll", "Sleep")
}
Associated Techniques
No associated technique found so far.
Matching Samples 10 most recent
| Sample Name | Matching Techniques | First Seen | Last Seen |
|---|---|---|---|
| br1.dll | 10 | 2024-12-03 | 4 hours, 49 minutes ago |
| Niple_v6.exe | 2 | 2024-12-01 | 1 day, 21 hours ago |
| Setup.exe | 5 | 2024-11-25 | 1 week, 1 day ago |
| Microsoft Store.exe | 4 | 2024-11-23 | 1 week, 2 days ago |
| 8126a59c84aad134868c842eabc2...204cd859e6322d22ce5a3b937e2a | 5 | 2024-11-19 | 2 weeks ago |
| d66430568a8cc95bf12b9511c61c...3f49cab4825c60c5f4c24d33539f | 6 | 2024-11-19 | 2 weeks ago |
| acd84d1f4b85b6f64b6ea01f9d7c...8b7a3fc1637c1ab9ca08bd6b6322 | 2 | 2024-11-19 | 2 weeks ago |
| 8e9583fb455e3381e29e40af8533...833f37f2d6927cb25dde2f3d4085 | 4 | 2024-11-19 | 2 weeks ago |
| 765edfc0c20fa35b84f7b36bf280...87d29cdf96ac9712ee6e05f59056 | 6 | 2024-11-19 | 2 weeks ago |
| 57e0cadabe82b0c02a5d4606b0a3...6672d88e5a1ea4651969392c290b | 12 | 2024-11-19 | 2 weeks ago |
Created
June 20, 2022
Last Revised
June 20, 2022