(YARA) YARA_DetectParentProcess
rule ParentProcessEvasion
{
strings:
// Check for the CreateToolhelp32Snapshot() function call
$create_snapshot = "CreateToolhelp32Snapshot"
// Check for the Process32First() function call
$process32_first = "Process32First"
// Check for the Process32Next() function call
$process32_next = "Process32Next"
// Check for the GetCurrentProcessId() function call
$get_current_pid = "GetCurrentProcessId"
condition:
// Check if all the required strings are present in the code
all of them
}
Associated Techniques
| Technique Name | Technique ID's | Snippet(s) | OS |
|---|---|---|---|
| Parent Process Detection | U0404 |
Matching Samples 10 most recent
| Sample Name | Matching Techniques | First Seen | Last Seen |
|---|---|---|---|
| Клиент.exe | 9 | 2025-07-01 | 3 weeks ago |
| test.exe | 7 | 2025-06-20 | 1 month ago |
| RuntimeBroker.exe | 11 | 2025-06-05 | 1 month, 2 weeks ago |
| tel.exe | 13 | 2025-06-01 | 1 month, 3 weeks ago |
| 5.exe | 9 | 2025-05-30 | 1 month, 3 weeks ago |
| q.apk.exe | 8 | 2025-05-30 | 1 month, 3 weeks ago |
| cobalt_sample.exe | 13 | 2025-05-25 | 1 month, 4 weeks ago |
| hmpalert.exe | 8 | 2025-04-20 | 2 months, 3 weeks ago |
| firefox.exe | 3 | 2025-04-26 | 2 months, 3 weeks ago |
| DarkComet.exe | 8 | 2025-04-25 | 2 months, 3 weeks ago |
Created
December 7, 2022
Last Revised
December 7, 2022