(YARA) YARA_DetectParentProcess

rule ParentProcessEvasion
{
    strings:
        // Check for the CreateToolhelp32Snapshot() function call
        $create_snapshot = "CreateToolhelp32Snapshot"

        // Check for the Process32First() function call
        $process32_first = "Process32First"

        // Check for the Process32Next() function call
        $process32_next = "Process32Next"

        // Check for the GetCurrentProcessId() function call
        $get_current_pid = "GetCurrentProcessId"

    condition:
        // Check if all the required strings are present in the code
        all of them
}
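A practitioner's refinement, added here as an example and not part of the Unprotect rule above: the raw-string match fires on any file that merely contains these API names (benign-looking names such as procexp.exe appear in the matching-sample list), so this variant uses YARA's pe module to require that the Toolhelp32 walk APIs are actually imported, keeping a string fallback for binaries that resolve them at runtime through GetProcAddress. The rule name and meta fields are my own.

```yara
import "pe"

rule ParentProcessEvasion_ImportTable
{
    meta:
        description = "Toolhelp32 process walk resolved from the PE import table (added example, not the Unprotect rule)"
        note = "GetCurrentProcessId is imported by nearly every CRT-linked binary, so it is not used as a discriminator here"

    strings:
        // Fallback for samples that resolve the APIs at runtime:
        // the names then sit in data rather than in the import directory
        $s_snapshot = "CreateToolhelp32Snapshot" ascii
        $s_first    = "Process32First" ascii
        $s_next     = "Process32Next" ascii
        $s_getproc  = "GetProcAddress" ascii

    condition:
        // MZ header: only evaluate real PE files
        uint16(0) == 0x5A4D and
        (
            // Preferred path: the walk APIs are present in the import table (ANSI or wide variants)
            (
                pe.imports("kernel32.dll", "CreateToolhelp32Snapshot") and
                (pe.imports("kernel32.dll", "Process32First") or pe.imports("kernel32.dll", "Process32FirstW")) and
                (pe.imports("kernel32.dll", "Process32Next") or pe.imports("kernel32.dll", "Process32NextW"))
            )
            or
            // Fallback path: all names present alongside GetProcAddress, suggesting dynamic resolution
            all of ($s_*)
        )
}
```

Run it with `yara -r` over a sample set and compare hit counts against the string-only rule to see how many matches the import-table requirement removes.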

Associated Techniques

| Technique Name | Technique ID | Snippet(s) | OS |
| --- | --- | --- | --- |
| Parent Process Detection | U0404 | | |

Matching Samples (10 most recent)

| Sample Name | Matching Techniques | First Seen | Last Seen |
| --- | --- | --- | --- |
| Xulytaikhoan.xlsx | 14 | 2024-11-26 | 3 weeks, 4 days ago |
| putty-64bit-0.81-installer.msi | 2 | 2024-11-25 | 3 weeks, 5 days ago |
| procexp.exe | 6 | 2024-11-21 | 4 weeks, 1 day ago |
| cfcb85ddfe25f093feb249d4004d...064da7e9ed119971859c61817f1f | 7 | 2024-11-19 | 1 month ago |
| 57e0cadabe82b0c02a5d4606b0a3...6672d88e5a1ea4651969392c290b | 12 | 2024-11-19 | 1 month ago |
| 315194f647f925de53ce6f014d64...9fb23070d253276b626a132557e8 | 10 | 2024-11-19 | 1 month ago |
| 23b1971659b16e186f9e1b36d8bc...e512b346e78f77dc314503aac59a | 13 | 2024-11-19 | 1 month ago |
| 0f52170adf871c6983d7aaa2162a...7b5850a294feaa71dcaffcf661a2 | 12 | 2024-11-19 | 1 month ago |
| implant.exe | 6 | 2024-11-18 | 1 month ago |
| KnightOnLine.exe | 7 | 2024-11-17 | 1 month ago |

Created: December 7, 2022

Last Revised: December 7, 2022