(YARA) YARA_DetectParentProcess


rule ParentProcessEvasion
{
    meta:
        description = "Detects the Toolhelp API names used to enumerate processes and locate the parent process (Unprotect technique U0404, Parent Process Detection)"

    strings:
        // Name of the CreateToolhelp32Snapshot() API, as it appears in an import table or as a plain string
        $create_snapshot = "CreateToolhelp32Snapshot"

        // Name of the Process32First() API, used to start walking the process snapshot
        $process32_first = "Process32First"

        // Name of the Process32Next() API, used to iterate over the snapshot
        $process32_next = "Process32Next"

        // Name of the GetCurrentProcessId() API, used to find the caller's own entry (and thus its parent PID)
        $get_current_pid = "GetCurrentProcessId"

    condition:
        // Match only if every one of the API names above is present
        all of them
}
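To show what the rule above does and does not flag, here is an added Python model of its `all of them` condition run over constructed byte buffers. It is not part of the Unprotect page and does not use the YARA engine; it mirrors the semantics of plain (no modifier) YARA strings, which match case-sensitive ASCII only, and the buffers are constructed stand-ins for a PE import-name table, not real samples.

```python
"""Model of the ParentProcessEvasion rule's `all of them` condition.

Added example: not part of the Unprotect page and not the YARA engine.
The sample buffers below are constructed stand-ins, not real binaries.
"""
from __future__ import annotations

from typing import Dict, List

# The four strings declared in the rule, exactly as on the page.
RULE_STRINGS: Dict[str, bytes] = {
    "$create_snapshot": b"CreateToolhelp32Snapshot",
    "$process32_first": b"Process32First",
    "$process32_next": b"Process32Next",
    "$get_current_pid": b"GetCurrentProcessId",
}


def matched_strings(data: bytes) -> Dict[str, List[int]]:
    """Return, per rule string, every offset at which it occurs in data.

    A YARA string with no modifier is a case-sensitive ASCII match, which
    is what bytes.find() reproduces; UTF-16LE ("wide") text will not hit.
    """
    hits: Dict[str, List[int]] = {}
    for name, needle in RULE_STRINGS.items():
        offsets: List[int] = []
        start = 0
        while (idx := data.find(needle, start)) != -1:
            offsets.append(idx)
            start = idx + 1
        hits[name] = offsets
    return hits


def missing_strings(data: bytes) -> List[str]:
    """Names of rule strings that never occur in data (empty when all hit)."""
    return [name for name, offs in matched_strings(data).items() if not offs]


def rule_matches(data: bytes) -> bool:
    """`all of them`: every declared string has at least one occurrence."""
    return not missing_strings(data)


def _import_table(names: List[bytes], encoding: str = "ascii") -> bytes:
    """Constructed stand-in for a PE import-name table: NUL-separated API
    names between filler bytes. Not a valid PE, just enough for matching."""
    body = b"\x00".join(n.decode("ascii").encode(encoding) for n in names)
    return b"MZ" + b"\x90" * 16 + body + b"\x00" * 8


# Constructed sample 1: imports all four Toolhelp/PID APIs (plus unrelated ones).
# Note that a benign process viewer would import exactly the same names.
SAMPLE_ENUMERATOR = _import_table([
    b"kernel32.dll", b"CreateToolhelp32Snapshot", b"Process32First",
    b"Process32Next", b"GetCurrentProcessId", b"OpenProcess",
])

# Constructed sample 2: walks a snapshot but never calls GetCurrentProcessId.
SAMPLE_PARTIAL = _import_table([
    b"kernel32.dll", b"CreateToolhelp32Snapshot", b"Process32First",
    b"Process32Next",
])

# Constructed sample 3: the same four names stored as UTF-16LE text only.
SAMPLE_WIDE = _import_table([
    b"CreateToolhelp32Snapshot", b"Process32First", b"Process32Next",
    b"GetCurrentProcessId",
], encoding="utf-16-le")


if __name__ == "__main__":
    for label, blob in [("enumerator", SAMPLE_ENUMERATOR),
                        ("partial", SAMPLE_PARTIAL),
                        ("wide-only", SAMPLE_WIDE)]:
        print(f"{label:10s} match={rule_matches(blob)!s:5s} "
              f"missing={missing_strings(blob)}")
```

Two points the runs make visible. First, the rule is a triage signal rather than a verdict: any program that enumerates processes through the Toolhelp API carries the same four names, so a hit should be weighed alongside the other techniques a sample matches (the sample list on this page shows it firing together with several). Second, because the strings carry no modifier, names stored only as UTF-16LE text do not match; PE import tables store names as ASCII, so that is normally fine, and YARA's `wide` modifier exists if wide string matching is wanted as well.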

Associated Techniques

Technique Name            Technique IDs  Snippet(s)  OS
Parent Process Detection  U0404

Matching Samples (10 most recent)

Sample Name        Matching Techniques  First Seen  Last Seen
5.exe              9                    2025-05-30  1 day, 8 hours ago
q.apk.exe          8                    2025-05-30  1 day, 8 hours ago
cobalt_sample.exe  13                   2025-05-25  1 week ago
hmpalert.exe       8                    2025-04-20  1 month ago
firefox.exe        3                    2025-04-26  1 month ago
DarkComet.exe      8                    2025-04-25  1 month ago
mmmm.exe           7                    2025-03-23  2 months, 1 week ago
noui.exe           8                    2025-02-20  3 months, 1 week ago
dt_socket.exe_     7                    2025-02-20  3 months, 1 week ago
csgo.dll           10                   2025-02-17  3 months, 2 weeks ago

Created

December 7, 2022

Last Revised

December 7, 2022