(YARA) YARA_DetectParentProcess
rule ParentProcessEvasion
{
strings:
// Check for the CreateToolhelp32Snapshot() function call
$create_snapshot = "CreateToolhelp32Snapshot"
// Check for the Process32First() function call
$process32_first = "Process32First"
// Check for the Process32Next() function call
$process32_next = "Process32Next"
// Check for the GetCurrentProcessId() function call
$get_current_pid = "GetCurrentProcessId"
condition:
// Check if all the required strings are present in the code
all of them
}
Associated Techniques
| Technique Name | Technique ID's | Snippet(s) | OS |
|---|---|---|---|
| Parent Process Detection | U0404 |
Matching Samples 10 most recent
| Sample Name | Matching Techniques | First Seen | Last Seen |
|---|---|---|---|
| cfcb85ddfe25f093feb249d4004d...064da7e9ed119971859c61817f1f | 7 | 2024-11-19 | 1 day, 23 hours ago |
| 57e0cadabe82b0c02a5d4606b0a3...6672d88e5a1ea4651969392c290b | 12 | 2024-11-19 | 2 days ago |
| 315194f647f925de53ce6f014d64...9fb23070d253276b626a132557e8 | 10 | 2024-11-19 | 2 days ago |
| 23b1971659b16e186f9e1b36d8bc...e512b346e78f77dc314503aac59a | 13 | 2024-11-19 | 2 days ago |
| 0f52170adf871c6983d7aaa2162a...7b5850a294feaa71dcaffcf661a2 | 12 | 2024-11-19 | 2 days ago |
| implant.exe | 6 | 2024-11-18 | 3 days, 9 hours ago |
| KnightOnLine.exe | 7 | 2024-11-17 | 3 days, 17 hours ago |
| malw_test.exe | 5 | 2024-11-14 | 6 days, 22 hours ago |
| dudu.exe | 6 | 2024-11-14 | 1 week ago |
| al-khaser.exe | 24 | 2024-11-13 | 1 week ago |
Created
December 7, 2022
Last Revised
December 7, 2022