(YARA) YARA_DetectParentProcess
```yara
rule ParentProcessEvasion
{
    strings:
        // Reference to the CreateToolhelp32Snapshot() API used to enumerate running processes
        $create_snapshot = "CreateToolhelp32Snapshot"
        // Reference to the Process32First() API that starts walking the process snapshot
        $process32_first = "Process32First"
        // Reference to the Process32Next() API that continues walking the process snapshot
        $process32_next = "Process32Next"
        // Reference to the GetCurrentProcessId() API used to locate the sample's own entry (and thus its parent)
        $get_current_pid = "GetCurrentProcessId"

    condition:
        // Match only when every one of the strings above is present in the file
        all of them
}
```
Associated Techniques
| Technique Name | Technique ID | Snippet(s) | OS |
|---|---|---|---|
| Parent Process Detection | U0404 | | |
Matching Samples (10 most recent)

| Sample Name | Matching Techniques | First Seen | Last Seen |
|---|---|---|---|
| noui.exe | 8 | 2025-02-20 | 1 day, 14 hours ago |
| dt_socket.exe_ | 7 | 2025-02-20 | 1 day, 17 hours ago |
| csgo.dll | 10 | 2025-02-17 | 4 days, 12 hours ago |
| hmpalert pre-patched.exe | 7 | 2025-02-12 | 1 week, 3 days ago |
| cracked-by-txmuxn.exe | 6 | 2025-02-09 | 1 week, 5 days ago |
| WNetWatcher.exe | 4 | 2025-02-06 | 2 weeks, 2 days ago |
| ZClient.exe | 12 | 2025-01-13 | 1 month, 1 week ago |
| Xulytaikhoan.xlsx | 14 | 2024-11-26 | 2 months, 3 weeks ago |
| putty-64bit-0.81-installer.msi | 2 | 2024-11-25 | 2 months, 3 weeks ago |
| procexp.exe | 6 | 2024-11-21 | 3 months ago |
Created: December 7, 2022
Last Revised: December 7, 2022