(YARA) YARA_disable_process

Download Raw 

rule UNPROTECT_disable_process {
    meta:
	author = "Thomas Roccia | @fr0gger_"
	description = "Disable blacklisted processes"
    strings:
        $api1 = "CreateToolhelp32Snapshot" nocase
        $api2 = "Process32First" nocase
        $api3 = "Process32Next" nocase
        $api4 = "TerminateProcess" nocase
        $api5 = "NtGetNextProcess" nocase
        $p1 = "taskkill.exe" nocase
        $p2 = "tskill.exe" nocase
    condition:
        uint32(uint32(0x3C)) == 0x4550 and 2 of ($api*) or any of ($p*) 
}

Associated Techniques

Technique Name Technique ID's Snippet(s) OS
Kill Process U0403

Matching Samples 10 most recent

Sample Name Matching Techniques First Seen Last Seen
TS_4775.tmp 7 2025-12-23 6 days, 17 hours ago
reqloghad.dll 7 2025-12-22 1 week ago
MBSetup (3).exe 6 2025-10-18 1 week, 3 days ago
setup.exe 11 2025-12-09 2 weeks, 6 days ago
pafish64.exe 10 2025-12-06 3 weeks, 1 day ago
Launcher_dump.exe 7 2025-11-30 4 weeks, 1 day ago
frostygoop.exe 7 2025-10-24 2 months ago
ri_setup_full4134_UjiwJcEu.exe 7 2025-10-02 2 months, 3 weeks ago
hid-tools.dll 13 2025-09-22 3 months, 1 week ago
Yandex.exe 8 2025-09-20 3 months, 1 week ago
View All
Created

June 20, 2022

Last Revised

June 20, 2022