(YARA) YARA_disable_process

Download Raw 

rule UNPROTECT_disable_process {
    meta:
	author = "Thomas Roccia | @fr0gger_"
	description = "Disable blacklisted processes"
    strings:
        $api1 = "CreateToolhelp32Snapshot" nocase
        $api2 = "Process32First" nocase
        $api3 = "Process32Next" nocase
        $api4 = "TerminateProcess" nocase
        $api5 = "NtGetNextProcess" nocase
        $p1 = "taskkill.exe" nocase
        $p2 = "tskill.exe" nocase
    condition:
        uint32(uint32(0x3C)) == 0x4550 and 2 of ($api*) or any of ($p*) 
}

Associated Techniques

Technique Name Technique ID's Snippet(s) OS
Kill Process U0403

Matching Samples 10 most recent

Sample Name Matching Techniques First Seen Last Seen
hmpalert.exe 8 2025-04-20 7 hours, 6 minutes ago
NLiveConnectorSetup.exe 4 2025-04-05 2 weeks, 1 day ago
mmmm.exe 7 2025-03-23 3 weeks, 6 days ago
FBH.dll 10 2025-03-22 4 weeks ago
OutlastDev hackvshack.net.dll 4 2025-03-02 1 month, 2 weeks ago
noui.exe 8 2025-02-20 1 month, 4 weeks ago
dt_socket.exe_ 7 2025-02-20 1 month, 4 weeks ago
csgo.dll 10 2025-02-17 2 months ago
slipknot hackvshack.net.dll 5 2025-02-12 2 months, 1 week ago
hmpalert pre-patched.exe 7 2025-02-12 2 months, 1 week ago
View All
Created

June 20, 2022

Last Revised

June 20, 2022