(YARA) YARA_disable_process
rule UNPROTECT_disable_process {
meta:
author = "Thomas Roccia | @fr0gger_"
description = "Disable blacklisted processes"
strings:
$api1 = "CreateToolhelp32Snapshot" nocase
$api2 = "Process32First" nocase
$api3 = "Process32Next" nocase
$api4 = "TerminateProcess" nocase
$api5 = "NtGetNextProcess" nocase
$p1 = "taskkill.exe" nocase
$p2 = "tskill.exe" nocase
condition:
uint32(uint32(0x3C)) == 0x4550 and 2 of ($api*) or any of ($p*)
}
Associated Techniques
| Technique Name | Technique ID's | Snippet(s) | OS |
|---|---|---|---|
| Kill Process | U0403 |
Matching Samples 10 most recent
| Sample Name | Matching Techniques | First Seen | Last Seen |
|---|---|---|---|
| procexp.exe | 6 | 2024-11-21 | 1 day, 13 hours ago |
| cfcb85ddfe25f093feb249d4004d...064da7e9ed119971859c61817f1f | 7 | 2024-11-19 | 3 days, 19 hours ago |
| 57e0cadabe82b0c02a5d4606b0a3...6672d88e5a1ea4651969392c290b | 12 | 2024-11-19 | 3 days, 19 hours ago |
| 315194f647f925de53ce6f014d64...9fb23070d253276b626a132557e8 | 10 | 2024-11-19 | 3 days, 20 hours ago |
| 2a0592dc54fd5450c78dc3184d07...3551f3210d6a334bdd8f28d6e9f1 | 9 | 2024-11-19 | 3 days, 20 hours ago |
| 23b1971659b16e186f9e1b36d8bc...e512b346e78f77dc314503aac59a | 13 | 2024-11-19 | 3 days, 20 hours ago |
| 0f52170adf871c6983d7aaa2162a...7b5850a294feaa71dcaffcf661a2 | 12 | 2024-11-19 | 3 days, 20 hours ago |
| implant.exe | 6 | 2024-11-18 | 5 days, 5 hours ago |
| KnightOnLine.exe | 7 | 2024-11-17 | 5 days, 13 hours ago |
| malw_test.exe | 5 | 2024-11-14 | 1 week, 1 day ago |
Created
June 20, 2022
Last Revised
June 20, 2022