(YARA) YARA_disable_process

Download Raw 

rule UNPROTECT_disable_process {
    meta:
	author = "Thomas Roccia | @fr0gger_"
	description = "Disable blacklisted processes"
    strings:
        $api1 = "CreateToolhelp32Snapshot" nocase
        $api2 = "Process32First" nocase
        $api3 = "Process32Next" nocase
        $api4 = "TerminateProcess" nocase
        $api5 = "NtGetNextProcess" nocase
        $p1 = "taskkill.exe" nocase
        $p2 = "tskill.exe" nocase
    condition:
        uint32(uint32(0x3C)) == 0x4550 and 2 of ($api*) or any of ($p*) 
}

Associated Techniques

Technique Name Technique ID's Snippet(s) OS
Kill Process U0403

Matching Samples 10 most recent

Sample Name Matching Techniques First Seen Last Seen
ZClient.exe 12 2025-01-13 2 weeks, 3 days ago
kernel32.dll 13 2024-12-30 1 month ago
br1.dll 10 2024-12-03 1 month, 3 weeks ago
satan_ransomware.exe 10 2024-11-30 2 months ago
EDR Silencer 1.4.exe 8 2024-11-29 2 months ago
Xulytaikhoan.xlsx 14 2024-11-26 2 months ago
procexp.exe 6 2024-11-21 2 months, 1 week ago
cfcb85ddfe25f093feb249d4004d...064da7e9ed119971859c61817f1f 7 2024-11-19 2 months, 1 week ago
57e0cadabe82b0c02a5d4606b0a3...6672d88e5a1ea4651969392c290b 12 2024-11-19 2 months, 1 week ago
315194f647f925de53ce6f014d64...9fb23070d253276b626a132557e8 10 2024-11-19 2 months, 1 week ago
View All
Created

June 20, 2022

Last Revised

June 20, 2022