(YARA) YARA_disable_process

Download Raw 

rule UNPROTECT_disable_process {
    meta:
	author = "Thomas Roccia | @fr0gger_"
	description = "Disable blacklisted processes"
    strings:
        $api1 = "CreateToolhelp32Snapshot" nocase
        $api2 = "Process32First" nocase
        $api3 = "Process32Next" nocase
        $api4 = "TerminateProcess" nocase
        $api5 = "NtGetNextProcess" nocase
        $p1 = "taskkill.exe" nocase
        $p2 = "tskill.exe" nocase
    condition:
        uint32(uint32(0x3C)) == 0x4550 and 2 of ($api*) or any of ($p*) 
}

Associated Techniques

Technique Name Technique ID's Snippet(s) OS
Kill Process U0403

Matching Samples 10 most recent

Sample Name Matching Techniques First Seen Last Seen
OutlastDev hackvshack.net.dll 4 2025-03-02 6 days, 19 hours ago
noui.exe 8 2025-02-20 2 weeks, 2 days ago
dt_socket.exe_ 7 2025-02-20 2 weeks, 3 days ago
csgo.dll 10 2025-02-17 2 weeks, 5 days ago
slipknot hackvshack.net.dll 5 2025-02-12 3 weeks, 4 days ago
hmpalert pre-patched.exe 7 2025-02-12 3 weeks, 4 days ago
weave hackvshack.net.dll 6 2025-02-12 3 weeks, 4 days ago
cracked-by-txmuxn.exe 6 2025-02-09 3 weeks, 6 days ago
WNetWatcher.exe 4 2025-02-06 1 month ago
ZClient.exe 12 2025-01-13 1 month, 3 weeks ago
View All
Created

June 20, 2022

Last Revised

June 20, 2022