(YARA) YARA_disable_process
rule UNPROTECT_disable_process {
meta:
author = "Thomas Roccia | @fr0gger_"
description = "Disable blacklisted processes"
strings:
$api1 = "CreateToolhelp32Snapshot" nocase
$api2 = "Process32First" nocase
$api3 = "Process32Next" nocase
$api4 = "TerminateProcess" nocase
$api5 = "NtGetNextProcess" nocase
$p1 = "taskkill.exe" nocase
$p2 = "tskill.exe" nocase
condition:
uint32(uint32(0x3C)) == 0x4550 and 2 of ($api*) or any of ($p*)
}
Associated Techniques
| Technique Name | Technique ID's | Snippet(s) | OS |
|---|---|---|---|
| Kill Process | U0403 |
Matching Samples 10 most recent
| Sample Name | Matching Techniques | First Seen | Last Seen |
|---|---|---|---|
| hmpalert.exe | 8 | 2025-04-20 | 1 week, 4 days ago |
| firefox.exe | 3 | 2025-04-26 | 2 weeks ago |
| DarkComet.exe | 8 | 2025-04-25 | 2 weeks, 1 day ago |
| NLiveConnectorSetup.exe | 4 | 2025-04-05 | 1 month ago |
| mmmm.exe | 7 | 2025-03-23 | 1 month, 2 weeks ago |
| FBH.dll | 10 | 2025-03-22 | 1 month, 2 weeks ago |
| OutlastDev hackvshack.net.dll | 4 | 2025-03-02 | 2 months, 1 week ago |
| noui.exe | 8 | 2025-02-20 | 2 months, 2 weeks ago |
| dt_socket.exe_ | 7 | 2025-02-20 | 2 months, 2 weeks ago |
| csgo.dll | 10 | 2025-02-17 | 2 months, 3 weeks ago |
Created
June 20, 2022
Last Revised
June 20, 2022