update create-process-suspended to include DEBUG_ONLY_THIS_PROCESS (#978)
mike-hunhoff authored Jan 7, 2025
1 parent e033410 commit ff9db74
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions host-interaction/process/create/create-process-suspended.yml
Expand Up @@ -4,18 +4,23 @@ rule:
namespace: host-interaction/process/create
authors:
- william.ballenthin@mandiant.com
- mehunhoff@google.com
scopes:
static: basic block
dynamic: call
mbc:
- Process::Create Process::Create Suspended Process [C0017.003]
references:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-two-of-three/
- https://learn.microsoft.com/en-us/windows/win32/procthread/process-creation-flags#flags
examples:
- Practical Malware Analysis Lab 03-03.exe_:0x4010EA
features:
- and:
- or:
- number: 0x08000004 = CREATE_NO_WINDOW | CREATE_SUSPENDED
- number: 4 = CREATE_SUSPENDED
- number: 2 = DEBUG_ONLY_THIS_PROCESS
- or:
- api: kernel32.CreateProcess
- api: advapi32.CreateProcessAsUser
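Review bot: the new `- number: 2 = DEBUG_ONLY_THIS_PROCESS` alternative in the `or:` block has no corresponding entry under `examples:`; the only sample listed, `Practical Malware Analysis Lab 03-03.exe_:0x4010EA`, exercises the CREATE_SUSPENDED path, so nothing in the rule's example set confirms the new value is matched as intended. Please add a sample and address that hits the DEBUG_ONLY_THIS_PROCESS branch. Two further points: the literal `2` is a far more common immediate than `4` or `0x08000004`, so within a `basic block` scope beside `kernel32.CreateProcess` or `advapi32.CreateProcessAsUser` this branch will be noisier than the existing ones, which is worth a sanity check against a few benign binaries; and since the rule is tagged `Create Suspended Process [C0017.003]`, it may be worth stating (in the rule description, not shown in this hunk) that a child created with DEBUG_ONLY_THIS_PROCESS is held at debug events by the parent rather than created suspended, and that the sibling flag DEBUG_PROCESS (0x1) from the linked process-creation-flags page is the natural counterpart if debugger-attached creation is now in scope.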
