create process suspended

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: create process suspended
    namespace: host-interaction/process/create
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: basic block
      dynamic: call
    mbc:
      - Process::Create Process::Create Suspended Process [C0017.003]
    examples:
      - Practical Malware Analysis Lab 03-03.exe_:0x4010EA
  features:
    - and:
      - or:
        - number: 0x08000004 = CREATE_NO_WINDOW | CREATE_SUSPENDED
        - number: 4 = CREATE_SUSPENDED
      - or:
        - api: kernel32.CreateProcess
        - api: advapi32.CreateProcessAsUser

last edited: 2023-11-24 10:35:00