create process suspended

edit on GitHub
search on VirusTotal
rule:
  meta:
    name: create process suspended
    namespace: host-interaction/process/create
    authors:
      - william.ballenthin@mandiant.com
      - mehunhoff@google.com
    scopes:
      static: basic block
      dynamic: call
    mbc:
      - Process::Create Process::Create Suspended Process [C0017.003]
    references:
      - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-two-of-three/
      - https://learn.microsoft.com/en-us/windows/win32/procthread/process-creation-flags#flags
    examples:
      - Practical Malware Analysis Lab 03-03.exe_:0x4010EA
  features:
    - and:
      - or:
        - number: 0x08000004 = CREATE_NO_WINDOW | CREATE_SUSPENDED
        - number: 4 = CREATE_SUSPENDED
        - number: 2 = DEBUG_ONLY_THIS_PROCESS
      - or:
        - api: kernel32.CreateProcess
        - api: advapi32.CreateProcessAsUser
last edited: 2025-01-07 20:02:37