enumerate processes that use resource

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: enumerate processes that use resource
    namespace: host-interaction/process
    authors:
      - "@Ana06"
    scopes:
      static: function
      dynamic: thread
    references:
      - https://www.malwarebytes.com/blog/threat-intelligence/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners
    # examples:
    #  - 43b7a60c0ef8b4af001f45a0c57410b7374b1d75a6811e0dfc86e4d60f503856:0x402C5E
  features:
    - and:
      - api: rstrtmgr.RmRegisterResources
      - api: rstrtmgr.RmGetList
      - optional:
        - api: RmStartSession

last edited: 2023-11-24 10:34:28