rule:
meta:
name: execute shellcode via CreateThreadpoolWait
namespace: load-code/shellcode
authors:
- jakub.jozwiak@mandiant.com
scopes:
static: function
dynamic: thread
references:
- https://github.com/S4R1N/AlternativeShellcodeExec/blob/master/CreateThreadPoolWait/CreateThreadPoolWait.cpp
examples:
- a4f1f09a2b9bc87de90891da6c0fca28e2f88fd67034648060cef9862af9a3bf:0x10001010
features:
- and:
- match: allocate or change RWX memory
- api: CreateEvent
- api: CreateThreadpoolWait
- api: SetThreadpoolWait
- or:
- api: WaitForSingleObject
- api: WaitForThreadpoolWaitCallbacks
last edited: 2023-11-24 10:34:28