read from mailslot

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: read from mailslot
    namespace: communication/mailslot
    authors:
      - nick.simonian@mandiant.com
    scopes:
      static: function
      dynamic: thread
    mbc:
      - Communication::Interprocess Communication [C0003]
    references:
      - https://learn.microsoft.com/en-us/windows/win32/ipc/reading-from-a-mailslot
    examples:
      - CC870A35C6840987DCB8C2DD46BC230A:0x4010F0
  features:
    - and:
      - api: kernel32.GetMailslotInfo
      - or:
        - api: kernel32.ReadFile
        - api: kernel32.ReadFileEx

last edited: 2023-11-24 10:34:28