spawn thread to RWX shellcode

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: spawn thread to RWX shellcode
    namespace: load-code/shellcode
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    mbc:
      - Memory::Allocate Memory [C0007]
      - Process::Create Thread [C0038]
    examples:
      - Practical Malware Analysis Lab 19-02.exe_:0x401230
  features:
    - and:
      - match: allocate or change RWX memory
      - match: create thread

last edited: 2025-01-29 09:27:13