Add enumerate-blocking-processes.yml #705

Merged (5 commits), Oct 12, 2023
Conversation

Ana06 (Member) commented Feb 20, 2023

The AVOSLOCKER ransomware uses the APIs `RmRegisterResources` and `RmGetList` to get a list of processes blocking the file to encrypt and stop them.
Comment on lines 10 to 11
examples:
- 43b7a60c0ef8b4af001f45a0c57410b7374b1d75a6811e0dfc86e4d60f503856:0x402C5E
Collaborator commented:

Should we add this to the testfiles or remove here?

@@ -0,0 +1,17 @@
rule:
meta:
name: enumerate blocking processes
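Review bot: `name: enumerate blocking processes` does not say what the processes are blocking, and the `meta:` block shown here carries no `description:`. The two APIs the PR names (`RmRegisterResources`, `RmGetList`) are Restart Manager calls that list the processes holding a registered file open, so a name along the lines of `enumerate processes that hold a file open via Restart Manager` and a one-line `description:` stating that the technique is used to free a locked file before encrypting it would make the rule self-explanatory in a capa report.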
Collaborator commented:

This name isn't super descriptive to me: it's not clear what the process is blocking. Would you at least add a description that explains what this is?

Comment on lines 14 to 15
- api: RmRegisterResources
- api: RmGetList
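Review bot: `- api: RmRegisterResources` and `- api: RmGetList` should carry their module, since both are exported by `rstrtmgr.dll` (capa accepts the `api: rstrtmgr.RmGetList` form), and they are stronger evidence together than apart: the logic block they sit under is not visible in this excerpt, but if it is an `or:`, consider an `and:`, because legitimate installers and updaters also import `RmGetList`, while the pair (preceded by `RmStartSession`, which every Restart Manager session requires) in one function is the pattern the PR description actually describes.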
Collaborator commented:

Recommend adding the DLL name to be explicit, but not required.

mr-tz (Collaborator) commented Oct 12, 2023

Thanks, @Ana06!

@mr-tz mr-tz merged commit 2626fc6 into mandiant:master Oct 12, 2023
3 checks passed