mandiant / capa-rules

Standard collection of rules for capa: the tool for enumerating the capabilities of programs
https://github.com/mandiant/capa/
Apache License 2.0

add coverage for process manipulation via WMI Win32_Process #471

Open mike-hunhoff opened 3 years ago

mike-hunhoff commented 3 years ago

The Win32_Process WMI class represents a process on an operating system.

https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/create-method-in-class-win32-process
https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/terminate-method-in-class-win32-process

mike-hunhoff commented 2 years ago

similar to #470.

create process via Win32_Process:

```yaml
...
- and:
  - string: "Win32_Process"
  - or:
    - string: "Create"
```

terminate process via Win32_Process:

```yaml
...
- and:
  - string: "Win32_Process"
  - or:
    - string: "Terminate"
```
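As an added illustration of how the `and`/`or`/`string` feature trees sketched in the comment above compose, here is a minimal evaluator run over constructed string sets (this is not capa's own matching engine, and the sample string sets are made up for the example). It assumes capa's `string` feature semantics, i.e. an exact match against an extracted string rather than a substring match.

```python
# Added example, not capa's own engine: evaluate the and/or/string feature
# logic from the rule sketches in this issue against constructed string sets
# that stand in for strings extracted from a sample.

# Feature trees transcribed from the sketches above; the "..." meta fields
# of a full capa rule are intentionally omitted.
RULES = {
    "create process via Win32_Process": {
        "and": [
            {"string": "Win32_Process"},
            {"or": [{"string": "Create"}]},
        ]
    },
    "terminate process via Win32_Process": {
        "and": [
            {"string": "Win32_Process"},
            {"or": [{"string": "Terminate"}]},
        ]
    },
}


def evaluate(node, strings):
    """Recursively evaluate a capa-style feature node against a set of strings.

    Only the subset used by the sketches is supported: 'and', 'or' and
    'string'. 'string' is an exact match, mirroring capa's string feature
    (capa has a separate 'substring' feature for partial matches).
    """
    if "and" in node:
        return all(evaluate(child, strings) for child in node["and"])
    if "or" in node:
        return any(evaluate(child, strings) for child in node["or"])
    if "string" in node:
        return node["string"] in strings
    raise ValueError(f"unsupported feature node: {node}")


def match_rules(strings, rules=RULES):
    """Return the sorted names of rules whose feature tree matches the strings."""
    return sorted(name for name, tree in rules.items() if evaluate(tree, strings))


# Constructed string sets, not taken from any real sample.
SAMPLE_WMI_SPAWN = {"ROOT\\CIMV2", "Win32_Process", "Create", "CommandLine"}
SAMPLE_WMI_QUERY = {"ROOT\\CIMV2", "Win32_Process", "SELECT * FROM Win32_Process"}

if __name__ == "__main__":
    print(match_rules(SAMPLE_WMI_SPAWN))  # ['create process via Win32_Process']
    print(match_rules(SAMPLE_WMI_QUERY))  # []
```

The second sample shows the limiting factor of the sketch: a binary that only queries `Win32_Process` does not match, because the exact string "Create" or "Terminate" is also required.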