# capa rule: flags code that creates a new thread.
# `features` is one top-level `or`, so the rule matches when any of the three
# platform branches below matches inside the scope declared in `meta.scopes`
# (a basic block for static analysis, a thread for dynamic analysis).
rule:
  meta:
    name: create thread
    namespace: host-interaction/thread/create
    # NOTE(review): rendered empty here, and a bare key parses as null. capa
    # expects a list of author strings under this key, so the entries were
    # most likely dropped by the page rendering; confirm against the repository.
    authors:
    scopes:
      static: basic block
      dynamic: thread
    # Malware Behavior Catalog identifier for this behaviour.
    mbc:
      - Process::Create Thread [C0038]
    # Sample hash and the address at which the rule is expected to match.
    examples:
      - 946A99F36A46D335DEC080D9A4371940:0x10001DA0
      - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x408020
  features:
    - or:
      # Windows: any of the user-mode (kernel32/CRT), kernel-mode
      # (PsCreateSystemThread), shell (SH*) or native (Rtl*/Nt*/Zw*)
      # thread-creation APIs. The remote-thread variants are matched here as
      # plain thread creation; this rule does not distinguish whether the
      # thread is started in another process.
      - and:
        - os: windows
        - or:
          - api: kernel32.CreateThread
          - api: _beginthread
          - api: _beginthreadex
          - api: PsCreateSystemThread
          - api: SHCreateThread
          - api: SHCreateThreadWithHandle
          - api: kernel32.CreateRemoteThread
          - api: kernel32.CreateRemoteThreadEx
          - api: RtlCreateUserThread
          - api: ntdll.NtCreateThread
          - api: ntdll.NtCreateThreadEx
          - api: ntdll.ZwCreateThread
          - api: ntdll.ZwCreateThreadEx
      # Linux and Android: POSIX threads.
      - and:
        - or:
          - os: linux
          - os: android
        - api: pthread_create
      # .NET: Thread::Start is required; the constructor is wrapped in
      # `optional`, so a match does not depend on it being observed.
      - and:
        - api: System.Threading.Thread::Start
        - optional:
          - api: System.Threading.Thread::ctor