Thimble Kill Script File Zip Guide

rule Thimble_Kill_Script
{
    meta:
        description = "Detects potential EDR kill scripts"
        author = "Security Researcher"
        date = "2025-03-01"

    strings:
        // Commands that stop processes or disable Defender / services
        $kill1 = "taskkill /f /im" ascii wide
        $kill2 = "Stop-Process -Name" ascii wide
        $kill3 = "Set-MpPreference -DisableRealtimeMonitoring" ascii wide
        $kill4 = "net stop WinDefend" ascii wide
        $kill5 = "sc stop" ascii wide
        // Downloader commands that often accompany a kill script
        $download1 = "Invoke-WebRequest" ascii wide
        $download2 = "wget " ascii wide
        // Batch self-deletion (%~f0 is the script's own path)
        $selfdel = "del /f /q %~f0" ascii wide

    condition:
        // Either a kill command paired with a downloader, or self-deletion alone
        (
            ($kill1 or $kill2 or $kill3 or $kill4 or $kill5)
            and ($download1 or $download2)
        ) or $selfdel
}


It looks like you're looking for a "Thimble Kill Script." While "Thimble" is often associated with Mozilla Thimble

A common trick seen with "kill scripts" is naming the file Thimble_Kill_Script.txt.exe inside the zip. The executable's icon may be replaced with a text-file icon (via resource editing), so the user believes the file is a harmless text document even though Windows will run it as an .exe.
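As an added example (not part of the original page), the following Python scans a zip archive for both indicators described above: decoy double-extension member names and the rule's string set, which it matches as ASCII and as UTF-16LE to mirror the rule's `ascii wide` modifiers. The executable-extension list and the archive it builds are constructed assumptions for the demonstration.

```python
import io
import zipfile

# Indicator strings from the YARA rule above; matched as ASCII and as UTF-16LE
# so the check mirrors the rule's `ascii wide` modifiers.
KILL_STRINGS = ["taskkill /f /im", "Stop-Process -Name",
                "Set-MpPreference -DisableRealtimeMonitoring", "net stop WinDefend", "sc stop"]
DOWNLOAD_STRINGS = ["Invoke-WebRequest", "wget "]
SELFDEL_STRING = "del /f /q %~f0"
# Extensions treated as executable for the double-extension check (assumed list).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".vbs", ".js"}

def has_double_extension(name: str) -> bool:
    """True for decoy names such as Thimble_Kill_Script.txt.exe."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    return len(parts) >= 3 and "." + parts[-1] in EXEC_EXTS

def contains(data: bytes, s: str) -> bool:
    return s.encode("ascii") in data or s.encode("utf-16-le") in data

def matches_rule(data: bytes) -> bool:
    """Re-implements the rule's condition: (kill AND download) OR self-delete."""
    kill = any(contains(data, s) for s in KILL_STRINGS)
    download = any(contains(data, s) for s in DOWNLOAD_STRINGS)
    return (kill and download) or contains(data, SELFDEL_STRING)

def scan_zip(blob: bytes) -> dict:
    """Return {member_name: [findings]} for every suspicious archive member."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            hits = []
            if has_double_extension(info.filename):
                hits.append("double-extension")
            if matches_rule(zf.read(info)):
                hits.append("kill-script-strings")
            if hits:
                findings[info.filename] = hits
    return findings

def build_sample_zip() -> bytes:
    """Constructed fixture (not real malware): decoy-named member with wide strings plus a self-deleting batch file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "nothing suspicious here")
        zf.writestr("Thimble_Kill_Script.txt.exe",
                    b"MZ" + "Invoke-WebRequest".encode("utf-16-le") + "net stop WinDefend".encode("utf-16-le"))
        zf.writestr("cleanup.bat", "echo done\r\ndel /f /q %~f0\r\n")
    return buf.getvalue()
```

Note that a member with only a kill command and no downloader is not flagged by the rule logic, exactly as in the YARA condition; the double-extension check catches such a file only by its name.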