(YARA) YARA_detect_tlscallback

rule detect_tlscallback {
    meta:
        description = "Simple rule to detect tls callback as anti-debug."
        author = "Thomas Roccia | @fr0gger_"
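    strings:
        // Literal identifier names only; the rule does not parse the PE TLS directory.
        $str1 = "TLS_CALLBACK" nocase
        $str2 = "TLScallback" nocase
    condition:
        // The DWORD at 0x3C (e_lfanew) must point to the "PE\0\0" signature.
        uint32(uint32(0x3C)) == 0x4550 and any of them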
}

Associated Techniques

| Technique Name | Technique ID's | Snippet(s) | OS |
|---|---|---|---|
| TLS Callback | U0124 | | |

Matching Samples 10 most recent

| Sample Name | Matching Techniques | First Seen | Last Seen |
|---|---|---|---|
| EDRSilencer.exe | 9 | 2024-11-14 | 1 week, 2 days ago |
| nop_check_final.exe | 8 | 2024-11-13 | 1 week, 2 days ago |

Created

June 20, 2022

Last Revised

June 20, 2022