(YARA) YARA_detect_tlscallback

Download Raw 

rule detect_tlscallback {
    meta:
        description = "Simple rule to detect tls callback as anti-debug."
        author = "Thomas Roccia | @fr0gger_"
    strings:
        $str1 = "TLS_CALLBACK" nocase
        $str2 = "TLScallback" nocase
    condition:
        uint32(uint32(0x3C)) == 0x4550 and any of them
}

Associated Techniques

Technique Name Technique ID's Snippet(s) OS
TLS Callback U0124

Matching Samples 10 most recent

Sample Name Matching Techniques First Seen Last Seen
test.exe 7 2024-12-06 2 weeks, 6 days ago
EDR Silencer 1.4.exe 8 2024-11-29 3 weeks, 6 days ago
Xulytaikhoan.xlsx 14 2024-11-26 1 month ago
EDRSilencer.exe 9 2024-11-14 1 month, 1 week ago
nop_check_final.exe 8 2024-11-13 1 month, 1 week ago
View All
Created

June 20, 2022

Last Revised

June 20, 2022