(YARA) YARA_detect_tlscallback

Download Raw 

rule detect_tlscallback {
    meta:
        description = "Simple rule to detect tls callback as anti-debug."
        author = "Thomas Roccia | @fr0gger_"
    strings:
        $str1 = "TLS_CALLBACK" nocase
        $str2 = "TLScallback" nocase
    condition:
        uint32(uint32(0x3C)) == 0x4550 and any of them
}

Associated Techniques

Technique Name Technique ID's Snippet(s) OS
TLS Callback U0124

Matching Samples 10 most recent

Sample Name Matching Techniques First Seen Last Seen
hello.exe 8 2024-12-27 3 months, 4 weeks ago
test.exe 7 2024-12-06 4 months, 2 weeks ago
EDR Silencer 1.4.exe 8 2024-11-29 4 months, 4 weeks ago
Xulytaikhoan.xlsx 14 2024-11-26 5 months ago
EDRSilencer.exe 9 2024-11-14 5 months, 1 week ago
nop_check_final.exe 8 2024-11-13 5 months, 1 week ago
View All
Created

June 20, 2022

Last Revised

June 20, 2022