(YARA) YARA_detect_tlscallback
rule detect_tlscallback {
meta:
description = "Simple rule to detect tls callback as anti-debug."
author = "Thomas Roccia | @fr0gger_"
strings:
$str1 = "TLS_CALLBACK" nocase
$str2 = "TLScallback" nocase
condition:
uint32(uint32(0x3C)) == 0x4550 and any of them
}
Associated Techniques
| Technique Name | Technique ID's | Snippet(s) | OS |
|---|---|---|---|
| TLS Callback | U0124 |
Matching Samples 10 most recent
| Sample Name | Matching Techniques | First Seen | Last Seen |
|---|---|---|---|
| hello.exe | 8 | 2024-12-27 | 3 months, 3 weeks ago |
| test.exe | 7 | 2024-12-06 | 4 months, 1 week ago |
| EDR Silencer 1.4.exe | 8 | 2024-11-29 | 4 months, 2 weeks ago |
| Xulytaikhoan.xlsx | 14 | 2024-11-26 | 4 months, 3 weeks ago |
| EDRSilencer.exe | 9 | 2024-11-14 | 5 months ago |
| nop_check_final.exe | 8 | 2024-11-13 | 5 months ago |
Created
June 20, 2022
Last Revised
June 20, 2022