(YARA) YARA_detect_tlscallback
rule detect_tlscallback {
meta:
description = "Simple rule to detect tls callback as anti-debug."
author = "Thomas Roccia | @fr0gger_"
strings:
$str1 = "TLS_CALLBACK" nocase
$str2 = "TLScallback" nocase
condition:
uint32(uint32(0x3C)) == 0x4550 and any of them
}
Associated Techniques
Technique Name | Technique ID's | Snippet(s) | OS |
---|---|---|---|
TLS Callback | U0124 |
Matching Samples 10 most recent
Sample Name | Matching Techniques | First Seen | Last Seen |
---|---|---|---|
test.exe | 7 | 2024-12-06 | 5 hours, 38 minutes ago |
EDR Silencer 1.4.exe | 8 | 2024-11-29 | 1 week ago |
Xulytaikhoan.xlsx | 14 | 2024-11-26 | 1 week, 3 days ago |
EDRSilencer.exe | 9 | 2024-11-14 | 3 weeks, 1 day ago |
nop_check_final.exe | 8 | 2024-11-13 | 3 weeks, 1 day ago |
Created
June 20, 2022
Last Revised
June 20, 2022