(YARA) YARA_SUSP_Direct_Syscall_Shellcode_Invocation
```yara
rule SUSP_Direct_Syscall_Shellcode_Invocation_Jan24 {
   meta:
      description = "Detects direct syscall evasion technique using NtProtectVirtualMemory to invoke shellcode"
      author = "Jonathan Peters"
      date = "2024-01-14"
      reference = "https://unprotect.it/technique/evasion-using-direct-syscalls/"
      hash = "f7cd214e7460c539d6f8d02b6650098e3983862ff658b76ea02c33f5a45fc836"
      score = 65
   strings:
      $ = { B8 40 00 00 00 67 4C 8D 08 49 89 CA 48 C7 C0 50 00 00 00 0F 05 [4-8] 4C 8D 3D 02 00 00 00 FF E0 }
   condition:
      all of them and
      filesize < 2MB
}
```
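An added example (editor's code, not part of this page or the rule author's work): a small Python matcher for the subset of YARA hex-string syntax the rule above uses (fixed bytes, `??` wildcards and `[n-m]` jumps), run against constructed buffers that place between 3 and 9 filler bytes between the `syscall` and the `jmp rax`, so the effect of the `[4-8]` jump on what the rule does and does not match is visible. The opcode decoding in the comments is the editor's reading of the rule's bytes, and the sample buffers are constructed here; they are not taken from the referenced hash.

```python
import re

# The hex string from the rule above, copied verbatim.
RULE_PATTERN = (
    "B8 40 00 00 00 67 4C 8D 08 49 89 CA 48 C7 C0 50 00 00 00 0F 05 "
    "[4-8] 4C 8D 3D 02 00 00 00 FF E0"
)

# YARA's "2MB" in the condition is 2 * 1024 * 1024 bytes.
MAX_FILESIZE = 2 * 1024 * 1024

_TOKEN_RE = re.compile(r"\[(\d+)-(\d+)\]|\?\?|[0-9A-Fa-f]{2}")
_VALID_RE = re.compile(r"(\s*(\[\d+-\d+\]|\?\?|[0-9A-Fa-f]{2}))*\s*")


def parse_hex_pattern(pattern):
    """Tokenise a YARA hex string into ints (fixed byte), None ('??' wildcard)
    or (lo, hi) tuples ('[lo-hi]' jump). Only this subset of YARA's hex-string
    grammar is handled; it covers everything the rule above uses."""
    if not _VALID_RE.fullmatch(pattern):
        raise ValueError("unsupported or malformed hex pattern")
    tokens = []
    for m in _TOKEN_RE.finditer(pattern):
        text = m.group(0)
        if text.startswith("["):
            tokens.append((int(m.group(1)), int(m.group(2))))
        elif text == "??":
            tokens.append(None)
        else:
            tokens.append(int(text, 16))
    return tokens


def _match_at(data, pos, tokens, idx):
    """Backtracking match of tokens[idx:] against data starting at offset pos."""
    for i in range(idx, len(tokens)):
        tok = tokens[i]
        if isinstance(tok, tuple):
            lo, hi = tok
            # Try every gap length the jump allows; the remainder of the
            # pattern must match right after the gap.
            return any(_match_at(data, pos + n, tokens, i + 1)
                       for n in range(lo, hi + 1))
        if pos >= len(data):
            return False
        if tok is not None and data[pos] != tok:
            return False
        pos += 1
    return True


def scan_for_pattern(data, pattern=RULE_PATTERN):
    """Return every offset at which the hex pattern matches in data."""
    tokens = parse_hex_pattern(pattern)
    return [off for off in range(len(data)) if _match_at(data, off, tokens, 0)]


def rule_matches(data):
    """Mirror the rule's condition: the string is present and filesize < 2MB."""
    return bool(scan_for_pattern(data)) and len(data) < MAX_FILESIZE


# Constructed sample fragments. The decoding in the comments is the editor's
# reading of the rule's bytes (x86-64); the register roles follow the NT
# syscall convention and the rule's own description.
SYSCALL_STUB = bytes.fromhex(
    "B840000000"      # mov eax, 0x40          ; PAGE_EXECUTE_READWRITE
    "674C8D08"        # lea r9, [eax]          ; r9 = 0x40, the NewProtect argument
    "4989CA"          # mov r10, rcx           ; first argument moves to r10 for syscall
    "48C7C050000000"  # mov rax, 0x50          ; system service number (NtProtectVirtualMemory per the rule)
    "0F05"            # syscall
)
JUMP_TO_SHELLCODE = bytes.fromhex(
    "4C8D3D02000000"  # lea r15, [rip+2]
    "FFE0"            # jmp rax                ; rax is presumably reloaded in the 4-8 byte gap
)


def build_sample(gap_len, prefix=b"\x00" * 16, trailer=b"\xCC" * 8):
    """Build a constructed buffer with gap_len filler bytes between the two halves
    of the pattern. The rule's [4-8] jump means only 4 <= gap_len <= 8 matches."""
    return prefix + SYSCALL_STUB + b"\x90" * gap_len + JUMP_TO_SHELLCODE + trailer


if __name__ == "__main__":
    for gap in (3, 4, 6, 8, 9):
        print(f"gap={gap}: match offsets={scan_for_pattern(build_sample(gap))}")
```

With the 16-byte prefix used by `build_sample`, gaps of 4, 6 and 8 bytes report a match at offset 16, while gaps of 3 and 9 report none; widening the jump range in a local copy of the rule is the quickest way to see how much the `[4-8]` bound contributes to keeping the rule specific.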
Associated Techniques
Technique Name | Technique IDs | Snippet(s) | OS |
---|---|---|---|
Evasion using direct Syscalls | U0521 | | |
Created: January 14, 2024
Last Revised: January 14, 2024