diff --git a/analyzer/windows/data/yara/PrivateLoader.yar b/analyzer/windows/data/yara/PrivateLoader.yar
new file mode 100644
index 00000000000..18ad22fc210
--- /dev/null
+++ b/analyzer/windows/data/yara/PrivateLoader.yar
@@ -0,0 +1,12 @@
+rule PrivateLoader
+{
+ meta:
+ author = "kevoreilly"
+ description = "PrivateLoader indirect syscall capture"
+ cape_options = "clear,sysbp=$syscall*-2"
+ packed = "075d0dafd7b794fbabaf53d38895cfd7cffed4a3fe093b0fc7853f3b3ce642a4"
+ strings:
+ $syscall = {48 31 C0 4C 8B 19 8B 41 10 48 8B 49 08 49 89 CA 41 FF E3}
+ condition:
+ any of them
+}
diff --git a/changelog.md b/changelog.md
index b9707d41aaf..eadbd064d4e 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,6 @@
 ### [04.10.2024]
 * Monitor update: Add GetClassObject hook to handle UAC bypass technique using CMSTPLUA COM object
+* PrivateLoader direct syscall capture
 ### [01.10.2024]
 * Monitor update: Improve fix for size bug with unpacking embedded PEs
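Review bot: The rule's `description` says "PrivateLoader indirect syscall capture" while the changelog hunk in the same commit adds "PrivateLoader direct syscall capture"; the two should agree, and the `$syscall` bytes (which I read as `xor rax,rax; mov r11,[rcx]; mov eax,[rcx+0x10]; mov rcx,[rcx+8]; mov r10,rcx; jmp r11`, a stub that loads the service number and jumps to a syscall instruction located elsewhere) support "indirect", so the changelog line is the one to correct. A short comment above `$syscall` giving that disassembly would also tell the next maintainer what the breakpoint requested in `cape_options` is anchored on, since `sysbp=$syscall*-2` is otherwise opaque; I cannot confirm from this hunk what the `*-2` offset refers to, so the comment should state it explicitly. The pattern is a fixed 19-byte sequence with no wildcards, so a loader build that changes register allocation will silently stop matching; worth a note in the rule, or `??` on the register-dependent bytes if the sysbp option still resolves the match that way.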