Indirect function calls in malicious documents (here, shellcode that pushes an argument and then calls through a pointer held at the same stack offset) may indicate the use of evasion techniques to bypass standard detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential malware activity that evades traditional signature-based detection.
YARA Rule
rule maldoc_indirect_function_call_1 : maldoc
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        // push dword [ebp+disp8] ; call dword [ebp+disp8]
        $a = {FF 75 ?? FF 55 ??}
    condition:
        // match only when both disp8 bytes are identical
        for any i in (1..#a): (uint8(@a[i] + 2) == uint8(@a[i] + 5))
}
This YARA rule can be deployed in the following contexts:
This rule contains one string pattern ($a) in its detection logic; the condition then requires that, for at least one match, the byte at offset 2 (the push displacement) equals the byte at offset 5 (the call displacement).
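The following is an added example, not part of the original rule or of Didier Stevens' tooling: a pure-Python re-implementation of the rule's matching logic, useful for understanding exactly which byte sequences trigger it and for checking a sample offline without a YARA install. The sample blob, the function names and the offsets are constructed for illustration.

```python
"""Re-implementation of the maldoc_indirect_function_call_1 matching logic.

The YARA string {FF 75 ?? FF 55 ??} decodes (x86, 32-bit) as
    FF 75 dd   push dword [ebp+dd]
    FF 55 dd   call dword [ebp+dd]
and the condition fires only when both disp8 bytes (dd) are equal.
"""
import re
from typing import List

# Same 6-byte shape as the rule's $a string; '.' stands in for '??'.
# Matches cannot overlap (a match never starts with FF 55), so finditer
# yields the same offsets YARA would report via @a[i].
_PATTERN = re.compile(rb"\xff\x75.\xff\x55.", re.DOTALL)


def find_indirect_calls(data: bytes) -> List[int]:
    """Return offsets where the rule's condition holds.

    Mirrors: for any i in (1..#a): (uint8(@a[i] + 2) == uint8(@a[i] + 5))
    """
    hits = []
    for m in _PATTERN.finditer(data):
        off = m.start()
        if data[off + 2] == data[off + 5]:   # push disp8 == call disp8
            hits.append(off)
    return hits


def rule_matches(data: bytes) -> bool:
    """True if the YARA rule would match this buffer."""
    return bool(find_indirect_calls(data))


def describe_hit(data: bytes, off: int) -> str:
    """Render the matched 6 bytes as the two instructions they encode."""
    disp = data[off + 2]
    signed = disp - 256 if disp >= 0x80 else disp       # disp8 is signed
    s = f"-0x{-signed:02x}" if signed < 0 else f"+0x{signed:02x}"
    return f"push dword [ebp{s}]; call dword [ebp{s}]"


# Constructed sample: NOP sled, a push/call pair with *different*
# displacements (not a hit), then a pair with identical displacements
# (a hit), then a RET. Offsets: first pair at 8, second pair at 16.
SAMPLE_BLOB = (
    b"\x90" * 8
    + b"\xff\x75\xf0\xff\x55\xf4"   # push [ebp-0x10]; call [ebp-0x0c]
    + b"\x90\x90"
    + b"\xff\x75\x0c\xff\x55\x0c"   # push [ebp+0x0c]; call [ebp+0x0c]
    + b"\xc3"
)

if __name__ == "__main__":
    for off in find_indirect_calls(SAMPLE_BLOB):
        print(f"0x{off:04x}: {describe_hit(SAMPLE_BLOB, off)}")
```

Running the block prints one line for offset 0x0010; the pair at offset 8 is found by the string search but rejected by the condition, which is the whole point of the displacement comparison: a bare {FF 75 ?? FF 55 ??} search would be far noisier on ordinary compiled code.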
Scenario: A system administrator is using PowerShell to run a scheduled job that invokes Invoke-Command with a script block containing a function call.
Filter/Exclusion: process.parent.name == "schtasks.exe" or process.name == "powershell.exe" and parent.name == "schtasks.exe"
Scenario: A DevOps engineer is using Ansible to execute a playbook that calls a module via a function, which is part of a standard CI/CD pipeline.
Filter/Exclusion: process.name == "ansible" and parent.name == "bash" or process.command_line contains "ansible-playbook"
Scenario: A database administrator is using SQL Server Management Studio (SSMS) to execute a stored procedure that calls a function indirectly through a dynamic SQL query.
Filter/Exclusion: process.name == "sqlservr.exe" or process.name == "ssms.exe" and parent.name == "sqlservr.exe"
Scenario: A security analyst is using Wireshark to capture network traffic and runs a script that uses subprocess to call a function for packet analysis.
Filter/Exclusion: process.name == "wireshark.exe" or process.command_line contains "tshark"
Scenario: A developer is using Python to run a script that uses importlib to dynamically load and call a function from a module as part of a testing framework.
Filter/Exclusion: process.name == "python.exe" and parent.name == "pytest.exe" or process.command_line contains "pytest"