Indirect function calls in malicious documents may indicate the use of evasion techniques to bypass standard detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential malware activity that evades traditional signature-based detection.
YARA Rule
rule maldoc_indirect_function_call_3 : maldoc
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a = {FF B7 ?? ?? ?? ?? FF 57 ??}
    condition:
        $a
}
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern in its detection logic.
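As an added illustration (not part of this page or of Didier Stevens's rule set), the following Python re-implements the wildcard match of the rule's single hex string and decodes a hit as the two x86 instructions it encodes, so an analyst can see what the pattern actually catches without needing yara-python installed. The sample buffer and the helper names are constructed for the example.

```python
"""Stand-alone matcher for the hex string in maldoc_indirect_function_call_3.

Added illustration, not part of Didier Stevens's rule set: it re-implements
YARA's '??' wildcard semantics for this one pattern so a match can be
inspected without yara-python installed.
"""
import re
from typing import List, Tuple

# The rule's hex string, copied verbatim from the rule above.
RULE_HEX = "FF B7 ?? ?? ?? ?? FF 57 ??"


def hex_pattern_to_regex(hex_string: str) -> bytes:
    """Translate a YARA hex string made of fixed bytes and '??' wildcards
    into a bytes regex. Only the two token kinds this rule uses are handled;
    jumps like [4-6] and nibble wildcards are out of scope."""
    parts = []
    for tok in hex_string.split():
        if tok == "??":
            parts.append(b".")  # any single byte (DOTALL set at compile time)
        elif len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported token {tok!r}")
    return b"".join(parts)


def find_indirect_calls(data: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, matched bytes) for every occurrence of the pattern.
    re.DOTALL makes '.' match 0x0A too, which is what YARA's '??' does."""
    regex = re.compile(hex_pattern_to_regex(RULE_HEX), re.DOTALL)
    return [(m.start(), m.group(0)) for m in regex.finditer(data)]


def describe_match(chunk: bytes) -> str:
    """Decode the nine matched bytes as the two x86 instructions they encode.
    FF /6 with ModRM B7 is 'push dword [edi+disp32]'; FF /2 with ModRM 57 is
    'call dword [edi+disp8]': a call through a pointer reachable from EDI,
    which is why the rule treats the sequence as an indirect function call."""
    disp32 = int.from_bytes(chunk[2:6], "little", signed=True)
    disp8 = int.from_bytes(chunk[8:9], "little", signed=True)
    return f"push dword [edi{disp32:+#x}]; call dword [edi{disp8:+#x}]"


# Constructed sample buffer (not taken from any real document): NOP padding,
# one true match, and a near miss whose second opcode is FF 56 (rm = ESI)
# instead of FF 57, so it must not be reported.
SAMPLE = (
    b"\x90" * 4
    + bytes.fromhex("FFB7 10000000 FF57 0C")
    + b"\x00" * 3
    + bytes.fromhex("FFB7 14000000 FF56 10")
)

if __name__ == "__main__":
    for off, chunk in find_indirect_calls(SAMPLE):
        print(f"match at 0x{off:x}: {chunk.hex(' ')} -> {describe_match(chunk)}")
```

Running the script reports exactly one hit, at offset 4, decoded as `push dword [edi+0x10]; call dword [edi+0xc]`; the decoy sequence is ignored because its second opcode byte differs. The same translation step is what makes a short hex string with four consecutive wildcards worth reviewing for false positives: any nine bytes that start with FF B7 and carry FF 57 at offset 6 satisfy it, so hits should be confirmed against the surrounding bytes before an alert is raised.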
Scenario: Scheduled system maintenance task using schtasks.exe to run a legitimate script
Filter/Exclusion: process.name == "schtasks.exe" && process.args contains " /s" && process.args contains " /u"
Scenario: Administrative task using taskmgr.exe to configure scheduled tasks
Filter/Exclusion: process.name == "taskmgr.exe" && process.args contains "/s"
Scenario: PowerShell script executed via powershell.exe for routine system configuration
Filter/Exclusion: process.name == "powershell.exe" && process.args contains "-Command" && (process.args contains "Get-WmiObject" || process.args contains "Get-Service")
Scenario: Antivirus or endpoint protection tool performing a full system scan using msmpeng.exe
Filter/Exclusion: process.name == "msmpeng.exe" && (process.args contains "Scan" || process.args contains "FullScan")
Scenario: System update or patch deployment using wuauclt.exe or WindowsUpdate.exe
Filter/Exclusion: (process.name == "wuauclt.exe" || process.name == "WindowsUpdate.exe") && (process.args contains " /detectnow" || process.args contains " /updatenow")