Indirect function calls in malicious documents may indicate the use of obfuscation techniques to evade signature-based detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential malware activity that bypasses traditional detection methods.
YARA Rule
rule maldoc_indirect_function_call_2 : maldoc
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        // FF B5 <disp32> = push dword ptr [ebp+disp32]
        // FF 95 <disp32> = call dword ptr [ebp+disp32]
        $a = {FF B5 ?? ?? ?? ?? FF 95 ?? ?? ?? ??}
    condition:
        // Fire only when the 4-byte displacement of the push (offsets 2..5)
        // equals the displacement of the call (offsets 8..11),
        // i.e. push [ebp+X] immediately followed by call [ebp+X]
        for any i in (1..#a): ((uint8(@a[i] + 2) == uint8(@a[i] + 8)) and (uint8(@a[i] + 3) == uint8(@a[i] + 9)) and (uint8(@a[i] + 4) == uint8(@a[i] + 10)) and (uint8(@a[i] + 5) == uint8(@a[i] + 11)))
}
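To show exactly what the condition above accepts and rejects, here is an added Python re-implementation of the rule's logic (example code, not part of the original rule or of Didier Stevens's tooling); the sample byte buffers are constructed for illustration.

```python
import re
import struct

# Added example: a pure-Python equivalent of maldoc_indirect_function_call_2,
# useful for understanding what the rule matches outside a YARA engine.

# Same 12-byte shape as the rule's $a string:
#   FF B5 <disp32>  = push dword ptr [ebp+disp32]
#   FF 95 <disp32>  = call dword ptr [ebp+disp32]
# The lookahead makes finditer report overlapping occurrences, as YARA's #a does.
PATTERN = re.compile(rb"(?=\xFF\xB5(.{4})\xFF\x95(.{4}))", re.DOTALL)


def find_indirect_calls(data: bytes) -> list[tuple[int, int]]:
    """Return (offset, displacement) for each push/call pair whose two
    ebp displacements are byte-for-byte equal (the rule's condition)."""
    hits = []
    for m in PATTERN.finditer(data):
        push_disp, call_disp = m.group(1), m.group(2)
        if push_disp == call_disp:  # uint8(@a+2..5) == uint8(@a+8..11)
            disp = struct.unpack("<i", push_disp)[0]  # little-endian signed disp32
            hits.append((m.start(), disp))
    return hits


def matches_rule(data: bytes) -> bool:
    """True when the YARA rule would fire on this buffer."""
    return bool(find_indirect_calls(data))


def describe(disp: int) -> str:
    """Render a hit the way a disassembler would show it."""
    sign = "-" if disp < 0 else "+"
    operand = f"[ebp{sign}0x{abs(disp):x}]"
    return f"push dword ptr {operand}; call dword ptr {operand}"


# Constructed sample buffers (not taken from any real document):
# three NOPs, then push [ebp-0x10]; call [ebp-0x10]; ret
SAMPLE_MATCH = b"\x90\x90\x90" + b"\xFF\xB5\xF0\xFF\xFF\xFF" + b"\xFF\x95\xF0\xFF\xFF\xFF" + b"\xC3"
# push [ebp-0x10] followed by call [ebp-0x18]: same opcodes, different displacement
SAMPLE_NOMATCH = b"\x90" + b"\xFF\xB5\xF0\xFF\xFF\xFF" + b"\xFF\x95\xE8\xFF\xFF\xFF"

if __name__ == "__main__":
    for offset, disp in find_indirect_calls(SAMPLE_MATCH):
        print(f"0x{offset:x}: {describe(disp)}")
    print("no-match sample fires:", matches_rule(SAMPLE_NOMATCH))
```

The second buffer is the case the displacement comparison exists for: the opcode bytes alone would match, but the rule stays silent because the push and call address different stack slots.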
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern in its detection logic.
Scenario: Scheduled System Maintenance Task Using PowerShell
Description: A legitimate scheduled task runs a PowerShell script that uses indirect function calls (e.g., Invoke-Command with a dynamically generated command string).
Filter/Exclusion: Check for execution context within the Task Scheduler service or filter by process name schtasks.exe or powershell.exe with command-line arguments containing schtasks.
Scenario: Admin Task Using WMI for System Monitoring
Description: An administrator uses WMI (Windows Management Instrumentation) to query system performance, which may involve indirect function calls via Win32_Process or similar classes.
Filter/Exclusion: Filter by process name wmic.exe or check for the presence of WMI-related command-line arguments like /namespace or /node.
Scenario: Scripted Backup Job Using Robocopy
Description: A backup script uses robocopy with dynamic parameters, which may trigger indirect function calls during directory traversal or file copying operations.
Filter/Exclusion: Filter by process name robocopy.exe or check for command-line arguments containing backup, restore, or mirror.
Scenario: Log Collection via PowerShell with Export-CSV
Description: A log collection script uses Export-CSV to export logs, which may involve indirect function calls when dynamically building command strings.
Filter/Exclusion: Filter by process name powershell.exe with command-line arguments containing Export-CSV or log.
Scenario: Configuration Management Tool Using Indirect Function Calls
Description: A configuration management tool like Ansible or Puppet may use indirect function calls during playbook execution to dynamically invoke commands or modules.
Filter/Exclusion: Filter by process name ansible.exe or `puppet