signature-base/yara/gen_event_mute_hook.yar

rule SUSP_Hunt_EvtMuteHook_Memory {
    meta:
        description = "Memory hunt for default wevtsv EtwEventCallback hook pattern to apply to eventlog svchost memory dump"
        reference = "https://blog.dylan.codes/pwning-windows-event-logging/"
        author = "SBousseaden"
        date = "2020-09-05"
        score = 70
    strings:
        $a = {49 BB ?? ?? ?? ?? ?? ?? ?? ?? 41 FF E3 54 24 20 4C 8B 05 61 CB 1A 00 0F 57 C0 66 0F 7F 44 24 20 E8 5B 0A 00 00 48 83 C4 38 C3}
        $b = {48 83 EC 38 4C 8B 0D 65 CB 1A 00 48 8D 54 24 20 4C 8B 05 61 CB 1A 00 0F 57 C0 66 0F 7F 44 24 20 E8 5B 0A 00 00 48 83 C4 38 C3}
    condition: 
        $a and not $b
}