Bypass Record

Obfuscation / Packing × Elastic YARA rules

A publicly-reported instance of Obfuscation / Packing bypassing Elastic YARA rules, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Elastic YARA rules
Technique: Obfuscation / Packing
MITRE ATT&CK: T1027
Confidence: Medium
Severity: High
Status: poc
Disclosed: 2026-04-20
Config / version noted: Not stated

Provenance

Reported as: "tested against ... Elastic YARA rules ... showing mixed but often successful evasion"

Mechanism

The tool generates patterns of simple x64 assembly instructions and their alternative encodings, then patches matching machine code in binaries. It also handles instructions with immediate values and applies alternative instruction encodings where possible. This changes the binary's byte signature to evade static signatures (YARA rules, AV signatures) while preserving functionality. It does not modify strings, imports, or API calls, so detection based on those remains possible.

Detection & mitigation

Detect by monitoring for binaries with unusual instruction patterns or high entropy in executable sections, and use behavior-based detection (e.g., EDR, process creation, network connections) since static signatures are bypassed. Mitigate by enforcing application control and allowlisting to prevent execution of modified binaries.

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.