This detection rule flags Windows PE files whose Import Address Table references the kernel32 function RaiseException, which the rule treats as a possible indicator of code injection or memory corruption. Because RaiseException is also imported by many legitimately compiled Windows binaries (structured exception handling depends on it), a match is a hunting lead rather than a verdict. SOC teams should use it in Azure Sentinel to surface candidates early and triage them against the exclusions below, with the aim of catching adversaries who rely on low-level Windows API calls to evade traditional detection mechanisms.
YARA Rule
import "pe"

rule check_RaiseException_iat {
    meta:
        Author = "http://twitter.com/j0sm1"
        Description = "it's checked if RaiseException is imported"
        Date = "20/04/2015"
        Reference = "http://waleedassar.blogspot.com.es/2012/11/ollydbg-raiseexception-bug.html"
    condition:
        // pe.imports() comes from the pe module imported above; the rule
        // matches any PE whose import table references kernel32!RaiseException.
        pe.imports("kernel32.dll", "RaiseException")
}
This YARA rule can be deployed in the following contexts. Each scenario below is a known benign source of a RaiseException import, paired with the filter or exclusion to apply so that the match is not escalated.

Scenario: Windows Update Installer
  Description: The RaiseException function is called during the installation of Windows updates, which is a legitimate system process.
  Filter/Exclusion: process.name == "wuauclt.exe" or process.name == "setup.exe"

Scenario: Scheduled System Maintenance Task
  Description: A scheduled task (e.g., one created with Task Scheduler) may trigger the RaiseException function as part of routine system maintenance or disk cleanup.
  Filter/Exclusion: process.name == "schtasks.exe" or process.name == "taskhost.exe"

Scenario: Antivirus Signature Update
  Description: Antivirus software (e.g., Microsoft Defender, Kaspersky, Bitdefender) may call RaiseException during signature updates or integrity checks.
  Filter/Exclusion: process.name == "MsMpEng.exe" or process.name == "avgnt.exe"

Scenario: PowerShell Script Execution
  Description: A legitimate PowerShell script may use RaiseException for error handling or debugging purposes.
  Filter/Exclusion: process.name == "powershell.exe" combined with a filter on the specific script name or path (e.g., script.file == "C:\Scripts\legit_script.ps1")

Scenario: System File Checker (SFC) Scan
  Description: The sfc /scannow command may trigger RaiseException during file integrity checks.
  Filter/Exclusion: (process.name == "dllhost.exe" or process.name == "svchost.exe") and command_line contains "sfc"
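The exclusions above are easy to get subtly wrong when they are turned into SIEM logic (case-sensitive process names, a path filter that matches by file name only, an SFC exclusion that silently covers every svchost.exe). The following Python triage helper is an added example, not part of the original rule page: it applies the five exclusions to YARA hit records and returns which scenario suppressed each hit, or None when the hit should be escalated. The field names (process.name, command_line, script.file, plus a constructed "id" and "rule") and all sample records are constructed for illustration; adapt them to the schema of your own events.

```python
# Added example (not part of the original rule page): apply the benign-process
# exclusions listed for check_RaiseException_iat to YARA hit records before
# they reach an analyst.  Field names and sample records are constructed.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

RULE_NAME = "check_RaiseException_iat"


@dataclass(frozen=True)
class Exclusion:
    scenario: str
    matches: Callable[[dict], bool]


def _proc(hit: dict) -> str:
    # Windows process names are case-insensitive, so compare in lower case.
    return hit.get("process.name", "").lower()


def _cmd(hit: dict) -> str:
    return hit.get("command_line", "").lower()


def _script(hit: dict) -> str:
    # Normalise separators and case before an exact full-path comparison.
    return hit.get("script.file", "").replace("/", "\\").lower()


EXCLUSIONS: List[Exclusion] = [
    Exclusion("Windows Update Installer",
              lambda h: _proc(h) in {"wuauclt.exe", "setup.exe"}),
    Exclusion("Scheduled System Maintenance Task",
              lambda h: _proc(h) in {"schtasks.exe", "taskhost.exe"}),
    Exclusion("Antivirus Signature Update",
              lambda h: _proc(h) in {"msmpeng.exe", "avgnt.exe"}),
    # The script path is matched exactly: a script with the same file name
    # dropped in another directory must still be escalated.
    Exclusion("PowerShell Script Execution",
              lambda h: _proc(h) == "powershell.exe"
              and _script(h) == r"c:\scripts\legit_script.ps1"),
    # svchost.exe / dllhost.exe are excluded only when the command line shows
    # an SFC scan; a bare svchost.exe hit is not covered by this exclusion.
    Exclusion("System File Checker (SFC) Scan",
              lambda h: _proc(h) in {"dllhost.exe", "svchost.exe"}
              and "sfc" in _cmd(h)),
]


def triage(hit: dict) -> Optional[str]:
    """Return the name of the exclusion that suppresses this hit, or None if
    the hit should be escalated for analyst review.  Hits from other rules
    are never suppressed by these exclusions."""
    if hit.get("rule") != RULE_NAME:
        return None
    for ex in EXCLUSIONS:
        if ex.matches(hit):
            return ex.scenario
    return None


def triage_all(hits: List[dict]) -> List[Tuple[str, Optional[str]]]:
    """Map each hit id to the exclusion that suppressed it (None = escalate)."""
    return [(h["id"], triage(h)) for h in hits]


# Constructed sample hits, one per branch worth checking.
SAMPLE_HITS = [
    {"id": "h1", "rule": RULE_NAME, "process.name": "WUAUCLT.EXE",
     "command_line": r"C:\Windows\System32\wuauclt.exe /detectnow"},
    {"id": "h2", "rule": RULE_NAME, "process.name": "svchost.exe",
     "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"id": "h3", "rule": RULE_NAME, "process.name": "svchost.exe",
     "command_line": r"C:\Windows\System32\svchost.exe -k sfc"},
    {"id": "h4", "rule": RULE_NAME, "process.name": "powershell.exe",
     "script.file": r"C:\Users\Public\legit_script.ps1"},
    {"id": "h5", "rule": RULE_NAME, "process.name": "powershell.exe",
     "script.file": "C:/Scripts/Legit_Script.ps1"},
    {"id": "h6", "rule": RULE_NAME, "process.name": "dropper.exe",
     "command_line": r"C:\Users\Public\dropper.exe"},
    {"id": "h7", "rule": "some_other_rule", "process.name": "wuauclt.exe"},
]

if __name__ == "__main__":
    for hit_id, verdict in triage_all(SAMPLE_HITS):
        print(f"{hit_id}: {'excluded: ' + verdict if verdict else 'ESCALATE'}")
```

The helper sits downstream of YARA: the rule itself only sees the file, so the process context the exclusions depend on has to come from the endpoint or SIEM event that carried the match. Keep the exclusion list keyed to the rule name so that a broadened allowlist for this low-confidence indicator does not leak into other detections.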