Hypothesis: an adversary may register a custom top-level exception filter (via kernel32!SetUnhandledExceptionFilter) so that a deliberately raised exception transfers control to attacker-controlled code, or so that the binary can detect analysis: when a debugger is attached, Windows hands the unhandled exception to the debugger and the registered filter never runs, which lets the sample behave differently under a debugger. A SOC team can hunt for binaries that import the kernel32 exception-filter APIs, ingest the scan results into Azure Sentinel (now Microsoft Sentinel) and pivot from there to identify malware that relies on this anti-analysis technique. Note that the rule below is a static check on the PE import table (the Import Address Table, IAT) of a file on disk; it does not detect runtime manipulation of the IAT in memory or memory corruption.
YARA Rule
import "pe"

rule Check_unhandledExceptionFiler_iat {
    meta:
        Author = "http://twitter.com/j0sm1"
        Description = "it's checked if UnhandledExceptionFilter is imported"
        Date = "20/04/2015"
        Reference = "http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide#UnhandledExceptionFilter"
    condition:
        // Static import-table check: matches any PE that imports this API from kernel32.dll
        pe.imports("kernel32.dll","UnhandledExceptionFilter")
}
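To make concrete what pe.imports() actually evaluates, here is an added example that is not part of the original page or of j0sm1's rule: a pure-Python walk of the PE import directory (the same structures YARA's pe module parses), plus a builder that fabricates a throwaway PE32 fixture with a chosen import set so the parser can be exercised offline. The fixture is a constructed test file, not a real binary, and the names build_pe_with_imports, parse_imports and imports_function are this example's own.

```python
import struct

FILE_ALIGN = 0x200     # file alignment used by the constructed fixture
SECTION_RVA = 0x1000   # RVA of the fixture's single .idata section

def build_pe_with_imports(imports):
    """Return bytes of a minimal PE32 whose only content is an import directory for
    {dll_name: [function_name, ...]}. A constructed fixture for parser testing; not loadable."""
    n = len(imports)
    body = bytearray(20 * (n + 1))           # IMAGE_IMPORT_DESCRIPTOR array + null terminator
    descs = []
    for dll, funcs in imports.items():
        while len(body) % 4:
            body += b"\0"
        ilt_off = len(body)                   # import lookup table (OriginalFirstThunk)
        body += bytes(4 * (len(funcs) + 1))
        iat_off = len(body)                   # import address table (FirstThunk)
        body += bytes(4 * (len(funcs) + 1))
        name_off = len(body)
        body += dll.encode("ascii") + b"\0"
        for i, func in enumerate(funcs):
            if len(body) % 2:
                body += b"\0"
            hint_name_rva = SECTION_RVA + len(body)
            body += struct.pack("<H", 0) + func.encode("ascii") + b"\0"  # IMAGE_IMPORT_BY_NAME
            struct.pack_into("<I", body, ilt_off + 4 * i, hint_name_rva)
            struct.pack_into("<I", body, iat_off + 4 * i, hint_name_rva)
        descs.append((SECTION_RVA + ilt_off, SECTION_RVA + name_off, SECTION_RVA + iat_off))
    for i, (ilt, name, iat) in enumerate(descs):
        struct.pack_into("<IIIII", body, 20 * i, ilt, 0, 0, name, iat)
    raw_size = -(-len(body) // FILE_ALIGN) * FILE_ALIGN
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)            # Section/FileAlignment
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, SECTION_RVA, 20 * (n + 1)) # data directory[1] = imports
    sec = struct.pack("<8sIIIIIIHHI", b".idata", len(body), SECTION_RVA, raw_size,
                      FILE_ALIGN, 0, 0, 0, 0, 0xC0000040)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(FILE_ALIGN, b"\0")
    return headers + bytes(body).ljust(raw_size, b"\0")

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_imports(data):
    """Return {dll_name_lowercased: [function names]} from the PE import directory
    ({} if none). Handles PE32 and PE32+ thunk sizes and ordinal imports."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B
    if struct.unpack_from("<I", data, opt + (108 if is64 else 92))[0] < 2:
        return {}                                 # no import data directory entry at all
    imp_rva = struct.unpack_from("<I", data, opt + (112 if is64 else 96) + 8)[0]
    if imp_rva == 0:
        return {}
    sections = []
    for i in range(nsec):
        vsize, vaddr, rsize, raddr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, max(vsize, rsize), raddr))

    def rva2off(rva):                             # map an RVA to a file offset via the section table
        for vaddr, size, raddr in sections:
            if vaddr <= rva < vaddr + size:
                return raddr + rva - vaddr
        raise ValueError(f"RVA {rva:#x} is outside every section")

    thunk_fmt, thunk_len, ord_flag = ("<Q", 8, 1 << 63) if is64 else ("<I", 4, 1 << 31)
    result, off = {}, rva2off(imp_rva)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, off)
        if ilt == 0 and name_rva == 0 and iat == 0:
            break                                 # all-zero descriptor terminates the table
        funcs, t = [], rva2off(ilt or iat)        # some linkers leave OriginalFirstThunk zero
        while True:
            entry = struct.unpack_from(thunk_fmt, data, t)[0]
            if entry == 0:
                break
            # high bit set: import by ordinal; otherwise RVA of a 2-byte hint followed by the name
            funcs.append(f"#{entry & 0xFFFF}" if entry & ord_flag else _cstr(data, rva2off(entry) + 2))
            t += thunk_len
        result.setdefault(_cstr(data, rva2off(name_rva)).lower(), []).extend(funcs)
        off += 20
    return result

def imports_function(data, dll, func):
    """Same test as YARA's pe.imports(dll, func): DLL name matched case-insensitively
    (as YARA does), function name matched exactly."""
    return func in parse_imports(data).get(dll.lower(), [])
```

Build a fixture with build_pe_with_imports({"KERNEL32.dll": ["SetUnhandledExceptionFilter", "UnhandledExceptionFilter"]}) and imports_function(fixture, "kernel32.dll", "UnhandledExceptionFilter") returns True, exactly as the rule would fire; pointing parse_imports at real executables from a Windows system quickly shows how many benign files carry the same import, which is the prevalence check to run before treating a match as suspicious.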
Because the condition is a single import check, this rule matches a large share of benign Windows binaries: the MSVC runtime's /GS stack-cookie failure handler calls UnhandledExceptionFilter, so most MSVC-compiled executables import it. Treat a match as a hunting pivot to enrich with file prevalence, code-signing status and path, not as an alert on its own, and expect at least the following false positives when the rule is run against files or process images:
Scenario: Windows Event Log Cleanup Tool Execution
Description: Legitimate log management binaries (e.g., eventvwr.exe or third-party log collection agents) import UnhandledExceptionFilter like most compiled Windows executables, so a scan of their image files matches the rule regardless of the file system activity or log rotation they happen to be performing.
Filter/Exclusion: Exclude processes associated with known log management tools (e.g., eventvwr.exe, logman.exe, or splunkforwarder.exe) using the process.name field, and only exclude when the image also has the expected publisher signature and install path.
Scenario: Scheduled System Maintenance Task
Description: Binaries launched by scheduled maintenance tasks (e.g., Task Scheduler actions or PowerShell host processes running disk cleanup or registry checks) match because their image files import the API, not because of the file operations they perform.
Filter/Exclusion: Exclude tasks with known maintenance names (e.g., Disk Cleanup, System Maintenance) using the task.name or process.name field.
Scenario: Antivirus or Endpoint Protection Scan
Description: Antivirus engines and services (e.g., Windows Defender, McAfee, Kaspersky) ship signed executables that import the API, so scanning their install directories or their running process images matches the rule; a full system scan by the product itself does not change whether the match occurs.
Filter/Exclusion: Exclude processes associated with antivirus tools (e.g., MsMpEng.exe, mcafeeww.exe, kavsvc.exe) using the process.name field.
Scenario: Software Update or Patch Installation
Description: Installers and updaters (e.g., Windows Update components, Microsoft Endpoint Manager, or third-party patching tools), including the temporary setup executables they extract, import the API and will match when written to disk or executed during installation or rollback.
Filter/Exclusion: Exclude processes related to update tools (e.g., wusa.exe, setup.exe, patchmgr.exe) using the process.name field; setup.exe is a generic name that malware droppers reuse, so exclude it only in combination with a trusted signer or path.
Scenario: Database Backup or Restore Operation