The disable_dep YARA rule (published under the description "Bypass DEP") flags files or memory regions that contain the names of APIs and settings used to turn off Data Execution Prevention or to make memory pages executable. A hit is a static indicator that a binary is able to tamper with DEP, not evidence that it did so; it is a hunting lead for early-stage loaders and APT tooling that evade signature-based controls. SOC teams can run it in YARA-capable file, memory and sandbox scanners and correlate hits with process telemetry in a SIEM such as Azure Sentinel (now Microsoft Sentinel).
YARA Rule
rule disable_dep {
    meta:
        author = "x0r"
        description = "Bypass DEP"
        version = "0.1"
    strings:
        $c1 = "EnableExecuteProtectionSupport"  // registry value name tied to the system-wide DEP (NX) setting
        $c2 = "NtSetInformationProcess"        // with the ProcessExecuteFlags class, the classic way to clear DEP for the current process
        $c3 = "VirtualProtectEx"               // changes page protection (e.g. to PAGE_EXECUTE_READWRITE); the published rule misspells this as "VirtualProctectEx", which can never match
        $c4 = "SetProcessDEPPolicy"            // documented API for disabling DEP for the calling process
        $c5 = "ZwProtectVirtualMemory"         // ntdll counterpart of VirtualProtect(Ex)
    condition:
        any of them                            // a single string suffices, so benign binaries that import these APIs will also match
}
Because it is a pure string rule, it can be deployed anywhere YARA runs: on-disk file scanning, process memory scanning, and sandbox post-processing. It contains five string patterns and fires when any one of them is present. Two consequences follow from that form. First, the patterns are plain ASCII with no wide modifier, so they match import-table and string-table entries of unpacked PE files and ASCII source text, but not UTF-16 text (for example a PowerShell script saved in the UTF-16LE encoding that many Windows editors default to). Second, the rule only sees names that are present literally: packed samples and loaders that resolve APIs by hash carry none of these strings until they are unpacked in memory, so the memory-scanning deployment is the one that catches them. Note also what the list does not cover: VirtualProtect and NtProtectVirtualMemory, both commonly used by shellcode loaders, are not among the patterns, and neither is matched as a substring of the names that are.
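The following is an added example, not code from the rule's author or from the page: it emulates the rule's string logic in Python over constructed byte strings (a fake import directory, a UTF-16LE PowerShell P/Invoke declaration, and a hash-resolving loader stub, none of them real samples) to show the effect of the ASCII-only patterns and of the $c3 misspelling. The hardened rule text at the end is an assumed rewrite with the typo fixed and ascii wide added; the optional yara-python cross-check only runs if that module is installed.

```python
"""
Added example (not the published rule): emulate disable_dep's string logic over
constructed inputs to show what the rule's form implies.
"""

# Strings exactly as published, including the $c3 misspelling
ORIGINAL_STRINGS = {
    "$c1": "EnableExecuteProtectionSupport",
    "$c2": "NtSetInformationProcess",
    "$c3": "VirtualProctectEx",   # sic: never matches the real export name
    "$c4": "SetProcessDEPPolicy",
    "$c5": "ZwProtectVirtualMemory",
}
CORRECTED_STRINGS = {**ORIGINAL_STRINGS, "$c3": "VirtualProtectEx"}


def scan(data: bytes, strings: dict, wide: bool = False) -> set:
    """Identifiers whose pattern occurs in data.

    wide=False mirrors a YARA text string with no modifier (ASCII only);
    wide=True mirrors the 'ascii wide' modifiers (ASCII or UTF-16LE).
    """
    hits = set()
    for ident, text in strings.items():
        needles = [text.encode("ascii")]
        if wide:
            needles.append(text.encode("utf-16-le"))
        if any(n in data for n in needles):
            hits.add(ident)
    return hits


def matches(data: bytes, strings: dict, wide: bool = False) -> bool:
    """The rule's condition: 'any of them'."""
    return bool(scan(data, strings, wide))


# Constructed sample 1: import names as they sit in an unpacked PE's import
# directory (two-byte hint followed by a NUL-terminated ASCII name).
IMPORT_DIR = b"\x00\x00KERNEL32.dll\x00\x00\x00VirtualProtectEx\x00\x00\x00GetProcAddress\x00"

# Constructed sample 2: a PowerShell P/Invoke declaration saved as UTF-16LE
# with a BOM, the default for many Windows editors.
PS_TEXT = '[DllImport("kernel32.dll")] public static extern bool SetProcessDEPPolicy(uint f);'
PS_UTF16 = b"\xff\xfe" + PS_TEXT.encode("utf-16-le")

# Constructed sample 3: a loader stub that resolves APIs by hash carries no
# API name at all, only a hash constant (bytes are arbitrary filler).
HASH_LOADER = b"MZ\x90\x00" + b"\x8b\x45\x08\x33\xc9" + (0xA1B2C3D4).to_bytes(4, "little")

# Assumed rewrite of the rule: typo fixed, both encodings covered.
HARDENED_RULE = r'''
rule disable_dep_v2 {
    meta:
        description = "DEP-disable / page-protection API names, ascii+wide, $c3 typo fixed"
    strings:
        $c1 = "EnableExecuteProtectionSupport" ascii wide
        $c2 = "NtSetInformationProcess" ascii wide
        $c3 = "VirtualProtectEx" ascii wide
        $c4 = "SetProcessDEPPolicy" ascii wide
        $c5 = "ZwProtectVirtualMemory" ascii wide
    condition:
        any of them
}
'''


def crosscheck_with_yara(rule_text: str, data: bytes):
    """If yara-python is installed, compile rule_text and return the matched
    identifiers; otherwise return None. Not needed by the emulation above."""
    try:
        import yara
    except ImportError:
        return None
    ids = set()
    for m in yara.compile(source=rule_text).match(data=data):
        for s in m.strings:   # StringMatch objects (>=4.3) or (offset, id, data) tuples
            ids.add(s.identifier if hasattr(s, "identifier") else s[1])
    return ids


if __name__ == "__main__":
    for name, blob in [("import dir", IMPORT_DIR), ("ps utf16", PS_UTF16), ("hash loader", HASH_LOADER)]:
        print(name, "published:", scan(blob, ORIGINAL_STRINGS),
              "corrected+wide:", scan(blob, CORRECTED_STRINGS, wide=True))
```

Run stand-alone, the published strings match none of the three samples; the corrected rule matches the import directory, and only the wide variant matches the UTF-16 script. The hash-resolving stub matches nothing in either form, which is the case only memory scanning after unpacking can address.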
Scenario: Windows Update installation
Description: Windows Update components and the servicing stack are native Microsoft binaries that import memory-management APIs such as VirtualProtectEx and NtSetInformationProcess, so a file or memory scan running during installation can match the rule on legitimate code. The match comes from the API names inside the binaries; runtime behaviour such as memory-mapped file use is invisible to a string rule.
Filter/Exclusion: Exclude on the matched file's path under %SystemRoot% together with a valid Microsoft Authenticode signature rather than on process name alone. For memory hits the host is svchost.exe running the wuauserv service (wuauserv is a service name, not an executable), so check the command line (on recent Windows builds it carries -s wuauserv) and the parent process.
Scenario: Scheduled Task running a legitimate executable
Description: A scheduled task may launch a legitimate application whose binary imports one of the listed APIs (SetProcessDEPPolicy, for instance, is called by some applications to opt out of DEP for compatibility), producing a hit that looks like scripted execution of DEP-bypass tooling.
Filter/Exclusion: Identify the task with the TaskName and User fields of the Task Scheduler operational log or the process tree, then exclude on the launched file's hash or signature rather than on the task name, since task names are attacker-controlled.
Scenario: System File Checker (SFC) scan
Description: An SFC run reads and rewrites protected system files, so a file scanner watching those paths re-scans Microsoft binaries that import VirtualProtectEx or NtSetInformationProcess, and the rule fires on each of them.
Filter/Exclusion: Check for sfc.exe in the process tree or for the command line sfc /scannow, and exclude the touched system files on path and Microsoft signature rather than suppressing the rule globally.
Scenario: Antivirus or EDR memory scanning
Description: Security products contain engines that change page protections and inspect other processes, so their own binaries and memory reference the listed APIs and match the rule.
Filter/Exclusion: Filter by the process name (ImageFileName), for example mpsvc.exe, mfe5000.exe or avastui.exe, but anchor the exclusion to the vendor's Authenticode signature and install directory; a process name on its own can be spoofed by any binary dropped into a user-writable path.
Scenario: PowerShell script using memory-mapped files
Description: A legitimate PowerShell script that declares P/Invoke signatures (an Add-Type or DllImport block naming VirtualProtectEx or SetProcessDEPPolicy) contains the API names as text, so a scan of the script file or of the powershell.exe process memory matches the rule even though the script only uses memory-mapped files or other benign memory handling.
Filter/Exclusion: Check the command line arguments for `powershell.exe
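The scenarios above each exclude on a process or task name. As an added example (not from the page or any vendor), the Python below ranks a disable_dep hit by where the matched file lives, whether its Authenticode signature is valid and from an expected publisher, and which rule strings matched, so that the same name in a user-writable directory still escalates. The allow-list, the signer names and all sample hits are constructed for the demo; signer and signature validity are assumed to come from a prior verification step such as Get-AuthenticodeSignature and are passed in as input.

```python
"""
Added example: triage disable_dep hits on location, signature and matched
strings rather than on process name. Inputs are constructed; the allow-list
is hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    path: str              # file that matched (for memory hits, the mapped image)
    matched: frozenset     # rule string identifiers, e.g. {"$c2", "$c3"}
    signer: str = ""       # Authenticode subject name, "" when unsigned (assumed input)
    signature_valid: bool = False


# Hypothetical allow-list: (directory prefix, expected signer), lower-case, prefix match.
TRUSTED = (
    ("c:\\windows\\system32\\", "microsoft windows"),
    ("c:\\windows\\syswow64\\", "microsoft windows"),
    ("c:\\windows\\winsxs\\", "microsoft windows"),
    ("c:\\program files\\windows defender\\", "microsoft windows publisher"),
)
ALLOWED_SIGNERS = {s for _, s in TRUSTED}

# Locations an unprivileged user or a dropper can write to.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "c:\\programdata\\",
                 "c:\\windows\\temp\\", "c:\\users\\public\\")

DEP_OFF = frozenset({"$c1", "$c2", "$c4"})   # registry value, NtSetInformationProcess, SetProcessDEPPolicy
PAGE_PROT = frozenset({"$c3", "$c5"})        # VirtualProtectEx, ZwProtectVirtualMemory


def triage(hit: Hit):
    """Return (verdict, score, reasons); verdict is 'exclude', 'review' or 'escalate'."""
    path = hit.path.lower()
    signer = hit.signer.lower()
    if hit.signature_valid and any(path.startswith(d) and signer == s for d, s in TRUSTED):
        return "exclude", 0, ["valid signature from expected publisher in trusted directory"]
    score, reasons = 0, []
    if not hit.signature_valid:
        score += 3
        reasons.append("unsigned or invalid signature")
    elif signer not in ALLOWED_SIGNERS:
        score += 1
        reasons.append("signed, but publisher not on allow-list")
    if any(d in path for d in USER_WRITABLE):
        score += 2
        reasons.append("user-writable location")
    if hit.matched & DEP_OFF and hit.matched & PAGE_PROT:
        score += 3
        reasons.append("DEP-off API together with page-protection API")
    elif hit.matched & DEP_OFF:
        score += 1
        reasons.append("DEP-off API present")
    verdict = "escalate" if score >= 5 else "review" if score >= 1 else "exclude"
    return verdict, score, reasons


# Constructed hits covering the scenarios above (paths and signers are made up).
SAMPLE_HITS = [
    Hit("C:\\Windows\\System32\\svchost.exe", frozenset({"$c2"}), "Microsoft Windows", True),
    Hit("C:\\Program Files\\AVVendor\\avastui.exe", frozenset({"$c3"}), "AV Vendor Ltd", True),
    Hit("C:\\Users\\alice\\AppData\\Local\\Temp\\avastui.exe", frozenset({"$c3"})),
    Hit("C:\\Users\\alice\\Downloads\\update.exe", frozenset({"$c2", "$c3"})),
    Hit("C:\\Windows\\System32\\svchost.exe", frozenset({"$c2"}), "Microsoft Windows", False),
]

if __name__ == "__main__":
    for h in SAMPLE_HITS:
        print(triage(h), h.path)
```

The third sample is the point of the exercise: a file named avastui.exe in a Temp directory would be dropped by a process-name exclusion, but here it escalates because it is unsigned and in a user-writable path. The last sample shows the other direction, a System32 path with a broken signature that is not excluded.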