The SEH_Init rule detects potential adversary behavior involving the initialization of Structured Exception Handling (SEH) chains, which may be used to manipulate exception handling and execute arbitrary code. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage malware or advanced persistent threats that leverage SEH for evasion or persistence.
YARA Rule
rule SEH_Init : Tactic_DefensiveEvasion Technique_AntiDebugging SubTechnique_SEH
{
meta:
author = "Malware Utkonos"
original_author = "naxonez"
source = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
strings:
$a = { 64 A3 00 00 00 00 }
$b = { 64 89 25 00 00 00 00 }
condition:
WindowsPE and ($a or $b)
}This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
Scenario: Windows Update installation using Windows Update Agent
Filter/Exclusion: process.name != "wuauserv.exe" or process.name != "svchost.exe"
Scenario: Scheduled Task running a legitimate script or application (e.g., Task Scheduler executing a PowerShell script)
Filter/Exclusion: process.name != "schtasks.exe" or process.name != "powershell.exe"
Scenario: System File Checker (SFC) scan initiated by the system
Filter/Exclusion: process.name != "sfcos.exe" or process.name != "cmd.exe"
Scenario: Microsoft Endpoint Configuration Manager (MECM) or SCCM deployment task
Filter/Exclusion: process.name != "ccmexec.exe" or process.name != "msiexec.exe"
Scenario: Antivirus or endpoint protection software performing a scan (e.g., Microsoft Defender, Bitdefender)
Filter/Exclusion: process.name != "MsMpEng.exe" or process != "mpsvc.exe"