The SEH_Save rule detects the byte sequence an executable uses to save the current Structured Exception Handling (SEH) chain head, a step adversaries take when they install their own handler to manipulate program execution flow or to interfere with debuggers. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage malware or advanced persistent threats that may evade traditional detection methods.
YARA Rule
// The condition references a rule named WindowsPE, which must exist in the same
// namespace; the upstream file in the source URL supplies its own. A minimal
// PE-header check is given here so the rule compiles stand-alone (assumed
// definition, not copied from the source file).
private rule WindowsPE
{
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
}

rule SEH_Save : Tactic_DefensiveEvasion Technique_AntiDebugging SubTechnique_SEH
{
    meta:
        author = "Malware Utkonos"
        original_author = "naxonez"
        source = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        // 64 FF 35 00 00 00 00 = push dword ptr fs:[0]: pushes the current SEH
        // chain head onto the stack, the first instruction of a new SEH frame
        $a = { 64 ff 35 00 00 00 00 }
    condition:
        WindowsPE and $a
}
This rule contains one string pattern in its detection logic. The scenarios below describe legitimate activity that can match it and the exclusions that can be applied when the rule is deployed in each context.
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a system cleanup or disk defragmentation tool that temporarily modifies the SEH (Structured Exception Handling) chain.
Filter/Exclusion: process.name == "defrag.exe" OR process.name == "cleanmgr.exe" OR process.name == "taskhost.exe"

Scenario: Antivirus Real-Time Scanning
Description: Antivirus software such as Kaspersky, Bitdefender, or Malwarebytes may modify memory structures during real-time scanning, triggering the SEH_Save rule.
Filter/Exclusion: process.name == "kavsvc.exe" OR process.name == "mbam.exe" OR process.name == "bdagent.exe"

Scenario: Windows Update or Patching Process
Description: During Windows Update or patching operations, system processes such as wusa.exe or msiexec.exe may alter memory structures, leading to false positives.
Filter/Exclusion: process.name == "wusa.exe" OR process.name == "msiexec.exe" OR process.name == "setup.exe"

Scenario: PowerShell Script with Memory Manipulation
Description: A legitimate PowerShell script using advanced memory manipulation techniques (e.g., for debugging or testing) may trigger the SEH_Save rule.
Filter/Exclusion: process.name == "powershell.exe" AND (command_line contains "Debug" OR command_line contains "Test")

Scenario: Enterprise Application with Memory Corruption
Description: A known enterprise application (e.g., SQL Server, Exchange, or IIS) may have memory corruption issues that mimic SEH_Save behavior.
Filter/Exclusion: process.name == "sqlservr.exe" OR process.name == "msexch.exe" OR process
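The following is an added example, not code from the original page or from the naxonez repository. It re-implements in plain Python what the rule's condition evaluates (a PE-header check standing in for WindowsPE, plus a search for the 7-byte $a sequence) and then applies the tuning exclusions from the scenario list above to decide whether a match should raise an alert. The build_sample helper constructs a synthetic buffer with minimal MZ/PE headers; it is not a real executable, and the process names and command lines used in triage are assumed inputs that a SIEM pipeline would supply alongside the scanned file.

```python
import struct

# The rule's single string: 64 FF 35 00 00 00 00 disassembles to
# "push dword ptr fs:[0]", i.e. pushing the current SEH chain head before a
# new handler is linked in.
SEH_SAVE_PATTERN = bytes.fromhex("64ff3500000000")


def is_windows_pe(data: bytes) -> bool:
    """Stand-in for the rule's WindowsPE dependency: 'MZ' at offset 0 and a
    'PE\\0\\0' signature at the offset stored in e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_seh_save(data: bytes) -> list:
    """Return every offset at which the rule's $a string occurs."""
    offsets, pos = [], data.find(SEH_SAVE_PATTERN)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(SEH_SAVE_PATTERN, pos + 1)
    return offsets


def seh_save_matches(data: bytes) -> bool:
    """Equivalent of the rule condition 'WindowsPE and $a'."""
    return is_windows_pe(data) and bool(find_seh_save(data))


# Name-only exclusions taken from the scenario list (the Enterprise Application
# list is truncated on the page; only the names that are visible are included).
NAME_ONLY_EXCLUSIONS = {
    "defrag.exe", "cleanmgr.exe", "taskhost.exe",   # scheduled maintenance
    "kavsvc.exe", "mbam.exe", "bdagent.exe",        # antivirus real-time scanning
    "wusa.exe", "msiexec.exe", "setup.exe",         # Windows Update / patching
    "sqlservr.exe", "msexch.exe",                   # enterprise applications
}


def is_excluded(process_name: str, command_line: str = "") -> bool:
    """Apply the page's exclusions. PowerShell is excluded only when the
    command line carries the "Debug" or "Test" marker, exactly as written."""
    name = process_name.lower()
    if name in NAME_ONLY_EXCLUSIONS:
        return True
    if name == "powershell.exe":
        return "Debug" in command_line or "Test" in command_line
    return False


def triage(data: bytes, process_name: str, command_line: str = "") -> str:
    """'clean' when the rule does not fire, 'suppressed' when it fires but an
    exclusion applies, 'alert' otherwise."""
    if not seh_save_matches(data):
        return "clean"
    return "suppressed" if is_excluded(process_name, command_line) else "alert"


def build_sample(with_pattern: bool, pe: bool = True) -> bytes:
    """Constructed test buffer (not a real executable): 0x80 bytes of header
    with MZ/PE magic, then NOP filler, optionally the SEH_Save bytes, then RET."""
    header = bytearray(0x80)
    if pe:
        header[:2] = b"MZ"
        struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> 0x40
        header[0x40:0x44] = b"PE\x00\x00"
    body = b"\x90" * 16 + (SEH_SAVE_PATTERN if with_pattern else b"") + b"\xC3"
    return bytes(header) + body


if __name__ == "__main__":
    sample = build_sample(with_pattern=True)
    print("offsets:", find_seh_save(sample))
    print("unknown.exe ->", triage(sample, "unknown.exe"))
    print("defrag.exe  ->", triage(sample, "defrag.exe"))
```

The PE check matters for more than fidelity: the 7-byte sequence is short enough to occur by chance in arbitrary data, and requiring MZ/PE headers is what keeps the rule from firing on random files. Note also that an exclusion keyed only on process name (taskhost.exe, setup.exe) is broad, so suppressed matches are still worth recording for later review.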