The SEH v3 rule flags potential exploitation of stack-based buffer overflow vulnerabilities by matching specific string signatures in memory that may indicate malicious code execution. SOC teams should proactively hunt for these matches in Azure Sentinel to identify early-stage attacks that could lead to persistence or lateral movement within the network.
YARA Rule
rule SEH__v3 : AntiDebug SEH {
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        // SEH-related symbol names searched for as plain, case-sensitive ASCII strings
        $ = "____except__handler3"
        $ = "____local__unwind3"
    condition:
        any of them
}
The following exclusions can be paired with the rule in Azure Sentinel to tune out routine Windows activity. Each filter suppresses a hit only when both the process name and the parent process name match the listed values; an event is kept when either field differs.

Scenario: Windows Update installation via Group Policy
Filter/Exclusion: process.name != "wuauclt.exe" or process.parent.name != "services.exe"

Scenario: Scheduled System File Checker (SFC) scan
Filter/Exclusion: process.name != "sfcos.exe" or process.parent.name != "services.exe"

Scenario: Microsoft Defender Antivirus scan initiated by the system
Filter/Exclusion: process.name != "msascui.exe" or process.parent.name != "services.exe"

Scenario: Admin task to modify registry settings using reg.exe
Filter/Exclusion: process.name != "reg.exe" or process.parent.name != "services.exe"

Scenario: PowerShell script running as part of a routine system maintenance task
Filter/Exclusion: process.name != "powershell.exe" or process.parent.name != "services.exe"
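As an added example (not part of the page or the rule author's repository), the Python below models the rule's `any of them` condition over the two strings and the exclusion logic of the filters above, run against constructed telemetry; `ProcessEvent`, `hunt` and the sample events are assumptions made for illustration.

```python
from dataclasses import dataclass

# The two strings of the SEH__v3 rule exactly as the page lists them.
SEH_V3_STRINGS = (b"____except__handler3", b"____local__unwind3")

# Exclusions from the page as (process.name, process.parent.name) pairs.
# Each page filter reads `process.name != X or process.parent.name != Y`,
# so an event is suppressed only when BOTH fields equal the listed values.
EXCLUSIONS = {
    ("wuauclt.exe", "services.exe"),
    ("sfcos.exe", "services.exe"),
    ("msascui.exe", "services.exe"),
    ("reg.exe", "services.exe"),
    ("powershell.exe", "services.exe"),
}


@dataclass
class ProcessEvent:
    name: str           # process.name
    parent_name: str    # process.parent.name
    image: bytes        # bytes of the executed image (constructed sample data)


def seh_v3_matches(data: bytes) -> bool:
    """Condition `any of them`: at least one string occurs (case-sensitive ASCII)."""
    return any(s in data for s in SEH_V3_STRINGS)


def passes_filter(ev: ProcessEvent) -> bool:
    """True when the page's exclusions keep the event (name or parent differs)."""
    return (ev.name, ev.parent_name) not in EXCLUSIONS


def hunt(events):
    """Return the events that match the rule and survive the exclusions."""
    return [ev for ev in events if passes_filter(ev) and seh_v3_matches(ev.image)]


# Constructed sample telemetry: the image bytes are synthetic, not real binaries.
SAMPLE_EVENTS = [
    ProcessEvent("reg.exe", "services.exe", b"MZ..." + SEH_V3_STRINGS[0]),    # excluded
    ProcessEvent("reg.exe", "explorer.exe", b"MZ..." + SEH_V3_STRINGS[0]),    # alert
    ProcessEvent("tool.exe", "services.exe", b"MZ..." + SEH_V3_STRINGS[1]),   # alert
    ProcessEvent("powershell.exe", "explorer.exe", b"MZ...no seh strings"),   # no match
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(f"ALERT {ev.name} (parent {ev.parent_name})")
```

Note that the comparisons are exact, as the page's filters are written, so a differently cased process name is not excluded.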