← Back to SOC feed Coverage →

SEH v4

yara LOW Yara-Rules 2026-03-19

community

This detection content is auto-generated from open-source rule repositories and enriched with AI analysis. Always validate rules in a test environment before deploying to production Sentinel workspaces.
View original rule at Yara-Rules →
Retrieved: 2026-03-19T03:46:59Z · Confidence: medium

Hunt Hypothesis

YARA rule: SEH__v4

YARA Rule

rule SEH__v4 : AntiDebug SEH {
    // VS 8.0+
	meta:
		weight = 1
		Author = "naxonez"
		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
	strings:
		$ = "____except__handler4"
		$ = "____local__unwind4"
		$ = "__XcptFilter"
	condition:
		any of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

Microsoft Defender for Endpoint — Custom indicators / advanced hunting
Email Gateway — Attachment scanning
File Share Monitoring — Periodic scanning of shared drives
YARA CLI — Manual threat hunting on endpoints

References

Original source: https://github.com/Yara-Rules/rules/blob/main/antidebug_antivm/antidebug_antivm.yar