The SEH__v4 rule (tagged AntiDebug and SEH in naxonez's AntiDebugging.yara) is a static string signature: it fires when a file contains the names of the structured exception handling (SEH) support routines that the Visual Studio 2005 (VS 8.0) and later C runtime links into 32-bit x86 builds (_except_handler4, _local_unwind4) together with the runtime's default exception filter (_XcptFilter). SEH is a common building block of anti-debugging and anti-analysis tricks (a handler installed to catch a deliberately raised exception runs only when no debugger swallows the exception first), so the rule is a weak hint that a sample may carry such checks. It does not detect exploitation of stack-based buffer overflows, it inspects bytes rather than memory patterns, and a match says nothing about code execution. Its meta weight is 1, the lowest tier, because the same runtime names are present in a great deal of legitimate software. Use it as a triage enrichment when scanning samples or quarantined files with YARA, and feed the result into Azure Sentinel (now Microsoft Sentinel) as one attribute of the file rather than as an alert on its own; an analyst hunting on it should expect, and tune out, ordinary compiled software.
YARA Rule
rule SEH__v4 : AntiDebug SEH {
    // VS 8.0+ (Visual Studio 2005 and later C runtime).
    // Plain, case-sensitive string matches: no PE parsing, no check of what the code does.
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        // As published, the first two literals carry more underscores than the
        // decorated names a symbol listing usually shows (__except_handler4,
        // __local_unwind4); confirm hits on a known VS2005+ build before relying on them.
        $ = "____except__handler4"
        $ = "____local__unwind4"
        $ = "__XcptFilter"
    condition:
        any of them   // same as "1 of them": one runtime name is enough to match
}
This YARA rule can be deployed in the following contexts. Because it keys on C runtime symbol names, most matches will come from legitimate Visual Studio builds, so tune on properties of the matched file (Authenticode signer, hash, path) rather than on process telemetry: a static file signature has no ProcessName or ParentProcessName to filter on, only the file that was scanned and, at best, the process that wrote it.
Scenario: Files written by a legitimate system update or patching process (Windows Update, Group Policy software installation)
Filter/Exclusion: Exclude files that carry a valid Microsoft Authenticode signature, and treat files written under the Windows directory by wuauclt.exe, services.exe or svchost.exe as expected sources of matches.
Scenario: Binaries staged or restored by a scheduled backup job (Veeam Backup & Replication, Commvault)
Filter/Exclusion: Exclude the vendor's signed agent binaries and the backup repository paths; restored copies of already allowlisted files should inherit the allowlist by hash, not by name.
Scenario: An administrator running built-in management tools (Registry Editor, the Group Policy editor, Event Viewer, Disk Cleanup, Task Scheduler jobs)
Filter/Exclusion: regedit.exe, eventvwr.exe, cleanmgr.exe and the mmc.exe snap-ins are OS-supplied, Microsoft-signed executables; allowlist them by signer and path so that a renamed or dropped copy outside System32 still surfaces.
Scenario: Software installed through a package manager or WSL (Chocolatey packages, the bash.exe launcher and distribution binaries)
Filter/Exclusion: Exclude packages whose hashes match the package manager's recorded checksums; leave unsigned binaries written after installation in scope instead of suppressing them by parent process.
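Because yara-python is not always available on an analysis host, the following Python, added here as an illustration and not part of naxonez's rule set, reproduces the rule's plain-string matching and its `any of them` condition over constructed byte strings, then applies a file-hash allowlist of the kind the exclusion scenarios above call for. It goes slightly beyond the rule by generalising `any of them` to `N of them` so the effect of tightening the condition can be seen. The sample blobs, the decorated symbol names used in the comparison sample and the allowlist contents are assumptions for the demonstration, not data from the page.

```python
"""Pure-Python re-implementation of the SEH__v4 match logic.

Added illustration, not code from naxonez/yaraRules.  It mimics how YARA
evaluates plain (ascii, case-sensitive) strings under an `any of them`
condition, then applies a file-hash allowlist as a tuning step.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# The three literal strings exactly as published in the rule.
SEH_V4_STRINGS = (
    b"____except__handler4",
    b"____local__unwind4",
    b"__XcptFilter",
)

# Assumption for the comparison sample below: decorated x86 CRT symbol
# names as a disassembler usually shows them for a VS2005+ build.  The
# first two are NOT substrings of the rule's literals.
CRT_DECORATED_NAMES = (b"__except_handler4", b"__local_unwind4", b"__XcptFilter")


def matched_strings(data: bytes, strings: tuple[bytes, ...] = SEH_V4_STRINGS) -> list[bytes]:
    """YARA matches a plain string anywhere in the file; `in` on bytes does the same."""
    return [s for s in strings if s in data]


def rule_fires(data: bytes, n_of_them: int = 1) -> bool:
    """`any of them` is `1 of them`; a larger n_of_them tightens the rule."""
    return len(matched_strings(data)) >= n_of_them


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Verdict:
    name: str
    fires: bool            # raw rule result
    hits: list[bytes]      # which rule strings matched
    allowlisted: bool      # file hash is known good
    weight: int            # 0 if suppressed or no match, else the rule's meta weight (1)


def triage(name: str, data: bytes, sha256_allowlist: set[str]) -> Verdict:
    """Combine the rule result with a file-level exclusion: known-good hashes score 0."""
    hits = matched_strings(data)
    allowed = sha256_hex(data) in sha256_allowlist
    weight = 1 if hits and not allowed else 0
    return Verdict(name, bool(hits), hits, allowed, weight)


# Constructed stand-ins for PE files: an MZ header, padding and a few
# NUL-terminated names.  Not real samples.
_PAD = b"MZ" + b"\x00" * 64
SAMPLE_RULE_LITERALS = _PAD + b"____except__handler4\x00__XcptFilter\x00"
SAMPLE_CRT_NAMES = _PAD + b"".join(n + b"\x00" for n in CRT_DECORATED_NAMES[:2])
SAMPLE_XCPT_ONLY = _PAD + b"_XcptFilter\x00__XcptFilter\x00"
SAMPLE_CLEAN = _PAD + b"ExitProcess\x00GetProcAddress\x00"

# Hypothetical allowlist: a signed vendor binary that happens to carry __XcptFilter.
KNOWN_GOOD_SHA256 = {sha256_hex(SAMPLE_XCPT_ONLY)}


def run_demo() -> dict[str, Verdict]:
    """Scan every constructed sample and return the per-file verdicts."""
    samples = {
        "rule-literals": SAMPLE_RULE_LITERALS,
        "crt-decorated-names": SAMPLE_CRT_NAMES,
        "xcptfilter-only": SAMPLE_XCPT_ONLY,
        "clean": SAMPLE_CLEAN,
    }
    return {name: triage(name, data, KNOWN_GOOD_SHA256) for name, data in samples.items()}


if __name__ == "__main__":
    for v in run_demo().values():
        print(f"{v.name:22} fires={str(v.fires):5} weight={v.weight} hits={[h.decode() for h in v.hits]}")
```

The "crt-decorated-names" sample is the one to watch: a blob carrying the usual decorated handler names does not match the rule as published, only the `__XcptFilter` literal lines up, which is why the comment in the rule asks for a test against a real VS2005+ build. The "xcptfilter-only" sample shows the allowlist doing its job: the rule still fires, but the triage weight drops to 0 once the hash is known good.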