Attackers may be attempting to exploit SEH vectored exceptions to execute arbitrary code, leveraging this technique to bypass standard mitigation strategies. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential advanced persistent threats that evade traditional detection mechanisms.
YARA Rule
rule SEH__vectored : AntiDebug SEH {
meta:
weight = 1
Author = "naxonez"
reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
strings:
$ = "AddVectoredExceptionHandler"
$ = "RemoveVectoredExceptionHandler"
condition:
any of them
}This YARA rule can be deployed in the following contexts:
Scenario: Windows Update installation using wuauclt.exe
Filter/Exclusion: process.name != "wuauclt.exe" or process.parent.name != "svchost.exe"
Scenario: Scheduled Task running a legitimate script (e.g., powershell.exe executing a maintenance script)
Filter/Exclusion: process.name != "powershell.exe" or process.parent.name != "schtasks.exe"
Scenario: Microsoft Edge or Internet Explorer handling a legitimate JavaScript or ActiveX control
Filter/Exclusion: process.name != "msedge.exe" and process.name != "iexplore.exe"
Scenario: System File Checker (SFC) or DISM running during system maintenance
Filter/Exclusion: process.name != "dism.exe" or process.name != "sfcos.exe"
Scenario: Antivirus or endpoint protection software performing a scan (e.g., mpcmdrun.exe from Microsoft Defender)
Filter/Exclusion: process.name != "mpcmdrun.exe" or process.parent.name != "svchost.exe"