Affect hook table

Hunt Hypothesis

The Affect hook table rule detects potential modification of system hook tables, which could indicate an adversary attempting to alter process behavior or evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage persistence or privilege escalation tactics that may not be captured by traditional detection methods.

YARA Rule

rule win_hook {
    meta:
        author = "x0r"
        description = "Affect hook table"
    version = "0.1"
    strings:
        $f1 = "user32.dll" nocase
        $c1 = "UnhookWindowsHookEx"
        $c2 = "SetWindowsHookExA"
        $c3 = "CallNextHookEx"
    condition:
        $f1 and 1 of ($c*)
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 4 string patterns in its detection logic.

• Source Rule

False Positive Guidance

• Scenario: System update or patching using Windows Update
  Filter/Exclusion: Check for ProcessName containing wuauclt.exe or WindowsUpdate.exe
  Rationale: Windows Update may interact with the hook table during installation, triggering the rule falsely.

• Scenario: Scheduled job running PowerShell scripts for system maintenance
  Filter/Exclusion: Filter by ProcessName containing powershell.exe and check for known maintenance scripts or paths like C:\Windows\System32\
  Rationale: PowerShell scripts used for system cleanup or configuration may interact with hook tables.

• Scenario: Group Policy Object (GPO) processing or refresh
  Filter/Exclusion: Check for ProcessName containing gpupdate.exe or services.exe with ServiceName gpsvc
  Rationale: GPO refresh can cause system-wide changes that may affect hook tables.

• Scenario: Task Scheduler executing a legitimate administrative task
  Filter/Exclusion: Filter by ProcessName containing schtasks.exe or check for scheduled tasks with known names like DailyBackup or SystemCheck
  Rationale: Scheduled tasks may perform actions that temporarily modify hook tables.

• Scenario: Windows Defender or Microsoft Defender ATP performing a full system scan
  Filter/Exclusion: Check for ProcessName containing MsMpEng.exe or WindowsDefenderATP.exe
  Rationale: Antivirus scans can interact with system hooks during deep file inspection.