Shellcode carried by malicious documents may locate the kernel32 base address in memory through indirect methods rather than a documented API call, a technique used to evade standard detection and a common precursor to code injection or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify advanced threats that bypass traditional memory scanning techniques.
YARA Rule
rule maldoc_find_kernel32_base_method_2 : maldoc
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a = {31 ?? ?? 30 64 8B ??}
    condition:
        for any i in (1..#a): ((uint8(@a[i] + 1) >= 0xC0) and (((uint8(@a[i] + 1) & 0x38) >> 3) == (uint8(@a[i] + 1) & 0x07)) and ((uint8(@a[i] + 2) & 0xF8) == 0xA0) and (uint8(@a[i] + 6) <= 0x3F) and (((uint8(@a[i] + 6) & 0x38) >> 3) != (uint8(@a[i] + 6) & 0x07)))
}
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern in its detection logic; the hex string only narrows the search, and the condition does the real work by decoding the ModR/M bytes at fixed offsets from each match.
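To make the condition readable, the following added example (not part of the original page or of Didier Stevens' rule set) re-implements the rule's per-match logic in Python and runs it over constructed byte buffers. The checks decode x86 ModR/M fields: bits 7-6 are mod, bits 5-3 are reg, bits 2-0 are rm. A ModR/M byte of 0xC0 or above means both operands are registers, and a value of 0x3F or below means mod is 00 (a memory operand with no displacement). The `64 8B` bytes are the FS segment override plus a `mov r32, r/m32`, and the 0x30 immediate matches the TEB offset of the PEB pointer. The sample buffers are constructed solely to exercise the byte-level checks; they are not taken from any real document. The function and constant names are this example's own.

```python
import re
from typing import List, Tuple

# The YARA hex string {31 ?? ?? 30 64 8B ??} expressed as a bytes regex.
# DOTALL is required so that '.' also matches the 0x0A byte.
PATTERN = re.compile(rb"\x31..\x30\x64\x8B.", re.DOTALL)


def modrm_fields(b: int) -> Tuple[int, int, int]:
    """Split a ModR/M byte into its (mod, reg, rm) bit fields."""
    return (b >> 6) & 0x03, (b >> 3) & 0x07, b & 0x07


def condition_holds(data: bytes, off: int) -> bool:
    """Re-implementation of the rule's condition for a hex-string match at `off`.

    Offsets mirror the rule: uint8(@a[i] + 1), + 2 and + 6.
    """
    if off + 7 > len(data):
        return False
    b1, b2, b6 = data[off + 1], data[off + 2], data[off + 6]
    _, reg1, rm1 = modrm_fields(b1)
    _, reg6, rm6 = modrm_fields(b6)
    return (
        # +1: register-to-register xor with the same register on both sides
        b1 >= 0xC0 and reg1 == rm1
        # +2: high five bits of the third byte are 0xA0, as written in the rule
        and (b2 & 0xF8) == 0xA0
        # +6: mod == 00 (no displacement) and the destination differs from the base register
        and b6 <= 0x3F and reg6 != rm6
    )


def find_matches(data: bytes) -> List[int]:
    """Return every offset where the hex string matches and the condition holds.

    YARA reports overlapping matches, so each offset is tested individually
    instead of relying on re.finditer (which skips overlaps).
    """
    hits = []
    for off in range(len(data)):
        if PATTERN.match(data, off) and condition_holds(data, off):
            hits.append(off)
    return hits


# Constructed samples (not real shellcode): one sequence that satisfies every
# check, and a near miss whose last ModR/M byte uses the same register in both
# fields, so the hex string matches but the condition rejects it.
MATCHING = bytes.fromhex("31C0A03064 8B01".replace(" ", ""))  # xor eax,eax ... fs:[ecx]
NEAR_MISS = bytes.fromhex("31C0A030648B00")                    # reg == rm at offset +6
SAMPLE = b"\x00" * 4 + MATCHING + b"\x00" * 2 + NEAR_MISS


if __name__ == "__main__":
    print("match offsets:", find_matches(SAMPLE))   # expected: [4]
```

Running the block prints a single hit at offset 4; the near miss at offset 13 passes the hex-string stage but fails the final reg != rm check, which is exactly the false-positive filtering the condition exists to provide.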
Scenario: Windows Update Installer (wuauclt.exe)
Description: The Windows Update installer may load kernel32.dll and use methods that match the YARA rule due to its system-level operations.
Filter/Exclusion: Exclude processes with ImageFileName == "wuauclt.exe" or ProcessName == "C:\Windows\System32\wuauclt.exe"
Scenario: Scheduled Task Running System Maintenance
Description: A legitimate scheduled task (e.g., Task Scheduler) may execute scripts or tools that interact with kernel32.dll in a way that triggers the rule.
Filter/Exclusion: Exclude processes with ProcessName == "C:\Windows\System32\taskhost.exe" or CommandLine contains "schtasks.exe"
Scenario: Microsoft System Configuration Tool (msconfig.exe)
Description: The msconfig.exe tool, used for system configuration, may load kernel32.dll and use methods that match the rule.
Filter/Exclusion: Exclude processes with ImageFileName == "msconfig.exe" or ProcessName == "C:\Windows\System32\msconfig.exe"
Scenario: PowerShell Script Running Administrative Tasks
Description: A PowerShell script performing administrative tasks (e.g., registry edits, service management) may load kernel32.dll and trigger the rule.
Filter/Exclusion: Exclude processes with ProcessName == "powershell.exe" and CommandLine contains " -Command" or check for known benign scripts in a trusted directory.
Scenario: Antivirus or Endpoint Protection Scan
Description: Antivirus tools like Microsoft Defender or Kaspersky may load kernel32.dll during a scan and use methods that match the rule.
Filter/Exclusion: Exclude processes with ProcessName == "mpsvr.exe