Malicious documents may embed shellcode that uses a specific instruction sequence to locate the kernel32 base address in memory, a technique that can indicate an attempt to evade standard detection mechanisms. SOC teams should proactively hunt for this pattern in Azure Sentinel to identify potential advanced persistent threat activity that may bypass traditional defenses.
YARA Rule
rule maldoc_find_kernel32_base_method_3 : maldoc
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a = {68 30 00 00 00 (58|59|5A|5B|5C|5D|5E|5F) 64 8B ??}
    condition:
        for any i in (1..#a): (((uint8(@a[i] + 5) & 0x07) == (uint8(@a[i] + 8) & 0x07)) and (uint8(@a[i] + 8) <= 0x3F) and (((uint8(@a[i] + 8) & 0x38) >> 3) != (uint8(@a[i] + 8) & 0x07)))
}
This rule contains one string pattern ($a) in its detection logic. The following scenarios describe contexts in which this YARA rule may be deployed and where legitimate activity may require filtering:
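The string $a matches the three-instruction sequence push 0x30 / pop reg / mov reg2, fs:[reg], a way of reading the PEB pointer held at fs:[0x30] without a literal fs:[30h] operand, and the condition checks the register fields: the popped register (low three bits of the pop opcode) must be the base register of the mov (r/m field of the ModRM byte), the ModRM byte must encode mod == 00 (no displacement), and the destination register must differ from the base register. The following pure-Python re-implementation of that string and condition is an added example, not code from the rule's author or from the page; the byte samples it scans are constructed for illustration and the function names are the example's own.

```python
import re

# x86 (32-bit) opcode facts the rule relies on:
#   68 imm32      push imm32          (here: push 0x30)
#   58..5F        pop r32             (register number = opcode & 7)
#   64 8B /r      mov r32, fs:[...]   (64 = FS segment override, 8B = mov r32, r/m32, then ModRM)
# ModRM byte: mod = bits 7-6, reg = bits 5-3 (destination), r/m = bits 2-0 (base register when mod == 00)

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Equivalent of the rule's $a = {68 30 00 00 00 (58|59|5A|5B|5C|5D|5E|5F) 64 8B ??}
PATTERN = re.compile(rb"\x68\x30\x00\x00\x00[\x58-\x5F]\x64\x8B.", re.DOTALL)


def modrm_fields(modrm: int):
    """Split a ModRM byte into (mod, reg, rm)."""
    return (modrm >> 6) & 0x03, (modrm >> 3) & 0x07, modrm & 0x07


def condition_holds(data: bytes, off: int) -> bool:
    """The rule's condition for one hit of $a at offset `off` (mirrors @a[i] + 5 and @a[i] + 8)."""
    pop_opcode = data[off + 5]          # uint8(@a[i] + 5): the pop instruction
    modrm = data[off + 8]               # uint8(@a[i] + 8): ModRM byte of the mov
    mod, reg, rm = modrm_fields(modrm)
    popped = pop_opcode & 0x07
    return (
        rm == popped        # first clause: the mov reads through the register that was just popped
        and modrm <= 0x3F   # second clause: mod == 00, memory operand with no displacement
        and reg != rm       # third clause: destination register differs from the base register
    )


def scan(data: bytes):
    """Offsets of every $a hit whose condition holds; the rule fires when this list is non-empty."""
    return [m.start() for m in PATTERN.finditer(data) if condition_holds(data, m.start())]


def describe(data: bytes, off: int) -> str:
    """Readable rendering of a matching sequence (accurate for mod == 00 with a plain base register)."""
    popped = REGS[data[off + 5] & 0x07]
    _, reg, rm = modrm_fields(data[off + 8])
    return f"push 0x30; pop {popped}; mov {REGS[reg]}, fs:[{REGS[rm]}]"


# Constructed samples (not taken from any real document):
# push 0x30; pop ecx; mov eax, fs:[ecx]        -> reads the PEB pointer via fs:[0x30], matches
SAMPLE_HIT = b"\x68\x30\x00\x00\x00\x59\x64\x8B\x01"
# push 0x30; pop eax; mov eax, fs:[eax]        -> reg == rm, rejected by the third clause
SAMPLE_SAME_REG = b"\x68\x30\x00\x00\x00\x58\x64\x8B\x00"
# push 0x30; pop ecx; mov eax, fs:[ecx+disp8]  -> mod == 01 (ModRM 0x41 > 0x3F), rejected by the second clause
SAMPLE_DISP = b"\x68\x30\x00\x00\x00\x59\x64\x8B\x41"
# push 0x30; pop ecx; mov eax, fs:[edx]        -> base is not the popped register, rejected by the first clause
SAMPLE_OTHER_BASE = b"\x68\x30\x00\x00\x00\x59\x64\x8B\x02"

if __name__ == "__main__":
    blob = b"\x90" * 16 + SAMPLE_HIT + b"\xCC" * 4 + SAMPLE_SAME_REG
    for off in scan(blob):
        print(f"match at offset {off}: {describe(blob, off)}")
```

Running the block scans a constructed blob containing one matching and one rejected sequence and reports only the former, which is the same decision the YARA engine makes: a hit on $a is necessary but not sufficient, and each of the three clauses removes a different near-miss encoding.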
Scenario: Windows Update Service Execution
Description: The Windows Update service may load kernel32.dll as part of its normal operation, which could trigger the rule due to the presence of kernel32 in memory.
Filter/Exclusion: Exclude processes associated with svchost.exe and wuauserv (Windows Update service).

Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task, such as disk defragmentation or system cleanup, may load kernel32.dll and use methods that match the detection logic.
Filter/Exclusion: Exclude processes with Task Scheduler or schtasks.exe in their command line or parent process chain.

Scenario: Antivirus or Endpoint Protection Scan
Description: Antivirus tools such as Microsoft Defender, Kaspersky, or Bitdefender may load kernel32.dll during a full system scan, triggering the rule.
Filter/Exclusion: Exclude processes with mpcmdrun.exe, mrt.exe, or avgnt.exe (depending on the AV tool).

Scenario: PowerShell Script Execution
Description: A legitimate PowerShell script may load kernel32.dll via Add-Type or DllImport, which could be flagged by the rule.
Filter/Exclusion: Exclude processes with powershell.exe and check for System.Management.Automation in the process name or command line.

Scenario: System File Checker (SFC) or DISM Scan
Description: The sfc /scannow or DISM command may load kernel32.dll as part of system integrity checks, causing a false positive.
Filter/Exclusion: Exclude processes with sfcos.exe or dism.exe in