Malicious documents that contain a getEIP stub may carry embedded malicious code designed to execute arbitrary commands, so proactive hunting for this pattern in Azure Sentinel helps identify and mitigate such threats early. SOC teams should prioritize this behavior: it can be a signature of advanced persistent threats that use document-based attack vectors to evade traditional detection methods.
YARA Rule
rule maldoc_getEIP_method_4 : maldoc
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        // fldz ; fnstenv [esp-0Ch] ; pop r32 : FPU-based GetPC stub, r32 receives the address of the fldz instruction
        $a1 = {D9 EE D9 74 24 F4 (58|59|5A|5B|5C|5D|5E|5F)}
        // same stub with an fwait (9B) before the store: fldz ; fstenv [esp-0Ch] ; pop r32
        $a2 = {D9 EE 9B D9 74 24 F4 (58|59|5A|5B|5C|5D|5E|5F)}
    condition:
        any of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
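To make the two hex strings concrete, the following is an added example (not part of the page or of the rule author's tooling) that reproduces the rule's matching logic in pure Python, reports the offset of each hit and decodes which register the trailing POP loads. The sample buffer is constructed for the demonstration; it wraps the $a2 byte sequence in filler bytes.

```python
import re
from typing import List, Tuple

# The register is encoded in the low 3 bits of the single-byte POP opcode (0x58..0x5F).
POP_REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Byte-level equivalents of the rule's two hex strings:
#   $a1: D9 EE          fldz
#        D9 74 24 F4    fnstenv [esp-0Ch]  ; stores the FPU environment, including the
#                                          ; EIP of the last FPU instruction (the fldz)
#        58..5F         pop r32            ; r32 now holds the address of fldz
#   $a2: the same stub with 9B (fwait) between fldz and the store, i.e. fstenv encoding
GETEIP_PATTERNS = {
    "a1": re.compile(rb"\xD9\xEE\xD9\x74\x24\xF4([\x58-\x5F])"),
    "a2": re.compile(rb"\xD9\xEE\x9B\xD9\x74\x24\xF4([\x58-\x5F])"),
}


def find_geteip_stubs(data: bytes) -> List[Tuple[str, int, str]]:
    """Return (pattern_name, offset, register) for every match, like YARA's string scan."""
    hits = []
    for name, pat in GETEIP_PATTERNS.items():
        for m in pat.finditer(data):
            reg = POP_REGS[m.group(1)[0] & 0x07]
            hits.append((name, m.start(), reg))
    return sorted(hits, key=lambda h: h[1])


def matches_rule(data: bytes) -> bool:
    """Equivalent of the rule's 'condition: any of them'."""
    return bool(find_geteip_stubs(data))


# Constructed sample: 16 bytes of filler, then the $a2 stub ending in pop ebx (0x5B),
# then some harmless trailing bytes.
SAMPLE = b"\x00" * 16 + b"\xD9\xEE\x9B\xD9\x74\x24\xF4\x5B" + b"Hello" + b"\x90" * 8

if __name__ == "__main__":
    for name, off, reg in find_geteip_stubs(SAMPLE):
        print(f"${name} at offset 0x{off:x}: fldz/fstenv GetPC stub, address lands in {reg}")
```

Running the scanner over files extracted from a suspicious document (OLE streams, embedded objects) gives the same hits the YARA rule would, plus the register that the shellcode will use as its base pointer.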
Scenario: A legitimate system update or patching tool (e.g., Windows Update, SCCM) uses a method similar to getEIP during its execution.
Filter/Exclusion: Check for the presence of known update or patching tool hashes or process names in the event log or process tree.

Scenario: A scheduled system maintenance task (e.g., schtasks.exe) runs a script or executable that contains a method resembling getEIP due to code reuse or obfuscation.
Filter/Exclusion: Exclude processes associated with known system maintenance tasks or check for the presence of schtasks.exe in the process tree.

Scenario: A legitimate security tool (e.g., Microsoft Defender ATP, CrowdStrike Falcon) performs memory analysis or sandboxing techniques that may trigger the getEIP method.
Filter/Exclusion: Exclude processes related to known endpoint protection tools or use process name whitelisting for security software.

Scenario: A database backup or restore job (e.g., SQL Server Backup, Oracle RMAN) executes a script that includes a method with similar behavior to getEIP due to code structure.
Filter/Exclusion: Filter out processes related to database management systems or check for the presence of known backup/restore tool hashes.

Scenario: A legitimate administrative task (e.g., taskmgr.exe, regedit.exe) is used to modify registry keys or system settings, and the associated script or tool contains code that matches the getEIP method.
Filter/Exclusion: Exclude processes associated with standard administrative tools or use process name whitelisting for known administrative utilities.