Shellcode embedded in malicious documents commonly reads the head of the structured exception handling (SEH) chain from the Thread Environment Block with mov reg, fs:[0], either to install or walk an exception handler during exploitation or as an anti-debugging step. Obfuscation applied to the surrounding document (macro, RTF or PDF layer) does not change these raw x86 bytes, so they remain a usable signature when the document itself evades content-based detection. SOC teams can hunt for this byte sequence in Azure Sentinel (now Microsoft Sentinel) to surface documents carrying embedded shellcode. The rule below is by Didier Stevens (per its meta section) and is tagged maldoc.
YARA Rule
rule maldoc_structured_exception_handling : maldoc
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        // 64 8B /r 00 00 00 00 : mov r32, fs:[0]
        // 64 = FS segment override, 8B = MOV r32,r/m32, ModRM has mod=00 rm=101 (disp32);
        // the alternation enumerates the eight 32-bit destination registers (eax..edi)
        $a1 = {64 8B (05|0D|15|1D|25|2D|35|3D) 00 00 00 00}
        // 64 A1 00 00 00 00 : mov eax, fs:[0] in the short moffs32 encoding, not covered by $a1
        $a2 = {64 A1 00 00 00 00}
    condition:
        any of them
}
The rule contains two string patterns and fires when either is present (any of them). Both encode a read of fs:[0], the ExceptionList pointer at the start of the TEB: $a1 is the 64 8B /r form, whose ModRM alternation covers mov eax/ecx/edx/ebx/esp/ebp/esi/edi, fs:[0], and $a2 is the shorter 64 A1 moffs32 encoding of mov eax, fs:[0], which $a1 does not match. It can be deployed anywhere YARA can be run over document content (mail and sandbox pipelines, file-share or endpoint file scans, attachment analysis).
Tuning notes: the rule matches seven bytes of x86 machine code, so it only fires on files (or memory) that actually contain that code. Script-level exception handling never produces this byte sequence: a scheduled PowerShell cleanup job with try/catch, a Group Policy update script, a backup job or the Event Log service run no such instruction inside a document, so exclusions keyed on process.name or process.args do not reduce false positives for this rule. The scenarios that do produce benign matches, and the filters that address them, are:
Scenario: A compiled 32-bit Windows executable or DLL. The MSVC SEH prologue (mov eax, fs:[0] / push eax / mov fs:[0], esp) means almost every such binary matches, so the rule is only meaningful on document formats.
Filter/Exclusion: add "and uint16(0) != 0x5A4D" to the condition so PE files ("MZ" at offset 0) are skipped, or scope the scan to Office, RTF and PDF files.
Scenario: A document that carries a legitimate embedded PE (an OLE Package object or an installer attachment) inherits the match from the embedded binary.
Filter/Exclusion: extract the embedded object and triage it as a PE; treat matches in the document's own streams (macros, small shellcode-sized blobs) as the hunt signal.
Scenario: Memory or process-dump scans of legitimate applications such as Microsoft Office or Visual Studio, which use SEH during normal operation and therefore contain the instruction in loaded code.
Filter/Exclusion: restrict the rule to on-disk document scans; when scanning memory, require an additional indicator alongside the match (a decoder loop, API hashing, a GetPC stub) rather than excluding by process name.
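The following Python is an added example, not part of the original page or of Didier Stevens' ruleset. It re-implements the rule's two byte patterns with the standard library (no yara-python dependency), decodes which register each $a1 hit loads from the ModRM byte, and applies the tuning described in the scenarios above by suppressing matches that sit inside a PE image (where they are the compiler's SEH prologue) while keeping matches in non-PE files as hunt candidates. All sample buffers are constructed for this example; the DOC_WITH_SHELLCODE fragment is a hand-assembled stub, not real malware, and is_pe only checks the MZ header and the PE signature at e_lfanew.

```python
import re
import struct

# Byte patterns lifted from the YARA rule, expressed as byte regexes.
#   $a1: 64 8B /r 00 00 00 00 -> mov r32, fs:[0]; the ModRM byte has mod=00 and
#        rm=101 (absolute disp32), and bits 3-5 select the destination register.
#   $a2: 64 A1 00 00 00 00    -> mov eax, fs:[0] in the short moffs32 encoding,
#        which $a1 does not cover.
PATTERN_A1 = re.compile(rb"\x64\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D]\x00\x00\x00\x00")
PATTERN_A2 = re.compile(rb"\x64\xA1\x00\x00\x00\x00")

# x86 register numbering used by the ModRM reg field.
REGS = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")


def decode_register(modrm: int) -> str:
    """Return the register selected by bits 3-5 of a ModRM byte."""
    return REGS[(modrm >> 3) & 7]


def scan(data: bytes) -> list:
    """Mirror the rule: report every $a1/$a2 hit as (offset, string name, disassembly)."""
    hits = []
    for m in PATTERN_A1.finditer(data):
        reg = decode_register(m.group(0)[2])
        hits.append((m.start(), "$a1", f"mov {reg}, fs:[0]"))
    for m in PATTERN_A2.finditer(data):
        hits.append((m.start(), "$a2", "mov eax, fs:[0]"))
    return sorted(hits)


def is_pe(data: bytes) -> bool:
    """True when the buffer is a PE image: 'MZ' header and e_lfanew pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(data: bytes) -> str:
    """Apply the tuning from the text: a match inside a PE is the compiler's SEH
    prologue and is expected; a match inside a non-PE file is worth hunting."""
    hits = scan(data)
    if not hits:
        return "no_match"
    if is_pe(data):
        return "pe_seh_prologue"
    return "hunt"


# --- constructed samples (hypothetical, made up for this example) ---

# A CFB/OLE-style header followed by a shellcode fragment that loads the SEH
# chain head into esi and then dereferences it.
DOC_WITH_SHELLCODE = (
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 8
    + b"\x64\x8B\x35\x00\x00\x00\x00"      # mov esi, fs:[0]   (matches $a1, offset 16)
    + b"\x8B\x76\x0C"                      # mov esi, [esi+0x0C]
)

# A minimal PE skeleton whose first code bytes are the MSVC-style SEH prologue.
PE_SAMPLE = (
    b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)   # DOS header, e_lfanew = 0x40
    + b"PE\x00\x00"                                          # PE signature at 0x40
    + b"\x64\xA1\x00\x00\x00\x00"          # mov eax, fs:[0]   (matches $a2, offset 68)
    + b"\x50"                              # push eax
    + b"\x64\x89\x25\x00\x00\x00\x00"      # mov fs:[0], esp   (no match: opcode 89, not 8B)
)

# A document with no x86 code at all.
CLEAN_DOC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 64 + b"Quarterly report"


if __name__ == "__main__":
    for name, blob in (("doc", DOC_WITH_SHELLCODE), ("pe", PE_SAMPLE), ("clean", CLEAN_DOC)):
        print(f"{name}: {triage(blob)} {scan(blob)}")
```

The is_pe gate is the Python equivalent of adding "uint16(0) != 0x5A4D" to the YARA condition; in a real pipeline the embedded-object case from the second scenario is handled by running triage on each extracted OLE object separately, so a PE packaged inside a document is classified as pe_seh_prologue while shellcode in the document's own streams still returns hunt.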