The hypothesis is that this rule identifies malicious documents by a specific getEIP (also called getPC) byte sequence: a CALL with a zero displacement (E8 00 00 00 00) that pushes the address of the next instruction, followed by a POP into a 32-bit register that retrieves it. Position-independent shellcode uses this trick to learn its own address in memory, so finding the sequence inside a document points to embedded shellcode of the kind delivered through memory-corruption exploits rather than to ordinary document content. SOC teams should proactively hunt for this behavior, for example by forwarding scanner hits to Azure Sentinel, to identify advanced persistent threats that may evade traditional signature-based detection.
YARA Rule
rule maldoc_getEIP_method_1 : maldoc
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        // E8 00 00 00 00 = CALL rel32 with displacement 0 (call to the next
        // instruction); 58..5F = POP eax/ecx/edx/ebx/esp/ebp/esi/edi
        $a = {E8 00 00 00 00 (58|59|5A|5B|5C|5D|5E|5F)}
    condition:
        $a
}
This YARA rule can be deployed in the following contexts:
This rule contains one string pattern ($a) in its detection logic. It matches raw bytes, so shellcode that a document stores in encoded form (hex-encoded \objdata in RTF, base64 in VBA, or files inside the zip container of OOXML) is only detected once the scanner decodes that layer. When the rule is run against files, exclusions must be tied to the scanned object itself (file hash, path or signer); the process-based exclusions in the scenarios below apply only when the rule is run against process memory.
Scenario: A legitimate system update or patching tool (e.g., Windows Update, SCCM) executes code that uses a getEIP-style call/pop sequence.
Filter/Exclusion: Check whether the parent process or command line is wuauclt.exe, ccmexec.exe or msiexec.exe with known update-related arguments, and confirm the binary's publisher signature before excluding it.
Scenario: A scheduled backup job (e.g., Veeam, Backup Exec) triggers a memory dump or analysis tool whose output matches the YARA signature.
Filter/Exclusion: Exclude processes whose command lines contain backup, restore or snapshot only when the process is also confirmed to belong to a known backup tool; the keywords alone are trivial for an attacker to add.
Scenario: A system administrator runs a memory analysis tool (e.g., Volatility, Rekall) for incident response or forensic analysis, and the dumps it reads contain the sequence.
Filter/Exclusion: Exclude processes whose command lines contain volatility, rekall or memory dump, and verify that the user is a member of the incident response team rather than merely holding elevated privileges.
Scenario: A legitimate anti-virus or endpoint protection tool (e.g., CrowdStrike, Bitdefender) performs heuristic analysis and triggers the rule.
Filter/Exclusion: Exclude processes whose parent or command line is the AV tool's own executable (e.g., cswd.exe, bdagent.exe), or check the vendor's documentation for known false positives.
Scenario: A PowerShell script or command-line tool (e.g., PowerShell.exe, cmd.exe) used for administrative tasks such as log analysis or configuration changes matches the YARA signature.
Filter/Exclusion: Exclude processes with command lines containing PowerShell, log, config or audit only when the script is also signed by a trusted publisher; the keywords alone are too broad, since any attacker can place them on a command line.
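The rule's detection logic and the exclusion caveats above, re-implemented as an added example in Python. This is editor-written code, not Didier Stevens' rule or any tool from this page: the helper names (find_geteip, decode_rtf_objdata, scan), the simplified \objdata decoder and all sample bytes are assumptions constructed for illustration. It shows what the rule alone does not: that hex-encoded RTF objects must be decoded before the pattern can match, and that excluding a verified-benign object by content hash is tighter than excluding by command-line keyword.

```python
"""Added example: pure-Python re-implementation of the maldoc_getEIP_method_1
logic, plus two practitioner checks the YARA rule itself does not perform:
decoding hex-encoded RTF \\objdata before matching, and allowlisting by
file hash instead of by process name. All sample inputs are constructed."""
import hashlib
import re
from typing import Dict, FrozenSet, List, Tuple

# E8 rel32 with rel32 = 0 is a CALL to the very next instruction: it pushes
# the address of that instruction as the return address. The following
# POP r32 (opcodes 58..5F) then holds the current EIP, the getEIP trick that
# position-independent shellcode uses to find itself. This is the rule's $a.
GETEIP_RE = re.compile(rb"\xe8\x00\x00\x00\x00([\x58-\x5f])")
POP_REGS = {0x58: "eax", 0x59: "ecx", 0x5A: "edx", 0x5B: "ebx",
            0x5C: "esp", 0x5D: "ebp", 0x5E: "esi", 0x5F: "edi"}

# Simplified RTF \objdata extractor (assumption: hex payload directly after
# the control word, as in common exploit documents; not a full RTF parser).
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def find_geteip(data: bytes) -> List[Tuple[int, str]]:
    """Offset and popped register for every match of the rule's pattern."""
    return [(m.start(), POP_REGS[m.group(1)[0]]) for m in GETEIP_RE.finditer(data)]


def decode_rtf_objdata(data: bytes) -> List[bytes]:
    """Hex-decode each \\objdata payload so shellcode inside it can be scanned."""
    blobs = []
    for m in OBJDATA_RE.finditer(data):
        digits = b"".join(m.group(1).split())
        if len(digits) % 2:
            digits = digits[:-1]  # drop a dangling nibble rather than fail
        blobs.append(bytes.fromhex(digits.decode("ascii")))
    return blobs


def scan(data: bytes, allowlist_sha256: FrozenSet[str] = frozenset()) -> Dict:
    """Scan raw bytes and decoded RTF objects; skip known-good files by hash.

    A content-hash exclusion is bound to the exact object that was verified,
    unlike command-line keywords, which an attacker can supply at will.
    """
    digest = hashlib.sha256(data).hexdigest()
    result = {"sha256": digest, "allowlisted": digest in allowlist_sha256, "hits": []}
    if result["allowlisted"]:
        return result
    for off, reg in find_geteip(data):
        result["hits"].append({"layer": "raw", "offset": off, "reg": reg})
    for i, blob in enumerate(decode_rtf_objdata(data)):
        for off, reg in find_geteip(blob):
            result["hits"].append({"layer": f"rtf-objdata[{i}]", "offset": off, "reg": reg})
    return result


# --- constructed samples (not real malware and not real documents) ---
# call $+5 ; pop ebx ; sub ebx, 5  -> ebx = address of the stub's first byte
SHELLCODE_STUB = bytes.fromhex("e8000000005b83eb05")
# 57 after the CALL is PUSH edi, not a POP, so this must not match
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
              + bytes.fromhex("e80000000057") + b"\n%%EOF\n")
# RTF stores the embedded object as ASCII hex, so the raw bytes never contain
# E8 00 00 00 00; the stub is only visible after decoding (8-byte header first)
RTF_HEX_ENCODED = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105000002000000"
                   + SHELLCODE_STUB.hex().encode("ascii") + b"}}}")

if __name__ == "__main__":
    for name, sample in [("stub", SHELLCODE_STUB), ("pdf", BENIGN_PDF), ("rtf", RTF_HEX_ENCODED)]:
        print(name, scan(sample)["hits"])
    # allowlisting the verified-benign stub by hash suppresses its hit
    known_good = frozenset([scan(SHELLCODE_STUB)["sha256"]])
    print("allowlisted", scan(SHELLCODE_STUB, known_good)["hits"])
```

Run as a script, the stub reports one raw hit popping into ebx, the PDF-like buffer reports none because PUSH edi is not a POP, and the RTF sample reports a hit only in the decoded objdata layer. In production the same scan would be driven by the real YARA engine; the point of the example is the decode-then-match order and the hash-bound exclusion, not the matcher itself.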