From 68c956b0703416c5ba06405ee06908aabd23a090 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Wed, 28 Jan 2026 11:33:17 +0100
Subject: [PATCH] feat(rules): Add Thread context manipulation from exception handler rule

Identifies attempts to manipulate thread context from inside the exception handler. Attackers can hijack execution as part of stealthy process injection or patchless AMSI bypass techniques.
---
 ...xt_manipulation_from_exception_handler.yml | 32 +++++++++++++++++++
 rules/macros/macros.yml | 3 ++
 2 files changed, 35 insertions(+)
 create mode 100644 rules/defense_evasion_thread_context_manipulation_from_exception_handler.yml

diff --git a/rules/defense_evasion_thread_context_manipulation_from_exception_handler.yml b/rules/defense_evasion_thread_context_manipulation_from_exception_handler.yml
new file mode 100644
index 000000000..ec659fb4f
--- /dev/null
+++ b/rules/defense_evasion_thread_context_manipulation_from_exception_handler.yml
@@ -0,0 +1,32 @@
+name: Thread context manipulation from exception handler
+id: 9e52cd07-b07a-4f2b-b326-cad8524401c8
+version: 1.0.0
+description: |
+ Identifies attempts to manipulate thread context from inside the exception handler.
+ Attackers can hijack execution as part of stealthy process injection or patchless
+ AMSI bypass techniques.
+labels:
+ tactic.id: TA0005
+ tactic.name: Defense Evasion
+ tactic.ref: https://attack.mitre.org/tactics/TA0005/
+ technique.id: T1055
+ technique.name: Process Injection
+ technique.ref: https://attack.mitre.org/techniques/T1055/
+references:
+ - https://www.crowdstrike.com/en-us/blog/crowdstrike-investigates-threat-of-patchless-amsi-bypass-attacks/
+
+condition: >
+ ((set_thread_context) or (set_thread_context_failed)) and
+ thread.callstack.symbols imatches ('ntdll.dll!KiUserExceptionDispatcher') and
+ ps.exe not imatches
+ (
+ '?:\\Windows\\System32\\wermgr.exe',
+ '?:\\Windows\\System32\\WerFault.exe',
+ '?:\\Windows\\System32\\taskhostw.exe',
+ '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe',
+ '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\NisSrv.exe'
+ )
+
+severity: high
+
+min-engine-version: 3.0.0
diff --git a/rules/macros/macros.yml b/rules/macros/macros.yml
index 21446518a..b16add747 100644
--- a/rules/macros/macros.yml
+++ b/rules/macros/macros.yml
@@ -73,6 +73,9 @@
 - macro: set_thread_context
  expr: evt.name = 'SetThreadContext' and evt.arg[status] = 'Success'
+- macro: set_thread_context_failed
+ expr: evt.name = 'SetThreadContext' and evt.arg[status] != 'Success'
+
 - macro: virtual_alloc
  expr: evt.name = 'VirtualAlloc'
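Review bot: The disjunction `((set_thread_context) or (set_thread_context_failed))` in the `condition` is, given the two macro bodies in the macros.yml hunk of this same patch, equivalent to matching every `SetThreadContext` event regardless of status, so the rule also fires on failed calls, and the `description` does not say so; an analyst reading the alert will otherwise expect that the thread context was actually changed. I would add a sentence to the description such as `Both successful and failed SetThreadContext calls are matched, since a blocked attempt from an exception handler still indicates the technique.` The `ps.exe not imatches` exclusion list is likewise undocumented: a short note stating why wermgr.exe, WerFault.exe, taskhostw.exe and the Defender binaries are excluded (presumably they legitimately set thread context while dispatching exceptions; worth confirming) would make later tuning safer. The two `\\*\\` entries under ProgramData are broader than the fixed System32 paths, so they are the ones to revisit first if the exclusion list is ever narrowed by an additional process attribute.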