Adversaries may attempt to detect whether their process is being debugged, either to evade analysis or to change their behavior when a debugger is attached. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential evasion tactics and early-stage compromises.
YARA Rule
rule anti_dbg {
    meta:
        author = "x0r"
        description = "Checks if being debugged"
        version = "0.2"
    strings:
        $d1 = "Kernel32.dll" nocase
        $c1 = "CheckRemoteDebuggerPresent"
        $c2 = "IsDebuggerPresent"
        $c3 = "OutputDebugString"
        $c4 = "ContinueDebugEvent"
        $c5 = "DebugActiveProcess"
    condition:
        $d1 and 1 of ($c*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 6 string patterns in its detection logic.
Scenario: System administrator using a debugger tool for troubleshooting a crashing application
Filter/Exclusion: Exclude processes associated with known debugging tools like gdb, windbg, or x64dbg by checking the process name or command line arguments.

Scenario: Scheduled job running a diagnostic script that temporarily attaches to a process for logging purposes
Filter/Exclusion: Exclude processes with command lines containing keywords like diag, log, or monitor, or filter by specific user accounts used for scheduled tasks.

Scenario: Security tool or endpoint protection software performing a memory analysis or integrity check
Filter/Exclusion: Exclude processes from known security tools like Microsoft Defender, Malwarebytes, or Bitdefender by checking the process name or parent process.

Scenario: Development environment where a developer is using a debugger to test a local application
Filter/Exclusion: Exclude processes running under a specific development user account or those with command lines containing debug, test, or dev.

Scenario: Automated testing framework that uses a debugger to simulate user interaction during test runs
Filter/Exclusion: Exclude processes associated with testing frameworks like Selenium, JMeter, or Postman by checking the process name or parent process.
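To make the rule's condition and its false-positive profile concrete, the following added example (not part of the original rule or page) re-implements the anti_dbg logic in plain Python and runs it over constructed byte buffers that stand in for the import-name region of a PE file. The buffers are made up; the string set and the condition are taken verbatim from the rule above.

```python
import re

# Strings from the anti_dbg rule. Only $d1 carries the nocase modifier, so the
# API names must appear with exactly this casing, as YARA would require.
ANTI_DBG_STRINGS = {
    "$d1": (b"Kernel32.dll", True),            # (pattern, nocase)
    "$c1": (b"CheckRemoteDebuggerPresent", False),
    "$c2": (b"IsDebuggerPresent", False),
    "$c3": (b"OutputDebugString", False),      # also hits the ...A / ...W variants
    "$c4": (b"ContinueDebugEvent", False),
    "$c5": (b"DebugActiveProcess", False),
}


def find_strings(data: bytes) -> dict:
    """Return {identifier: [offsets]} for each rule string found in data.

    Offsets are what an analyst would use to confirm a hit sits in the import
    table rather than in an unrelated blob of text.
    """
    hits = {}
    for ident, (pattern, nocase) in ANTI_DBG_STRINGS.items():
        flags = re.IGNORECASE if nocase else 0
        offsets = [m.start() for m in re.finditer(re.escape(pattern), data, flags)]
        if offsets:
            hits[ident] = offsets
    return hits


def anti_dbg_matches(data: bytes) -> bool:
    """Evaluate the rule condition: $d1 and 1 of ($c*)."""
    hits = find_strings(data)
    return "$d1" in hits and any(ident.startswith("$c") for ident in hits)


# Constructed samples (not real binaries): NUL-separated import names.
SAMPLE_EVASIVE = b"\x00kernel32.dll\x00IsDebuggerPresent\x00CheckRemoteDebuggerPresent\x00"
SAMPLE_BENIGN = b"\x00KERNEL32.DLL\x00CreateFileW\x00ReadFile\x00"
SAMPLE_NO_DLL = b"\x00IsDebuggerPresent\x00"      # API name without the DLL string
# A legitimate debugger imports the same debug APIs, which is why the process
# based exclusions listed above are needed alongside the rule.
SAMPLE_DEBUGGER = b"\x00Kernel32.dll\x00DebugActiveProcess\x00ContinueDebugEvent\x00"

if __name__ == "__main__":
    for name, buf in [("evasive", SAMPLE_EVASIVE), ("benign", SAMPLE_BENIGN),
                      ("no_dll", SAMPLE_NO_DLL), ("debugger", SAMPLE_DEBUGGER)]:
        print(f"{name:9s} match={anti_dbg_matches(buf)!s:5s} strings={sorted(find_strings(buf))}")
```

The debugger sample matching is the point of the exclusion scenarios: the rule identifies capability (imports of debug-related APIs), not intent, so triage has to look at the process and its parent.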