The Check Debugger rule flags PE files that import both IsDebuggerPresent and CheckRemoteDebuggerPresent from kernel32.dll. Calling both is a common anti-analysis technique: malware uses them to discover that it is running under a debugger and then changes behaviour or exits, which defeats sandbox detonation and manual analysis. The rule therefore identifies the binary that performs the check, not an adversary running a debugger. Because IsDebuggerPresent on its own appears in a great deal of benign software, and the pair still shows up in packed or commercially protected programs, treat a match as a triage signal to be combined with file prevalence, code signer and parent-process context rather than as a standalone alert. SOC teams can carry the hashes and paths of matching files into Azure Sentinel hunts to identify early signs of evasive malware or advanced persistent threats.
YARA Rule
import "pe"

rule Check_Debugger
{
    meta:
        Author = "Nick Hoffman"
        Description = "Looks for both IsDebuggerPresent and CheckRemoteDebuggerPresent"
        Sample = "de1af0e97e94859d372be7fcf3a5daa5"
    condition:
        pe.imports("kernel32.dll", "CheckRemoteDebuggerPresent") and
        pe.imports("kernel32.dll", "IsDebuggerPresent")
}

The rule uses the pe module, so the import "pe" statement is required; without it YARA refuses to compile the rule.
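The following is an added example and is not part of the original rule or Nick Hoffman's work: a stdlib-only Python reimplementation of what pe.imports inspects, run against a constructed minimal PE rather than a real sample. It walks the import directory the way the YARA pe module does and applies the rule's condition. The sample PEs, the build_pe helper and every function name below are this example's own. It also makes the rule's blind spots concrete: a binary that imports only IsDebuggerPresent (as much benign code does) does not match, and imports resolved by ordinal or at runtime via GetProcAddress never appear in the import table at all.

```python
import struct

KERNEL32 = "kernel32.dll"
ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}


def _cstr(data: bytes, off: int) -> str:
    """Read a NUL-terminated ASCII string at file offset `off`."""
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def pe_imports(data: bytes) -> set[tuple[str, str]]:
    """Walk a PE32/PE32+ import directory; ordinal imports come back as "#<n>" (no name to match)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                     # IMAGE_FILE_HEADER
    n_sections = struct.unpack_from("<H", data, fh + 2)[0]
    opt_size = struct.unpack_from("<H", data, fh + 16)[0]
    opt = fh + 20                                         # IMAGE_OPTIONAL_HEADER
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B
    data_dir = opt + (112 if is64 else 96)                # IMAGE_DATA_DIRECTORY[0]
    imp_rva, _ = struct.unpack_from("<II", data, data_dir + 8)  # entry 1 = import table
    if imp_rva == 0:
        return set()
    sections = []                                         # (VirtualAddress, size, PointerToRawData)
    for i in range(n_sections):
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rsize), rptr))

    def rva_to_off(rva: int) -> int:
        for va, size, rptr in sections:
            if va <= rva < va + size:
                return rptr + (rva - va)
        raise ValueError(f"RVA {rva:#x} not backed by any section")

    thunk_fmt, ordinal_flag, thunk_size = ("<Q", 1 << 63, 8) if is64 else ("<I", 1 << 31, 4)
    found = set()
    desc_off = rva_to_off(imp_rva)
    while True:                                           # IMAGE_IMPORT_DESCRIPTOR array, zero-terminated
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc_off)
        if name_rva == 0:
            break
        dll = _cstr(data, rva_to_off(name_rva))
        thunk_off = rva_to_off(oft or ft)                 # import name table, else the IAT
        while (entry := struct.unpack_from(thunk_fmt, data, thunk_off)[0]) != 0:
            if entry & ordinal_flag:
                found.add((dll, f"#{entry & 0xFFFF}"))
            else:                                         # IMAGE_IMPORT_BY_NAME: WORD hint, then name
                found.add((dll, _cstr(data, rva_to_off(entry) + 2)))
            thunk_off += thunk_size
        desc_off += 20
    return found


def check_debugger(data: bytes) -> bool:
    """The rule's condition: both APIs imported by name from kernel32.dll (DLL name case-insensitive)."""
    kernel32 = {fn for dll, fn in pe_imports(data) if dll.lower() == KERNEL32}
    return ANTI_DEBUG_APIS <= kernel32


def build_pe(imports: dict[str, list[str]]) -> bytes:
    """Constructed sample input (this example's own helper): a minimal PE32 whose one section
    holds only an import table. Not a runnable program; it lets the parser run offline."""
    sec_rva, sec_off = 0x1000, 0x200
    body = bytearray()

    def alloc(blob: bytes) -> int:                        # append to the section, return its RVA
        rva = sec_rva + len(body)
        body.extend(blob)
        return rva

    n = len(imports)
    desc_rva = alloc(b"\0" * 20 * (n + 1))                # descriptors + terminator, filled in below
    descs = b""
    for dll, funcs in imports.items():
        name_rva = alloc(dll.encode() + b"\0")
        names = [alloc(struct.pack("<H", 0) + f.encode() + b"\0") for f in funcs]
        thunks = alloc(b"".join(struct.pack("<I", r) for r in names) + b"\0\0\0\0")
        descs += struct.pack("<IIIII", thunks, 0, 0, name_rva, thunks)
    body[:20 * n] = descs
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section, PE32
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)       # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<II", opt, 56, 0x2000, sec_off)                # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, desc_rva, 20 * (n + 1))     # DataDirectory[1] = imports
    raw = (len(body) + 0x1FF) & ~0x1FF
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".idata", len(body), sec_rva, raw, sec_off, 0, 0, 0, 0, 0xC0000040)
    headers = dos + b"PE\0\0" + file_hdr + bytes(opt) + sec_hdr
    return headers.ljust(sec_off, b"\0") + bytes(body).ljust(raw, b"\0")


# Constructed samples, not real malware: one that matches the rule and one that does not.
SAMPLE_ANTI_DEBUG = build_pe({"KERNEL32.dll": ["IsDebuggerPresent", "CheckRemoteDebuggerPresent", "ExitProcess"]})
SAMPLE_BENIGN = build_pe({"KERNEL32.dll": ["IsDebuggerPresent", "ExitProcess"],   # single check: no match
                          "USER32.dll": ["MessageBoxA"]})
```

On a real file, pe_imports(open(path, "rb").read()) returns the same (dll, function) pairs, so check_debugger doubles as a quick triage check when no YARA engine is available. The parser deliberately reports ordinal imports as "#<n>" so that a reviewer can see which imports a name-based rule is blind to.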
The rule matches on a file's import table, so it fires on the executable that performs the anti-debug check rather than on debugger activity; the exclusions below are written as process-event filters for deployments that scan images as they execute. In every case, exclude by signed image path as well as by process name, since a name alone is trivially spoofed. Contexts that commonly produce benign matches:
Scenario: System Debugger Enabled for Troubleshooting
Description: A system administrator temporarily runs a Windows debugger (windbg.exe or cdb.exe from the Debugging Tools for Windows) to troubleshoot a critical application crash. Do not write this exclusion as process.name != "windbg.exe" OR (...): the first clause is already true for every other process, so that form suppresses the entire detection. An explorer.exe parent only says the program was launched interactively, which an attacker with a desktop session can do too, so scope the exclusion to the administrators' hosts and to the debugger's signed install path.
Filter/Exclusion: process.name == "windbg.exe" AND process.parent.name == "explorer.exe"
Scenario: Scheduled Job Using Debugging Tools
Description: A scheduled task runs a legitimate debugging tool (e.g., gdb, windbg) as part of a regular maintenance or log analysis process. A task-launched process has the Task Scheduler service host (svchost.exe, or taskeng.exe on older Windows) as its parent; schtasks.exe only creates and queries tasks and never appears as the parent, so a filter keyed on it would never match anything. Because svchost.exe parents many processes, pin the exclusion to the task's known image path as well.
Filter/Exclusion: (process.name == "gdb" OR process.name == "windbg.exe") AND process.parent.name == "svchost.exe"
Scenario: Admin Task Using Debugging for Patch Testing
Description: An administrator uses a debugger (e.g., x64dbg, OllyDbg) to test a software patch in a controlled environment. A cmd.exe or powershell.exe parent does not distinguish this from an attacker running the same tool from an interactive shell, so restrict the exclusion to the designated test hosts rather than applying it fleet-wide.
Filter/Exclusion: (process.name == "x64dbg.exe" AND process.parent.name == "cmd.exe") OR (process.name == "ollydbg.exe" AND process.parent.name == "powershell.exe")
Scenario: Security Tool or EDR Agent Using Debugging Capabilities
Description: A security tool (e.g., CrowdStrike Falcon, Microsoft Defender for Endpoint, formerly Defender ATP) uses internal debugging mechanisms to monitor system behavior. Malware routinely names itself after antivirus and EDR processes, so a name-only exclusion for a security agent is an easy blind spot: confirm each name against the vendor's published process inventory, and require the vendor's code-signing certificate and documented install path in addition to the name.
Filter/Exclusion: process.name == "mpsvc.exe" OR process.name == "cswrapper.exe" OR process.name == "MsMpEng.exe"
Scenario: Development Environment with Debugging Tools
Description: A developer’s workstation has debugging tools (e.g., gdb, Visual Studio Debugger) installed and used regularly for
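The exclusion logic from the scenarios above, as an added example that is not part of the original page: one candidate exclusion is written three ways and evaluated against constructed process events (not captured telemetry) to show how many events each form hides from the analyst. Field names follow the page's process.name / process.parent.name style; image.path and image.signer are assumed fields, and every event value is invented.

```python
# Constructed process events (not captured telemetry). image.path / image.signer are
# assumed fields; process.name / process.parent.name follow the page's filter syntax.
EVENTS = [
    {"id": 1, "process.name": "windbg.exe", "process.parent.name": "explorer.exe",
     "image.path": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe",
     "image.signer": "Microsoft Corporation"},                       # the admin's real debugger
    {"id": 2, "process.name": "windbg.exe", "process.parent.name": "explorer.exe",
     "image.path": r"C:\Users\Public\windbg.exe", "image.signer": None},  # malware renamed to look like one
    {"id": 3, "process.name": "invoice.exe", "process.parent.name": "explorer.exe",
     "image.path": r"C:\Users\alice\Downloads\invoice.exe", "image.signer": None},  # unrelated dropper
    {"id": 4, "process.name": "gdb", "process.parent.name": "svchost.exe",
     "image.path": r"C:\tools\gdb\gdb.exe", "image.signer": None},   # scheduled-task gdb
]


def over_broad(e: dict) -> bool:
    # "A != x OR (B AND A == x)": the first clause is already true for every process
    # that is not windbg.exe, so this form suppresses the whole detection.
    return e["process.name"] != "windbg.exe" or (
        e["process.parent.name"] == "explorer.exe" and e["process.name"] == "windbg.exe")


def name_only(e: dict) -> bool:
    # Correct precedence, but a process name is the attacker's to choose: the renamed dropper slips through.
    return e["process.name"] == "windbg.exe" and e["process.parent.name"] == "explorer.exe"


def pinned(e: dict) -> bool:
    # Name plus vendor signature plus the documented install path: only the real tool qualifies.
    return (e["process.name"] == "windbg.exe"
            and e["image.signer"] == "Microsoft Corporation"
            and e["image.path"].lower().startswith("c:\\program files (x86)\\windows kits\\"))


def suppressed(exclusion, events=EVENTS) -> list:
    """IDs of the events the exclusion would hide from the analyst."""
    return [e["id"] for e in events if exclusion(e)]


def report() -> dict:
    """Per-filter suppression, e.g. {'over_broad': [1, 2, 3, 4], 'name_only': [1, 2], 'pinned': [1]}."""
    return {f.__name__: suppressed(f) for f in (over_broad, name_only, pinned)}
```

Run report() to see the three results side by side. The over-broad form is the one to watch for in reviews: a != clause joined by OR to anything else is an exclusion for every process but one.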