The DebuggerCheck__DrWatson rule flags binaries that reference Dr. Watson, the legacy Windows postmortem debugger, a reference that anti-analysis code may carry when it tries to detect or sidestep a debugger at runtime, indicating possible runtime analysis evasion. The rule is a single-string heuristic with a weight of 1, so a hit is a triage lead rather than a verdict: confirm it against the process, its image path and its parent before escalating. SOC teams should proactively hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) to identify and mitigate advanced persistent threats that evade traditional detection mechanisms.
YARA Rule
rule DebuggerCheck__DrWatson : AntiDebug DebuggerCheck {
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        // Anonymous string: a plain, case-sensitive ASCII match on the Dr. Watson invocation name.
        $ = "__invoke__watson"
    condition:
        // With a single string this is simply "the string is present"; no offset or count check.
        any of them
}
This YARA rule can be deployed in the following contexts. YARA itself only matches file or memory content, so the exclusions below are applied by the scanner or EDR that runs the rule, and they should key on full, normalised image paths rather than on bare file names or command-line switches, both of which an adversary controls.
Scenario: Dr. Watson (DrWatson) is used for crash dump analysis on Windows XP and Windows Server 2003 hosts, where it was the default postmortem debugger.
Filter/Exclusion: Exclude processes whose executable path is exactly C:\Windows\System32\drwtsn32.exe or whose parent process is C:\Windows\System32\drwtsn32.exe. Dr. Watson was removed in Windows Vista in favour of Windows Error Reporting, so on later systems this exclusion should match nothing, and a drwtsn32.exe that does appear there deserves a look of its own.
Scenario: A Microsoft console debugger (ntsd.exe, shipped alongside WinDbg in Debugging Tools for Windows) is used by developers or support teams for troubleshooting application crashes.
Filter/Exclusion: Exclude processes whose parent process is C:\Windows\System32\ntsd.exe. Do not use the -c switch as a discriminator: in ntsd, cdb and WinDbg, -c supplies an initial debugger command rather than a crash-dump option, and any process can place it on its own command line.
Scenario: A scheduled task runs a diagnostic tool that temporarily loads DrWatson for crash analysis.
Filter/Exclusion: Exclude processes whose image is C:\Windows\System32\drwtsn32.exe and whose launch is attributable to a Task Scheduler task with a known task name or ID; an unknown task launching the same image is a finding, not an exclusion.
Scenario: A system update or patching tool uses DrWatson to capture crash dumps during installation.
Filter/Exclusion: Exclude processes whose executable path is C:\Windows\System32\setup.exe or C:\Windows\System32\wusa.exe.
Scenario: A diagnostic tool such as Microsoft's Application Verifier uses DrWatson for crash reporting.
Filter/Exclusion: Exclude processes whose executable path is C:\Windows\System32\verifier.exe (note that verifier.exe is the Driver Verifier command-line tool; the Application Verifier front end is appverif.exe). A -v switch on the command line is not a safe discriminator on its own; key the exclusion on the image path.