DebuggerCheck GlobalFlags

Hunt Hypothesis

The DebuggerCheck GlobalFlags rule detects potential attempts by adversaries to modify or bypass debugger detection mechanisms by altering global flags, which may indicate evasion of security controls. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential advanced persistent threats that are actively avoiding detection and persistence mechanisms.

YARA Rule

rule DebuggerCheck__GlobalFlags : AntiDebug DebuggerCheck {
	meta:
		weight = 1
		Author = "naxonez"
		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
	strings:
		$ ="NtGlobalFlags"
	condition:
		any of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

References

• https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
• Source Rule

False Positive Guidance

• Scenario: System Debugger Enabled for Troubleshooting
  Description: A system administrator enables the debugger for troubleshooting a critical application crash.
  Filter/Exclusion: process.name != "debugger.exe" AND process.name != "cdb.exe" AND process.name != "windbg.exe"

• Scenario: Scheduled Job Using Debugging Tools for Log Analysis
  Description: A scheduled job runs a script using a debugger to analyze log files for error patterns.
  Filter/Exclusion: process.name != "ProcMon.exe" AND process.name != "x64dbg.exe" AND process.name != "ollydbg.exe"

• Scenario: Windows Update or Patching Process
  Description: The Windows Update service or a patching tool temporarily uses debugging flags during installation.
  Filter/Exclusion: process.name == "svchost.exe" OR process.name == "wuauserv.exe" OR process.name == "setup.exe"

• Scenario: Antivirus or Endpoint Protection Debugging
  Description: An endpoint protection tool uses debugging flags for internal diagnostics or signature loading.
  Filter/Exclusion: process.name == "mpsvc.exe" OR process.name == "mpengine.exe" OR process.name == "avastui.exe"

• Scenario: Development Environment with Debugging Enabled
  Description: A developer’s environment (e.g., Visual Studio) runs with debugging flags enabled for local testing.
  Filter/Exclusion: process.name == "devenv.exe" OR process.name == "VisualStudio.exe" OR process.name == "vsdebugger.exe"