Adversaries may check their own process's memory working set size to detect a debugger: the sample calls GetProcessMemoryInfo (exported by kernel32.dll as K32GetProcessMemoryInfo) on the handle returned by GetCurrentProcess and compares the reported WorkingSetSize against a threshold chosen for the undebugged binary. The trick relies on the observation that a process running under a debugger usually has a larger working set than the same process run normally; when the value exceeds the threshold, the sample assumes it is being analysed and changes its behaviour. Because the check reads a documented counter through ordinary API calls, it leaves no obvious trace beyond the imports themselves, so SOC teams can hunt for unknown executables that import both functions (for example by ingesting YARA scan results into Azure Sentinel) to surface this anti-debugging tactic.
YARA Rule
import "pe"   // the rule uses the pe module; without this line the rule does not compile

rule DebuggerCheck__MemoryWorkingSet : AntiDebug DebuggerCheck {
    meta:
        author = "Fernando Mercês"
        date = "2015-06"
        description = "Anti-debug process memory working set size check"
        reference = "http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/"
    condition:
        // K32GetProcessMemoryInfo is the kernel32.dll export; a binary that imports
        // the documented name GetProcessMemoryInfo from psapi.dll, or resolves the
        // function at runtime with GetProcAddress, is not matched by this rule
        pe.imports("kernel32.dll", "K32GetProcessMemoryInfo") and
        pe.imports("kernel32.dll", "GetCurrentProcess")
}
Tuning notes: the rule is a static check on the import table. It fires on any PE that imports both K32GetProcessMemoryInfo and GetCurrentProcess from kernel32.dll, whether or not the program ever compares its working set against a threshold, and a process's memory usage at scan time has no bearing on the match. Legitimate software that reports on process memory (monitoring, developer, backup and antivirus tooling) may therefore match, so hits need tuning rather than the rule being discarded. Before adopting any of the exclusions below, confirm that the matched file is the vendor's signed binary in its expected install path, and prefer excluding by signer and full path over ImageFileName substrings: the file name is chosen by whoever dropped the file, and an attacker can call a sample backup.exe or procexp.exe for free.
Scenario: A system administrator keeps Process Explorer, which itself reads per-process memory counters, on a workstation.
Filter/Exclusion: Exclude the signed Sysinternals binary by its path, rather than every ImageFileName containing "ProcessExplorer" or "procexp".
Scenario: Windows Update or Group Policy client components match the rule.
Filter/Exclusion: Exclude Microsoft-signed binaries under %SystemRoot% by path, rather than ImageFileName containing "wuau" or "gpol" (e.g., wuauclt.exe).
Scenario: A backup agent (e.g., Veeam Backup & Replication) matches the rule.
Filter/Exclusion: Exclude the vendor-signed binaries under the product's install directory, rather than ImageFileName containing "Veeam" or "backup".
Scenario: A developer workstation with Visual Studio installed matches the rule.
Filter/Exclusion: Exclude the Microsoft-signed devenv.exe by its install path, rather than ImageFileName containing "devenv" or "VisualStudio".
Scenario: The Windows Defender engine process matches the rule.
Filter/Exclusion: Exclude the Microsoft-signed MsMpEng.exe by its install path, rather than ImageFileName containing "WindowsDefender" or "MsMpEng".
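The following is an added example, not code from the original page or from the Yara-Rules project. It mirrors the rule's condition over a parsed import table (showing that the documented psapi.dll name is not matched) and contrasts the page's image-name substring exclusions with an allow-list keyed on install directory and signer. The hits, signer strings and allow-list entries are constructed for illustration.

```python
"""Triage helpers for hits on DebuggerCheck__MemoryWorkingSet (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Callable, Optional

RULE = "DebuggerCheck__MemoryWorkingSet"


def rule_condition(imports: dict[str, set[str]]) -> bool:
    """Python equivalent of the YARA condition.

    The DLL name is compared case-insensitively and the function names exactly,
    so a binary that imports the documented GetProcessMemoryInfo from psapi.dll
    (or resolves it at runtime) is not matched, even though it runs the same check.
    """
    kernel32_imports = {fn for dll, fns in imports.items()
                        if dll.lower() == "kernel32.dll" for fn in fns}
    return {"K32GetProcessMemoryInfo", "GetCurrentProcess"} <= kernel32_imports


@dataclass
class Hit:
    path: str                 # file that matched the rule
    signer: Optional[str]     # Authenticode signer reported by the scanner; None if unsigned
    imports: dict[str, set[str]] = field(default_factory=dict)


# Constructed hits: two legitimate tools that query process memory counters, and two
# unsigned files an attacker named to resemble them. Signer strings are illustrative.
SAMPLE_HITS = [
    Hit(r"C:\Program Files\Veeam\Backup\Veeam.Backup.Service.exe", "Veeam Software Group GmbH",
        {"kernel32.dll": {"K32GetProcessMemoryInfo", "GetCurrentProcess", "CreateFileW"}}),
    Hit(r"C:\Users\alice\AppData\Local\Temp\backup_agent.exe", None,
        {"kernel32.dll": {"K32GetProcessMemoryInfo", "GetCurrentProcess", "IsDebuggerPresent"}}),
    Hit(r"C:\Tools\Sysinternals\procexp64.exe", "Microsoft Corporation",
        {"kernel32.dll": {"K32GetProcessMemoryInfo", "GetCurrentProcess"}}),
    Hit(r"C:\Users\bob\Downloads\procexp.exe", None,
        {"kernel32.dll": {"K32GetProcessMemoryInfo", "GetCurrentProcess"}}),
]

# The page's style of exclusion: substrings of the image name.
NAME_NEEDLES = ("Veeam", "backup", "procexp")

# Stronger exclusion: install directory AND signer. Neither is under the attacker's
# control on a hardened host (writing the directory needs admin, signing needs the key).
ALLOWLIST = {
    r"C:\Program Files\Veeam\Backup": "Veeam Software Group GmbH",
    r"C:\Tools\Sysinternals": "Microsoft Corporation",
}


def excluded_by_name_substring(hit: Hit, needles: tuple[str, ...]) -> bool:
    """True if the image name contains any needle. The attacker picks the name."""
    name = PureWindowsPath(hit.path).name.lower()
    return any(n.lower() in name for n in needles)


def allowlisted(hit: Hit, allow: dict[str, str]) -> bool:
    """True if the file sits under an allow-listed directory and carries the expected signer."""
    path = PureWindowsPath(hit.path)
    return any(hit.signer == signer and PureWindowsPath(directory) in path.parents
               for directory, signer in allow.items())


def hits_to_review(hits: list[Hit], exclude: Callable[[Hit], bool]) -> list[str]:
    """Basenames of hits that still need an analyst after applying `exclude`."""
    return [PureWindowsPath(h.path).name for h in hits if not exclude(h)]


if __name__ == "__main__":
    print("documented psapi.dll import matched by rule:",
          rule_condition({"psapi.dll": {"GetProcessMemoryInfo"},
                          "kernel32.dll": {"GetCurrentProcess"}}))
    print("left after substring exclusions:",
          hits_to_review(SAMPLE_HITS, lambda h: excluded_by_name_substring(h, NAME_NEEDLES)))
    print("left after path+signer allow-list:",
          hits_to_review(SAMPLE_HITS, lambda h: allowlisted(h, ALLOWLIST)))
```

With the substring exclusions every hit is suppressed, including the two unsigned look-alikes in user-writable directories; with the path-and-signer allow-list only the vendor binaries drop out and the two suspicious files remain in the queue.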