The DebuggerCheck PEB rule detects potential adversary attempts to check for debugger presence by inspecting the Process Environment Block, which may indicate evasion techniques used to avoid detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage persistence or evasion tactics that could signal a more advanced threat.
YARA Rule

    rule DebuggerCheck__PEB : AntiDebug DebuggerCheck {
        meta:
            weight = 1
            Author = "naxonez"
            reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
        strings:
            $ = "IsDebugged"
        condition:
            any of them
    }
The following benign scenarios can trigger this rule when it is deployed; each is paired with a suggested filter or exclusion to reduce false positives:
Scenario: A system administrator is using Process Explorer to inspect the PEB of a legitimate process for troubleshooting.
Filter/Exclusion: Exclude processes where the parent process is explorer.exe or taskmgr.exe and the process name is a known system tool.
Scenario: A scheduled job runs a script that temporarily attaches a debugger (e.g., GDB) to a process for memory analysis.
Filter/Exclusion: Exclude processes where the process name matches a known scheduled task or where the parent process is a system service like schtasks.exe.
Scenario: A security tool such as ProcMon or Wireshark is running and interacting with the PEB for monitoring purposes.
Filter/Exclusion: Exclude processes with names like procmon.exe, ProcMon.exe, or Wireshark.exe and where the process is known to be part of the security toolset.
Scenario: A Windows Update or Group Policy client service is running and temporarily modifies the PEB during configuration.
Filter/Exclusion: Exclude processes where the process name is svchost.exe and the service name is wuauserv or gpsvc.
Scenario: A developer is using Visual Studio or WinDbg to debug a local application during development.
Filter/Exclusion: Exclude processes where the parent process is devenv.exe or dbgcore.exe and the process is associated with a known development environment.
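As an added example (not part of the original rule or this page), the following Python script emulates the rule's single-string match and applies the exclusion table from the scenarios above to triage hits. The ProcessEvent type, its fields and the sample events are constructed for illustration, and the parent-process conditions are simplified to a name lookup.

```python
import re
from dataclasses import dataclass

# The rule's single, anonymous string. YARA text strings are case-sensitive
# ASCII unless given the `nocase`/`wide` modifiers, so "isdebugged" or a
# UTF-16 copy of the word would not fire this rule.
RULE_STRINGS = {"$": b"IsDebugged"}

# Exclusion table built from the five scenarios on this page; image names are
# compared case-insensitively because Windows image names are.
BENIGN_PARENTS = {"explorer.exe", "taskmgr.exe", "devenv.exe", "dbgcore.exe", "schtasks.exe"}
BENIGN_TOOLS = {"procmon.exe", "wireshark.exe"}
BENIGN_SVCHOST_SERVICES = {"wuauserv", "gpsvc"}

@dataclass
class ProcessEvent:          # hypothetical event shape, assumed for this example
    image: str               # process image name, e.g. "sample.exe"
    parent: str              # parent process image name
    memory: bytes            # bytes the rule is run over (file or memory region)
    service: str = ""        # hosted service name, only meaningful for svchost.exe

def rule_matches(data: bytes) -> list[tuple[str, int]]:
    """Emulate `any of them`: return (identifier, offset) for every string hit."""
    hits = []
    for ident, pattern in RULE_STRINGS.items():
        hits.extend((ident, m.start()) for m in re.finditer(re.escape(pattern), data))
    return hits

def is_excluded(ev: ProcessEvent) -> bool:
    """Apply the page's filter/exclusion list to a process that matched."""
    image, parent = ev.image.lower(), ev.parent.lower()
    if image in BENIGN_TOOLS:
        return True
    if image == "svchost.exe" and ev.service.lower() in BENIGN_SVCHOST_SERVICES:
        return True
    return parent in BENIGN_PARENTS

def triage(ev: ProcessEvent) -> str:
    """Return 'no_match', 'excluded' or 'alert' for one process event."""
    if not rule_matches(ev.memory):
        return "no_match"
    return "excluded" if is_excluded(ev) else "alert"

# Constructed sample events, not real samples.
EVENTS = [
    ProcessEvent("sample.exe", "cmd.exe", b"\x00\x00IsDebugged\x00exit"),
    ProcessEvent("app.exe", "devenv.exe", b"debug build IsDebugged"),
    ProcessEvent("svchost.exe", "services.exe", b"IsDebugged", service="wuauserv"),
    ProcessEvent("notes.exe", "cmd.exe", b"isdebugged"),  # wrong case: no match
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(f"{ev.image:12} {triage(ev)}")
```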