The DebuggerCheck__QueryInfo rule flags files that contain the string QueryInformationProcess, a substring of the native API name NtQueryInformationProcess (and its Zw alias). Malware calls that API with information classes such as ProcessDebugPort, ProcessDebugObjectHandle and ProcessDebugFlags to find out whether it is running under a debugger, then exits or changes its behaviour to frustrate dynamic analysis. The string is therefore a useful anti-analysis indicator, but a weak one on its own (the rule carries weight = 1): debuggers, process monitors and endpoint security agents reference the same API. SOC teams should treat a match as a hunting lead, correlating the file or process in Azure Sentinel (or another SIEM) with process, network and persistence telemetry before concluding that it indicates a deeper compromise.
YARA Rule
rule DebuggerCheck__QueryInfo : AntiDebug DebuggerCheck {
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        $ = "QueryInformationProcess"
    condition:
        any of them
}
The string is matched as plain ASCII and case-sensitively (the rule uses neither the wide nor the nocase modifier), so it catches the API name in a PE import table or in any ASCII copy of the string, but not a UTF-16 copy and not a sample that resolves the API by hash or builds the name at runtime. Because the same import is common in legitimate software, the rule needs tuning when it is run against files or process memory at scale. Typical exclusion scenarios:
Scenario: System administrators using Process Explorer to monitor processes
Filter/Exclusion: Allowlist the Process Explorer images (procexp.exe, procexp64.exe), keyed on their path and signature or hash rather than on the bare file name, which malware can reuse.
Scenario: Scheduled job running a diagnostic script that P/Invokes NtQueryInformationProcess (so the script text contains the string)
Filter/Exclusion: Exclude powershell.exe invocations whose command line (-Command or -File) points to a known diagnostic script, identified by path and hash, and the scheduled task that launches it.
Scenario: Antivirus or endpoint protection tools performing system checks
Filter/Exclusion: Exclude the vendor's signed agent binaries from the product's install directory. A match on a bare name such as avg.exe, mcafee.exe or bitdefender.exe is easy to spoof, so key the exclusion on signer or hash.
Scenario: Windows Task Scheduler running a legitimate system maintenance task
Filter/Exclusion: The hit will be on the task's action binary, not on schtasks.exe or taskhost.exe themselves; exclude that binary by path and hash, tied to the known scheduled task name.
Scenario: Database administrators querying system information for performance tuning
Filter/Exclusion: Exclude sqlservr.exe and sqlcmd.exe by install path and signature, associated with a known database maintenance task.
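The following is an added example, not code from the original page or from naxonez's rule set. It re-implements in pure Python what the rule's single string matches (ASCII, case-sensitive, optionally the UTF-16 form that a wide modifier would add), runs it over constructed sample buffers, and then applies a file-name allowlist in the spirit of the Process Explorer exclusion above. All paths, buffers and the allowlist are invented for the demonstration; it does not call the yara library, so it runs anywhere.

```python
"""Added example, not from the original page or naxonez's rule set: a pure-Python
stand-in for what DebuggerCheck__QueryInfo matches, run over constructed sample
buffers, followed by an image-name allowlist like the exclusion scenarios above.
The file paths, buffers and allowlist are all made up for the demonstration."""
import re
from dataclasses import dataclass

# The rule's single pattern. A bare YARA text string is ASCII and case-sensitive.
PATTERN = "QueryInformationProcess"


def yara_text_string_matches(data: bytes, text: str, wide: bool = False) -> bool:
    """Mimic YARA text-string matching: plain ASCII bytes, and optionally the
    UTF-16LE form the 'wide' modifier would add (equivalent to 'ascii wide')."""
    needles = [text.encode("ascii")]
    if wide:
        needles.append(text.encode("utf-16-le"))
    return any(re.search(re.escape(needle), data) for needle in needles)


@dataclass
class Hit:
    path: str
    wide_only: bool  # True when only the UTF-16 form of the string was present


def scan(samples: dict, wide: bool = False) -> list:
    """Apply the rule to each buffer. wide=False is the rule exactly as published."""
    hits = []
    for path, data in samples.items():
        ascii_hit = yara_text_string_matches(data, PATTERN)
        wide_hit = yara_text_string_matches(data, PATTERN, wide=True)
        if ascii_hit or (wide and wide_hit):
            hits.append(Hit(path, wide_only=not ascii_hit))
    return hits


def image_name(path: str) -> str:
    """Basename of a Windows or POSIX path, lower-cased for comparison."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(hits: list, allowlist: set) -> list:
    """Drop hits whose image name is on the known-tool allowlist (the exclusion step).
    A name-only allowlist is spoofable; in production key it on signer or hash."""
    return [h for h in hits if image_name(h.path) not in allowlist]


# Constructed sample buffers standing in for file contents (not real binaries).
SAMPLES = {
    # NUL-terminated ASCII name, the way an import-name entry appears in a PE import table
    r"C:\Users\alice\Downloads\dropper.exe": b"\x00\x00NtQueryInformationProcess\x00LoadLibraryA\x00",
    # Same API name stored as UTF-16 (e.g. for runtime resolution); the published rule misses it
    r"C:\Users\alice\Downloads\stage2.exe": "NtQueryInformationProcess".encode("utf-16-le"),
    # Process Explorer legitimately references the same API
    r"C:\Tools\procexp64.exe": b"NtQueryInformationProcess\x00NtQuerySystemInformation\x00",
    # Unrelated binary
    r"C:\Windows\System32\notepad.exe": b"CreateFileW\x00WriteFile\x00",
}

# Hypothetical allowlist for the Process Explorer scenario.
KNOWN_TOOL_IMAGES = {"procexp.exe", "procexp64.exe"}

if __name__ == "__main__":
    for hit in triage(scan(SAMPLES), KNOWN_TOOL_IMAGES):
        print("ALERT", hit.path)
    for hit in scan(SAMPLES, wide=True):
        if hit.wide_only:
            print("missed by the published rule (needs 'wide'):", hit.path)
```

Run as written, the published-rule scan hits dropper.exe and procexp64.exe, the allowlist removes procexp64.exe, and the wide pass shows stage2.exe as a sample the rule would only catch if its string were declared `ascii wide`. The lower-cased buffer check in the test illustrates the case-sensitivity caveat.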