DebuggerException ConsoleCtrl

Hunt Hypothesis

The DebuggerException ConsoleCtrl rule detects potential attempts by adversaries to bypass debugging mechanisms and suppress console control signals, which could indicate evasion of forensic analysis or process injection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential persistence or evasion tactics that may go undetected by standard monitoring tools.

YARA Rule

rule DebuggerException__ConsoleCtrl : AntiDebug DebuggerException {
	meta:
		weight = 1
		Author = "naxonez"
		reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
	strings:
		$ ="GenerateConsoleCtrlEvent"
	condition:
		any of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

References

• https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
• Source Rule

False Positive Guidance

• Scenario: Legitimate Debugging Session
  Description: A developer is using Visual Studio or GDB to debug a critical application.
  Filter/Exclusion: Exclude processes where the executable is a known debugger (e.g., devenv.exe, gdb.exe) or where the parent process is a development tool.

• Scenario: Scheduled System Maintenance Task
  Description: A Windows Task Scheduler job is running a script that temporarily triggers a console control event (e.g., taskkill or shutdown command).
  Filter/Exclusion: Exclude events where the process is associated with the Task Scheduler service (svchost.exe or taskschd.exe) or where the command line includes known maintenance commands.

• Scenario: Admin Using Ctrl+C/V in Console
  Description: An administrator is using Command Prompt or PowerShell to manually control a running process (e.g., using Ctrl+C to stop a process).
  Filter/Exclusion: Exclude events where the process is a terminal emulator (e.g., cmd.exe, powershell.exe) and the parent process is a legitimate admin tool.

• Scenario: Log Collection Tool Generating Console Events
  Description: A log collection tool like Splunk Universal Forwarder or Fluentd is interacting with the console to manage log streams.
  Filter/Exclusion: Exclude processes where the executable is a known log collector (e.g., splunkforwarder.exe, fluentd.exe) or where the event is related to log configuration changes.

• Scenario: Automated Script Triggering Console Ctrl Events
  Description: A PowerShell script or batch file is designed to handle console signals (e.g., Stop-Process or exit).
  *Filter/Ex