The DebuggerException SetConsoleCtrl rule detects potential adversary attempts to evade debuggers by intercepting console control signals: a process that installs its own console control handler can tell whether a control event (such as Ctrl+C) reached that handler or was taken first by an attached debugger, which is a classic sign of a sample resisting debugging and analysis tools. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential malware that actively resists forensic analysis, along with any persistence mechanisms it uses.
YARA Rule

    rule DebuggerException__SetConsoleCtrl : AntiDebug DebuggerException {
        meta:
            weight = 1
            Author = "naxonez"
            reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
        strings:
            // anonymous ASCII string: the API used to install a console control handler
            $ = "SetConsoleCtrlHandler"
        condition:
            any of them
    }
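To show what the rule actually evaluates, and why its single ASCII string is both noisy (many benign console tools import SetConsoleCtrlHandler) and incomplete (a UTF-16 copy of the name is missed), here is an added Python example that is not part of the original rule set. It reproduces the rule's logic in pure Python and, as a generalization, a tightened variant that also requires an API able to raise the control event; the sample import-name fragments are constructed, not taken from real binaries.

```python
"""Evaluate the DebuggerException__SetConsoleCtrl YARA rule in pure Python,
plus a tightened variant that needs the second half of the anti-debug trick.
All sample buffers below are constructed for this example."""

# Names the original rule and the tightened variant look for.
HANDLER_API = b"SetConsoleCtrlHandler"
RAISE_APIS = (b"GenerateConsoleCtrlEvent", b"RaiseException")

def _ascii_and_wide(name: bytes) -> list[bytes]:
    """ASCII form (what the YARA rule matches) plus UTF-16LE, as a `wide` modifier would add."""
    return [name, name.decode().encode("utf-16-le")]

def original_rule(data: bytes) -> bool:
    """Same logic as the YARA rule: any occurrence of the ASCII API name."""
    return HANDLER_API in data

def tightened_rule(data: bytes) -> bool:
    """Alert only when the handler API co-occurs with an API that can raise the
    control event, in either encoding; the debugger check needs both halves."""
    has_handler = any(v in data for v in _ascii_and_wide(HANDLER_API))
    has_raiser = any(v in data for n in RAISE_APIS for v in _ascii_and_wide(n))
    return has_handler and has_raiser

# Constructed import-name fragments, NUL-separated like a PE hint/name table.
BENIGN_CONSOLE_TOOL = b"\x00".join(
    [b"GetStdHandle", b"WriteConsoleW", b"SetConsoleCtrlHandler", b"ExitProcess"])
SUSPECT_SAMPLE = b"\x00".join(
    [b"SetConsoleCtrlHandler", b"GenerateConsoleCtrlEvent", b"IsDebuggerPresent"])
# Same names stored as UTF-16LE; the ASCII-only rule cannot see these.
WIDE_SUSPECT = SUSPECT_SAMPLE.decode().encode("utf-16-le")

def triage(samples: dict[str, bytes]) -> dict[str, tuple[bool, bool]]:
    """Return {name: (original_hit, tightened_hit)} for each sample."""
    return {n: (original_rule(d), tightened_rule(d)) for n, d in samples.items()}

if __name__ == "__main__":
    results = triage({"benign_console_tool": BENIGN_CONSOLE_TOOL,
                      "suspect_ascii": SUSPECT_SAMPLE,
                      "suspect_wide": WIDE_SUSPECT})
    for name, (orig, tight) in results.items():
        print(f"{name:22s} original={orig!s:5s} tightened={tight}")
```

Running it shows the original rule firing on the benign tool and missing the wide sample, while the tightened variant hits only the two suspect buffers.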
When this YARA rule is deployed, the following benign scenarios can trigger it; each is paired with a suggested filter or exclusion to reduce false positives:
Scenario: A system administrator is using Process Explorer or Process Hacker to debug a problematic service during routine maintenance.
Filter/Exclusion: Exclude processes where the parent process is a known administrative tool (e.g., taskmgr.exe, explorer.exe, or services.exe).
Scenario: A scheduled job runs a script that temporarily attaches a debugger (e.g., GDB or WinDbg) to a service for diagnostic purposes.
Filter/Exclusion: Exclude processes associated with scheduled tasks (e.g., schtasks.exe or at.exe) or where the process name matches a known diagnostic tool.
Scenario: A developer is using Visual Studio with Debug Diagnostic Tools to analyze a crash dump of an application.
Filter/Exclusion: Exclude processes where the parent process is devenv.exe or where the process name matches a known development tool.
Scenario: A Windows Update or Group Policy client service is being debugged by a third-party monitoring tool during a system update.
Filter/Exclusion: Exclude processes where the process name is wuauclt.exe, gupdate.exe, or gpupdate.exe.
Scenario: A Windows Debugger (e.g., WinDbg) is used by a security team to analyze a suspicious process in a sandboxed environment.
Filter/Exclusion: Exclude processes running in a sandboxed environment (e.g., vmtoolsd.exe, qemu, or sandboxed_process.exe) or where the parent process is a known security tool.