Adversaries may use debugger hiding techniques to evade analysis and detection, for example by attaching to their own process (or a child process) as a debugger so that no other debugger can attach. The rule below looks for the import name DebugActiveProcess, the Windows API that performs that attach. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify defense evasion early in the attack lifecycle. Because the same API is used by legitimate debuggers and diagnostic tools, a hit is a weak signal (the rule carries weight = 1) and should be combined with process context such as parent process, user and image path rather than alerted on alone.
YARA Rule
rule DebuggerHiding__Active : AntiDebug DebuggerHiding {
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        $ = "DebugActiveProcess"
    condition:
        any of them
}
The following benign scenarios are likely to match this rule; each is paired with a filter or exclusion that reduces false positives without suppressing the detection entirely:
Scenario: A system administrator is using Process Explorer to debug a problematic service.
Filter/Exclusion: Check for the Process Explorer binaries (procexp.exe or procexp64.exe) in the process tree, or filter out processes started by the admin account with known debugging tools.
Scenario: A scheduled job is running a GDB (GNU Debugger) script to analyze a crash dump for a production application.
Filter/Exclusion: Exclude processes whose command line invokes gdb on a core file (for example gdb --batch -c <corefile> <binary>), or filter by the job name in the task scheduler.
Scenario: A developer is using Visual Studio with the debugger attached to a local application during development.
Filter/Exclusion: Filter out processes whose parent is devenv.exe (the Visual Studio IDE process) or that match the developer's user account and machine name.
Scenario: A security tool like ProcMon (Process Monitor) is being used to monitor file system activity during an investigation.
Filter/Exclusion: Exclude processes with procmon.exe or procmon64.exe as the image name, or filter by the user account used for monitoring.
Scenario: A system update or patching component (wuauclt.exe, or svchost.exe hosting the Windows Update service) matches the rule during installation.
Filter/Exclusion: Exclude only the Microsoft-signed binaries at their expected paths (%SystemRoot%\System32\wuauclt.exe and %SystemRoot%\System32\svchost.exe) running under the System account during scheduled update windows. Do not exclude every svchost.exe running as SYSTEM: that name and account are a common choice for masquerading and injection, and a blanket exclusion would hide exactly the samples this rule is meant to surface.
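The following is an added example, not code from the original page or from the naxonez rule set. It emulates the rule's single-string match in plain Python (no yara-python dependency) and applies the exclusions from the scenarios above to a set of constructed process events, so the effect of each filter can be seen end to end. The event record fields, the admin account name, the file paths and the stand-in "image bytes" are all assumptions constructed for this example; real scans would run over the bytes of the image on disk. It also shows two edge cases a practitioner should know: the rule's plain string does not match a UTF-16 copy of the name (no wide modifier), and an svchost.exe outside System32 is still flagged even when it runs as SYSTEM.

```python
import re
from dataclasses import dataclass

# The rule's only string. YARA matches a plain "..." string as case-sensitive
# ASCII bytes; without the `wide` modifier a UTF-16 copy of the name is not hit.
RULE_STRINGS = {"DebuggerHiding__Active": [b"DebugActiveProcess"]}


def yara_like_match(data, rule_strings=RULE_STRINGS):
    """Return the names of rules whose condition ('any of them') holds for data."""
    return [name for name, strs in rule_strings.items()
            if any(s in data for s in strs)]


@dataclass
class ProcessEvent:
    image: str          # full path of the process image
    parent: str         # full path of the parent image
    user: str           # account the process runs as
    cmdline: str
    image_bytes: bytes  # bytes of the image on disk (constructed below)


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Exclusions mirroring the benign scenarios; each returns True to suppress a hit.
# Tool names are the real on-disk names (Sysinternals procexp*/procmon*, Visual
# Studio's devenv.exe); the admin account set is an assumption for this example.
ADMIN_DEBUG_ACCOUNTS = {"corp\\admin.jsmith"}
DEBUG_TOOLS = {"procexp.exe", "procexp64.exe"}
MONITOR_TOOLS = {"procmon.exe", "procmon64.exe"}
GDB_CORE_RE = re.compile(r"\bgdb\b.*\s(-c|--core)[= ]")
UPDATE_IMAGES = {r"c:\windows\system32\wuauclt.exe",
                 r"c:\windows\system32\svchost.exe"}

EXCLUSIONS = [
    lambda e: _basename(e.image) in DEBUG_TOOLS
              and e.user.lower() in ADMIN_DEBUG_ACCOUNTS,
    lambda e: bool(GDB_CORE_RE.search(e.cmdline)),
    lambda e: _basename(e.parent) == "devenv.exe",
    lambda e: _basename(e.image) in MONITOR_TOOLS,
    # Only the update components at their real path, running as SYSTEM: a bare
    # "svchost.exe as SYSTEM" exclusion would also hide masquerading copies.
    lambda e: e.image.lower() in UPDATE_IMAGES
              and e.user.upper() == "NT AUTHORITY\\SYSTEM",
]


def hunt(events):
    """Return [(image, [rule names])] for events that match and are not excluded."""
    findings = []
    for ev in events:
        rules = yara_like_match(ev.image_bytes)
        if rules and not any(excl(ev) for excl in EXCLUSIONS):
            findings.append((ev.image, rules))
    return findings


# Constructed stand-ins for PE files: a fake import-name table is enough for a
# string match. (The gdb event reuses the same bytes purely to exercise its filter.)
IMPORTS_ASCII = b"MZ\x90\x00KERNEL32.dll\x00DebugActiveProcess\x00IsDebuggerPresent\x00"
IMPORTS_WIDE = b"MZ\x90\x00" + "DebugActiveProcess".encode("utf-16-le")
NO_IMPORT = b"MZ\x90\x00KERNEL32.dll\x00CreateFileW\x00"

VS_IDE = r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\bob\AppData\Local\Temp\update.exe", r"C:\Windows\explorer.exe",
                 r"CORP\bob", "update.exe /s", IMPORTS_ASCII),                     # flagged
    ProcessEvent(r"C:\Windows\Temp\svchost.exe", r"C:\Users\bob\x.exe",
                 r"NT AUTHORITY\SYSTEM", "svchost.exe -k netsvcs", IMPORTS_ASCII),  # wrong path: flagged
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
                 r"NT AUTHORITY\SYSTEM", "svchost.exe -k netsvcs -p", IMPORTS_ASCII),  # excluded
    ProcessEvent(r"C:\src\app\bin\Debug\app.exe", VS_IDE,
                 r"CORP\dev1", "app.exe", IMPORTS_ASCII),                           # excluded: VS parent
    ProcessEvent(r"C:\Tools\procexp64.exe", r"C:\Windows\explorer.exe",
                 r"CORP\admin.jsmith", "procexp64.exe", IMPORTS_ASCII),             # excluded: admin
    ProcessEvent(r"C:\Tools\procexp64.exe", r"C:\Windows\explorer.exe",
                 r"CORP\bob", "procexp64.exe", IMPORTS_ASCII),                      # non-admin: flagged
    ProcessEvent("/usr/bin/gdb", "/usr/sbin/cron", "root",
                 "gdb --batch -c /var/crash/core.1234 /opt/app/bin/app", IMPORTS_ASCII),  # excluded
    ProcessEvent(r"C:\Users\bob\wide.exe", r"C:\Windows\explorer.exe",
                 r"CORP\bob", "wide.exe", IMPORTS_WIDE),                            # no match (UTF-16)
    ProcessEvent(r"C:\Windows\notepad.exe", r"C:\Windows\explorer.exe",
                 r"CORP\bob", "notepad.exe", NO_IMPORT),                            # no match
]

if __name__ == "__main__":
    for image, rules in hunt(SAMPLE_EVENTS):
        print(f"{image}: {rules}")
```

Running the block prints the three events that survive the filters: the dropped update.exe in the user's Temp directory, the svchost.exe copy under C:\Windows\Temp, and Process Explorer started by a non-admin account. The UTF-16 sample is never matched, which is worth remembering if the rule is ever pointed at process memory or at binaries that carry the API name as a wide string: adding the ascii wide modifiers to the string would cover both encodings.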