Adversaries may use debugger-hiding techniques to evade detection by concealing the malicious threads they run inside legitimate processes from debuggers and analysis tooling. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential persistence or evasion tactics early in the attack lifecycle.
YARA Rule
rule DebuggerHiding__Thread : AntiDebug DebuggerHiding {
    meta:
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
        weight = 1
    strings:
        $ = "SetInformationThread"
    condition:
        any of them
}
When this YARA rule is deployed, the following legitimate scenarios are likely to produce matches; the exclusion condition given for each describes the events to suppress:
Scenario: A system administrator is using GDB (GNU Debugger) to debug a critical application during an incident response.
Filter/Exclusion: process.name == "gdb" or process.parent.name == "gdb"
Scenario: A scheduled job runs a script that uses Process Monitor (ProcMon) to monitor file system activity for troubleshooting.
Filter/Exclusion: process.name == "procmon" or process.parent.name == "procmon"
Scenario: A developer is using Visual Studio with the debugger attached to a local process for code testing.
Filter/Exclusion: process.name == "devenv" or process.parent.name == "devenv"
Scenario: A security tool like Windows Defender or Microsoft Endpoint Detection and Response (EDR) is using a debugger internally to analyze suspicious processes.
Filter/Exclusion: process.name in ("msmpeng.exe", "mfev.exe") or process.parent.name in ("msmpeng.exe", "mfev.exe")
Scenario: A system update or patching tool like Windows Update or SCCM (System Center Configuration Manager) temporarily attaches a debugger to a process during deployment.
Filter/Exclusion: process.name in ("svchost.exe", "wuauserv.exe", "ccmexec.exe") or process.parent.name in ("svchost.exe", "wuauserv.exe", "ccmexec.exe")
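Applying these exclusions to rule hits, as an added example that is not code from the page or from the naxonez rules: the Python below assumes ECS-style process.name / process.parent.name fields and constructed events, allow-lists both the process and its parent as the scenarios above do, and keeps parent-only suppressions in a separate bucket so that broad parents such as svchost.exe can be reviewed rather than silently trusted.

```python
"""Tune DebuggerHiding__Thread hits with the page's exclusions (added example,
not code from the page or the naxonez rules; events below are constructed)."""
from dataclasses import dataclass

# Image names the page's scenarios treat as legitimate debugger users.
ALLOWED = frozenset({
    "gdb", "procmon", "devenv",                    # debugging / troubleshooting
    "msmpeng.exe", "mfev.exe",                     # AV / EDR engines
    "svchost.exe", "wuauserv.exe", "ccmexec.exe",  # Windows Update / SCCM
})

@dataclass(frozen=True)
class Event:
    process_name: str   # process.name
    parent_name: str    # process.parent.name

def classify(event: Event) -> str:
    """Return "alert", "excluded" or "parent_only" for one YARA hit.

    "excluded": the process itself is allow-listed. "parent_only": suppressed
    only by the parent; keep those for review, since a broad parent such as
    svchost.exe also hides any child an attacker launches under it.
    Image names are compared case-insensitively, as Windows treats them.
    """
    if event.process_name.lower() in ALLOWED:
        return "excluded"
    if event.parent_name.lower() in ALLOWED:
        return "parent_only"
    return "alert"

def hunt(events):
    """Bucket hits so alerts and both kinds of suppression stay visible."""
    buckets = {"alert": [], "excluded": [], "parent_only": []}
    for e in events:
        buckets[classify(e)].append(e)
    return buckets

# Constructed sample hits, not real telemetry.
SAMPLE_EVENTS = [
    Event("devenv", "explorer.exe"),
    Event("MsMpEng.exe", "services.exe"),
    Event("updater.exe", "svchost.exe"),
    Event("invoice.exe", "winword.exe"),
]

if __name__ == "__main__":
    for bucket, hits in hunt(SAMPLE_EVENTS).items():
        for e in hits:
            print(f"{bucket:12} {e.process_name} (parent {e.parent_name})")
```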