The DebuggerPattern__CPUID rule matches the two-byte opcode of the x86 CPUID instruction (0F A2), which anti-debugging and anti-VM code executes to fingerprint the environment it is running in; a hit may indicate adversarial behavior aimed at bypassing code integrity checks. Because the same two bytes occur in many legitimate binaries (runtime libraries issue CPUID for feature detection) and can also appear as plain data, the rule carries a weight of 1 and needs the exclusions listed below. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential evasion tactics and early-stage malware activity.
YARA Rule
rule DebuggerPattern__CPUID : AntiDebug DebuggerPattern {
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        $ = {0F A2}
    condition:
        any of them
}
When this YARA rule is deployed, the following benign scenarios can trigger it; the suggested filters or exclusions reduce that noise:
Scenario: A system administrator is using Process Explorer or Process Hacker to debug a problematic service.
    Filter/Exclusion: Exclude processes with Process Explorer.exe or ProcessHacker.exe in their name.

Scenario: A scheduled job runs Windows Debugger (WinDbg) to analyze crash dumps from a production server.
    Filter/Exclusion: Exclude processes with WinDbg.exe or crashdump.exe in their name, or filter by specific job names.

Scenario: A developer is using Visual Studio with the debugger attached to a local application during testing.
    Filter/Exclusion: Exclude processes with devenv.exe or VisualStudio.exe in their name, or filter by user account (e.g., dev user).

Scenario: A security tool like Sysmon or Windows Defender is using a debugger for internal analysis or threat hunting.
    Filter/Exclusion: Exclude processes with Sysmon.exe, MsMpEng.exe, or WindowsDefender.exe in their name.

Scenario: A system update or patching task uses PsExec or PSTools to run a process with a debugger for compatibility checks.
    Filter/Exclusion: Exclude processes launched via PsExec.exe or psexec.exe, or filter by known patching tools.
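The following is an added example, not code from the page or from the naxonez repository: a small Python reimplementation of what the rule's {0F A2} string and `any of them` condition match, combined with the process-name exclusions listed above so the two halves can be exercised together. The function names, the two constructed byte samples and the treatment of the exclusion list as case-insensitive substring matches ("in their name") are assumptions of this example; the page's YARA rule itself has no notion of process names, which is why the exclusions belong in the hunting query or the sensor that runs the rule.

```python
import struct
from typing import Dict, List

# Two-byte encoding of the x86 CPUID instruction: exactly the {0F A2} string in the rule.
CPUID_OPCODE = b"\x0f\xa2"

# Image names the page suggests excluding, matched case-insensitively as substrings
# ("in their name"), so "psexec.exe" also covers "PsExec.exe".
EXCLUDED_IMAGE_NAMES = (
    "process explorer.exe", "processhacker.exe",          # admin debugging a service
    "windbg.exe", "crashdump.exe",                         # scheduled crash-dump analysis
    "devenv.exe", "visualstudio.exe",                      # developer with debugger attached
    "sysmon.exe", "msmpeng.exe", "windowsdefender.exe",    # security tooling
    "psexec.exe",                                          # patching via PsExec/PSTools
)


def find_cpuid_offsets(data: bytes) -> List[int]:
    """Return every offset at which the CPUID opcode bytes occur in `data`."""
    offsets: List[int] = []
    start = 0
    while True:
        idx = data.find(CPUID_OPCODE, start)
        if idx == -1:
            return offsets
        offsets.append(idx)
        start = idx + 1


def rule_matches(data: bytes) -> bool:
    """Equivalent of the rule's condition `any of them` with its single string."""
    return bool(find_cpuid_offsets(data))


def is_excluded(image_name: str) -> bool:
    """Apply the page's process-name exclusions to an image name or path."""
    name = image_name.lower()
    return any(excluded in name for excluded in EXCLUDED_IMAGE_NAMES)


def triage(image_name: str, data: bytes) -> Dict[str, object]:
    """Combine the byte match with the exclusion list into an alert decision."""
    offsets = find_cpuid_offsets(data)
    excluded = is_excluded(image_name)
    return {
        "image": image_name,
        "matched": bool(offsets),
        "offsets": offsets,
        "excluded": excluded,
        "alert": bool(offsets) and not excluded,
    }


# Constructed sample 1: an x86 fragment `xor eax, eax ; cpuid ; mov ebx, eax`
# (31 C0 / 0F A2 / 89 C3), the shape a CPUID-based environment check takes.
SAMPLE_CODE = bytes.fromhex("31c00fa289c3")

# Constructed sample 2: no instructions at all, just a little-endian 16-bit field
# holding 0xA20F. Its bytes are 0F A2, so a raw byte scan matches it anyway.
SAMPLE_DATA = b"\x00" * 4 + struct.pack("<H", 0xA20F) + b"\x00" * 4

if __name__ == "__main__":
    for name, blob in [
        ("suspicious.exe", SAMPLE_CODE),   # matches, not excluded -> alert
        ("WinDbg.exe", SAMPLE_CODE),       # matches, excluded by name -> no alert
        ("report.dat", SAMPLE_DATA),       # data-only false positive -> still alerts
    ]:
        print(triage(name, blob))
```

The third sample is the point of the exercise: a two-byte string with no context matches wherever those bytes happen to fall, so a hit on this rule is a prompt to inspect the process, not a verdict by itself.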