The hypothesis is that this detection rule identifies potential adversary use of the RDTSC instruction (the x86 read-time-stamp-counter opcode) in conjunction with debugger-detection patterns, which may indicate attempts to bypass system monitoring or extract timing-based information. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify stealthy adversaries leveraging low-level CPU instructions to evade detection and exfiltrate data covertly.
YARA Rule
rule DebuggerPattern__RDTSC : AntiDebug DebuggerPattern {
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        $ = {0F 31}
    condition:
        any of them
}
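The rule's single string, {0F 31}, is the two-byte encoding of RDTSC, and a two-byte pattern also matches constantly in benign code and data. The following added example (not part of the original rule set) re-implements the rule's match in pure Python and adds a stricter variant that keeps only two reads close together, the shape of a timing check (read, work, read again, compare). The window size and the sample byte blobs are constructed for this example.

```python
"""Pure-Python stand-in for the DebuggerPattern__RDTSC rule, plus a stricter variant."""
import re

RDTSC = b"\x0f\x31"   # the {0F 31} string from the YARA rule (RDTSC opcode)
PAIR_WINDOW = 64      # max bytes between two reads to treat them as a pair (assumption)


def yara_style_hits(data: bytes) -> list[int]:
    """Every offset where 0F 31 occurs: exactly what `any of them` fires on."""
    return [m.start() for m in re.finditer(re.escape(RDTSC), data)]


def paired_rdtsc_hits(data: bytes, window: int = PAIR_WINDOW) -> list[tuple[int, int]]:
    """Offsets of two RDTSC reads separated by at most `window` bytes.

    A lone 0F 31 is weak evidence; two reads a few dozen bytes apart followed
    by arithmetic is the classic anti-debug timing check, so this keeps only
    consecutive hits whose distance fits inside the window.
    """
    hits = yara_style_hits(data)
    return [(a, b) for a, b in zip(hits, hits[1:]) if b - a <= window]


# Constructed sample 1: a benign blob where 0F 31 is just data inside a table.
BENIGN = b"\x00" * 16 + b"\x12\x0f\x31\x7a" + b"\xcc" * 100

# Constructed sample 2: rdtsc, save edx:eax, ~20 bytes of filler, rdtsc, subtract.
TIMING_CHECK = (
    b"\x90" * 8 + RDTSC + b"\x48\x89\xc3" + b"\x90" * 20
    + RDTSC + b"\x48\x29\xd8" + b"\x90" * 8
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("timing_check", TIMING_CHECK)):
        print(name, "raw hits:", yara_style_hits(blob),
              "paired hits:", paired_rdtsc_hits(blob))
```

The raw match fires on both blobs, the paired variant only on the second; the same tightening can be expressed in YARA with a byte-jump such as {0F 31 [0-64] 0F 31}.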
This YARA rule can be deployed in the following contexts:
Scenario: A system administrator is using GDB (GNU Debugger) to debug a custom application during a scheduled maintenance window.
Filter/Exclusion: Exclude processes where the process name matches gdb and the parent process is a known system admin tool (e.g., task scheduler, psadmin, or psexec).
Scenario: A security analyst is using OllyDbg to analyze a suspicious binary as part of an incident response investigation.
Filter/Exclusion: Exclude processes where the process name matches ollydbg.exe and the user is a member of the Security Analysts group or has a specific role in the SIEM system.
Scenario: A scheduled job runs a script that uses Process Monitor (ProcMon) to monitor file system activity for compliance auditing.
Filter/Exclusion: Exclude processes where the process name matches procmon.exe and the job is scheduled under a known compliance tool (e.g., ComplianceAuditJob).
Scenario: A developer is using Visual Studio with the debugger attached to test a performance-critical application that uses RDTSC for timing.
Filter/Exclusion: Exclude processes where the process name matches devenv.exe and the parent process is a known development environment (e.g., VisualStudioDebugger or VisualStudioIDE).
Scenario: A database administrator is using SQL Profiler to monitor query performance, which may involve low-level timing operations.
Filter/Exclusion: Exclude processes where the process name matches sqlprofiler.exe and the user is a member of the DBA group or has a specific role in the database management system.