The DebuggerTiming__PerformanceCounter rule flags files that contain the name of the Windows API QueryPerformanceCounter. Malware uses this high-resolution timer for a debugger-timing check: it reads the counter before and after a block of code and treats an elapsed time far larger than the block needs as a sign that the process is being single-stepped or sitting on a breakpoint, then changes behaviour to evade analysis. The rule matches on the API name alone and carries weight = 1, so it is a weak indicator meant to be combined with other anti-debugging hits rather than raised as an alert on its own. SOC teams can forward hits from endpoint or sandbox YARA scans to a SIEM such as Azure Sentinel and use them as one input when hunting for anti-analysis tooling that signature-only monitoring would miss.
YARA Rule
rule DebuggerTiming__PerformanceCounter : AntiDebug DebuggerTiming {
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        $ = "QueryPerformanceCounter"
    condition:
        any of them
}
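The following is an added illustration, not code from the referenced rule set, of the check whose API name the rule looks for. It reads a high-resolution counter before and after a block of work and treats a large gap as evidence of a debugger; on Windows, CPython backs time.perf_counter() with QueryPerformanceCounter. The clock is injectable so the "analyst paused the process" case can be exercised deterministically, and the 0.5 s threshold is an assumed value.

```python
import time
from typing import Callable, List

# Assumed threshold: the guarded block takes microseconds to run, so an elapsed
# time of half a second or more only happens if execution was paused by a
# debugger (single-step, breakpoint) or by a sandbox that stalls the process.
DEBUGGER_TIMING_THRESHOLD_S = 0.5


def guarded_work() -> int:
    """Stand-in for the code an anti-debug check wraps; deliberately cheap."""
    return sum(i * i for i in range(1000))


def debugger_detected(work: Callable[[], int] = guarded_work,
                      clock: Callable[[], float] = time.perf_counter,
                      threshold: float = DEBUGGER_TIMING_THRESHOLD_S) -> bool:
    """Debugger-timing check: two high-resolution counter reads around work().

    On Windows, CPython's time.perf_counter() is implemented with
    QueryPerformanceCounter, the API name the YARA rule matches on. The
    clock argument lets callers (and tests) substitute a fake counter.
    """
    before = clock()
    work()
    after = clock()
    return (after - before) > threshold


def fake_clock(readings: List[float]) -> Callable[[], float]:
    """Build a counter that returns the given readings in order (test helper)."""
    it = iter(readings)
    return lambda: next(it)


if __name__ == "__main__":
    # Normal run: the elapsed time is tiny, so the check passes quietly.
    print("debugger detected (real clock):", debugger_detected())
    # Simulated pause: the second reading is 2 s later, as if an analyst
    # single-stepped through guarded_work().
    print("debugger detected (paused):",
          debugger_detected(clock=fake_clock([0.0, 2.0])))
```

The same two-reads-and-compare shape appears in native samples with GetTickCount or rdtsc in place of QueryPerformanceCounter, which is why this rule is only one of several timing-related rules in the referenced file.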
The API name is imported by a large share of legitimate Windows software, so the rule produces benign matches in contexts such as the following. Because YARA matches file content rather than process activity, exclusions have to be expressed in terms of what was scanned (file hash, code signature, path or scan scope) or as extra conditions in the rule; process names, parent processes, command lines, group membership and network addresses are not available to it. Note also that the string carries no wide modifier, so the rule matches only the ASCII spelling of the name and misses a UTF-16 copy.
Scenario: A system administrator has Process Explorer or Process Hacker on a server to troubleshoot a performance issue; the tools' binaries reference the timer API.
Filter/Exclusion: Allowlist the tool binaries by file hash or by verified code signature rather than by process name or by the group the user belongs to.
Scenario: A scheduled job runs PowerShell scripts that read performance counters to gather system metrics for reporting. The script text itself seldom contains the API name; a hit usually comes from the PowerShell host and .NET runtime binaries that implement the timer.
Filter/Exclusion: Allowlist those host and runtime files by Microsoft code signature or keep the runtime directories out of the scan scope; filtering on the command line does not apply to a file-content rule.
Scenario: A developer profiles an application with Visual Studio and the Windows Performance Toolkit; the profiler binaries and the developer's own builds reference the API.
Filter/Exclusion: Exclude the toolchain installation directories from the scan scope or allowlist them by code signature. A parent-process condition (devenv.exe) cannot be expressed in YARA, and the developer's unsigned debug builds will still match, so triage them by combining this rule with other anti-debugging indicators.
Scenario: Windows Update or Group Policy processing replaces system components under the Windows directory, many of which reference the API.
Filter/Exclusion: Keep operating-system directories out of the scan scope or allowlist Microsoft-signed files; matching on wuauclt.exe or gpupdate.exe as a parent process is not something the rule can do.
Scenario: A third-party monitoring agent such as SolarWinds or Nagios reads performance counters for real-time system health checks.
Filter/Exclusion: Allowlist the agent binaries by vendor code signature or file hash. IP ranges or domains of the monitoring service are not a usable filter, since the match is on file content and not on network traffic.
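To show how the tuning above is applied in practice, here is an added example (not part of the referenced rule set) that mirrors the rule's plain ASCII match over constructed file contents, allowlists known-good files by SHA-256 rather than by process name, and promotes a hit to an alert only when it co-occurs with other anti-debugging API names. The companion indicators and their weights are assumptions for illustration; only the QueryPerformanceCounter weight of 1 comes from the rule.

```python
import hashlib
from typing import Dict, Set

# Indicator weights are assumed values for this example; the weight of 1 on
# QueryPerformanceCounter mirrors the rule's meta, the rest are illustrative.
INDICATOR_WEIGHTS = {
    b"QueryPerformanceCounter": 1,
    b"IsDebuggerPresent": 2,
    b"CheckRemoteDebuggerPresent": 3,
}
ALERT_THRESHOLD = 4  # assumed: a lone timer import never reaches this


def find_indicators(data: bytes) -> Dict[str, int]:
    """Indicators present in data, matched as plain ASCII exactly like the rule
    (no wide modifier, so UTF-16 spellings are deliberately not searched)."""
    return {name.decode(): w for name, w in INDICATOR_WEIGHTS.items() if name in data}


def score(data: bytes) -> int:
    """Sum of the weights of all indicators found in the file contents."""
    return sum(find_indicators(data).values())


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(samples: Dict[str, bytes], allowlist: Set[str]) -> Dict[str, str]:
    """Verdict per sample: allowlisted, no-match, weak (rule hit below threshold)
    or alert (rule hit plus enough companion indicators)."""
    verdicts = {}
    for name, data in samples.items():
        if sha256(data) in allowlist:
            verdicts[name] = "allowlisted"       # exclusion by hash, not by name
        elif b"QueryPerformanceCounter" not in data:
            verdicts[name] = "no-match"          # the YARA rule would not fire
        elif score(data) >= ALERT_THRESHOLD:
            verdicts[name] = "alert"
        else:
            verdicts[name] = "weak"              # weight 1 on its own
    return verdicts


# Constructed stand-ins for scanned files; these are not real binaries.
SAMPLES = {
    "benign_tool.exe": b"MZ...KERNEL32.dll\x00QueryPerformanceCounter\x00GetTickCount\x00",
    "monitor_agent.exe": b"MZ...QueryPerformanceCounter\x00PdhCollectQueryData\x00",
    "suspicious.bin": b"MZ...QueryPerformanceCounter\x00IsDebuggerPresent\x00"
                      b"CheckRemoteDebuggerPresent\x00",
    "plain.dll": b"MZ...GetTickCount\x00",
}

# Allowlist keyed on the hash of a known-good monitoring agent, the file-level
# equivalent of "exclude SolarWinds.exe / nagios.exe".
ALLOWLIST = {sha256(SAMPLES["monitor_agent.exe"])}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES, ALLOWLIST).items():
        print(f"{name:18} score={score(SAMPLES[name])} -> {verdict}")
```

In a real deployment the allowlist would be fed from a signer or hash inventory and the companion indicators would be the other rules in the referenced AntiDebugging.yara file, but the shape is the same: the timer rule contributes weight, it does not decide.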