The DebuggerTiming__Ticks rule flags files that contain the string GetTickCount, a Windows API that malware and packers commonly use for timing-based anti-debugging: the code reads the tick count before and after a short stretch of instructions, and a delta far larger than that stretch should take suggests the sample is being single-stepped or paused in a debugger. The rule does not observe timing itself; it is a static string match against the file or memory region being scanned, and its weight of 1 reflects that GetTickCount is imported by a great deal of benign software. SOC teams should treat a hit as one low-confidence signal to be combined with others, for example by scanning files and process memory with YARA and forwarding the matches to Azure Sentinel for correlation with process, network and identity telemetry, rather than as a standalone indicator of an advanced threat.
YARA Rule
rule DebuggerTiming__Ticks : AntiDebug DebuggerTiming {
    meta:
        weight = 1      // low confidence: GetTickCount is imported by much benign software
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        $ = "GetTickCount"   // anonymous, case-sensitive ASCII string; also matches "GetTickCount64"
    condition:
        any of them
}
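To make the match semantics concrete, the following added example (written for this page, not code from naxonez's yaraRules repository) emulates the rule's single anonymous string over constructed byte buffers that stand in for file contents, and cross-checks against the real rule text if yara-python happens to be installed. The buffers are fabricated import-table fragments, not real binaries; they show that a file matches as soon as it merely imports the API, that GetTickCount64 matches too because the pattern is a prefix of it, and that the match is case-sensitive.

```python
"""Emulate the DebuggerTiming__Ticks match semantics over constructed input.

Added example for this page; it is not code from naxonez's yaraRules repository.
The byte strings in SAMPLES are constructed stand-ins for file contents
(fragments that resemble a PE import name table), not real binaries.
"""

RULE_NAME = "DebuggerTiming__Ticks"

# The rule text from the page, kept verbatim so yara-python can compile it.
RULE_TEXT = r'''
rule DebuggerTiming__Ticks : AntiDebug DebuggerTiming {
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        $ = "GetTickCount"
    condition:
        any of them
}
'''

# A YARA text string with no modifiers is a case-sensitive ASCII pattern, and
# `any of them` over a single anonymous string reduces to a substring test.
PATTERN = b"GetTickCount"


def rule_matches(data: bytes) -> bool:
    """True when the rule's only string occurs anywhere in the scanned bytes."""
    return PATTERN in data


SAMPLES = {
    # imports GetTickCount directly: the intended hit
    "imports_gettickcount": b"KERNEL32.dll\x00GetTickCount\x00Sleep\x00",
    # imports only GetTickCount64: still a hit, the pattern is a prefix of the name
    "imports_gettickcount64": b"KERNEL32.dll\x00GetTickCount64\x00",
    # wrong case: no hit, the string carries no `nocase` modifier
    "lowercase_text": b"calls gettickcount in a loop",
    # a different timing API: no hit, the rule knows nothing about it
    "uses_qpc": b"KERNEL32.dll\x00QueryPerformanceCounter\x00",
}


def scan(samples: dict) -> dict:
    """Apply the emulated rule to every sample; returns name -> matched."""
    return {name: rule_matches(data) for name, data in samples.items()}


def scan_with_yara(samples: dict):
    """Cross-check against the real rule if yara-python is installed, else None."""
    try:
        import yara  # pip install yara-python
    except ImportError:
        return None
    rules = yara.compile(source=RULE_TEXT)
    return {
        name: any(m.rule == RULE_NAME for m in rules.match(data=data))
        for name, data in samples.items()
    }


if __name__ == "__main__":
    emulated = scan(SAMPLES)
    for name, hit in emulated.items():
        print(f"{name:24s} {'MATCH' if hit else 'no match'}")
    real = scan_with_yara(SAMPLES)
    if real is not None:
        print("yara-python agrees with the emulation:", real == emulated)
```

The GetTickCount64 case is worth remembering when triaging: a hit tells you the name occurs somewhere in the file, not that the timing-delta technique is implemented, and not even which of the two APIs is used.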
Because the rule is a plain string match, any file that contains GetTickCount matches it, including legitimate debugging, monitoring and administration tools that import the API. When hits come from scanning running processes and are forwarded to a SIEM such as Azure Sentinel, the usual tuning is to exclude known tools by process name. Two things must be right for that to work. First, the conditions have to be joined with and (or written as a not-in list): `process.name != "a" or process.name != "b"` is true for every process, because no name equals both, so it excludes nothing. Second, a name-based exclusion is defeated by an attacker who simply renames a binary, so pair it with a check on the file's signer, hash or path. Example contexts and the corresponding filters:
Scenario: A system administrator is using WinDbg to debug a kernel crash dump during routine maintenance.
Filter/Exclusion: process.name != "windbg.exe" and process.name != "dbg.exe"
Scenario: A scheduled job runs Process Monitor (ProcMon) to monitor file system activity during a backup operation.
Filter/Exclusion: process.name != "procmon.exe" and process.name != "procmon64.exe"
Scenario: A developer is using Visual Studio with the debugger attached to a local application for code testing.
Filter/Exclusion: process.name != "devenv.exe" and process.name != "vsdebugger.exe"
Scenario: Sysmon is configured to log process creation events; its own binary matches the rule if, like most Windows executables, it contains the GetTickCount import name, not because of anything it does at runtime.
Filter/Exclusion: process.name != "sysmon64.exe" and process.name != "sysmon.exe"
Scenario: A system update or patching task uses PsExec to run a script with elevated privileges. The PsExec binary matches only if the scanned file contains the string; the rule sees no timing behaviour, so the hit is unrelated to how long the task runs.
Filter/Exclusion: process.name != "psexec.exe" and process.name != "psexec64.exe"
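The following added example (written for this page, not code from the original page or from any SIEM product) shows the two points above in working form: the `or`-joined exclusion is a tautology that keeps every hit, and the corrected filter drops an excluded tool only when the process name matches and the binary carries a trusted signature, so an unsigned file that merely borrows a whitelisted name still surfaces. The hit records are constructed, and the publisher string in TRUSTED_SIGNERS is an assumption to be replaced with the signers actually observed in your environment.

```python
"""Apply exclusions to DebuggerTiming__Ticks hits from process scans.

Added example for this page, not code from the original page or from a SIEM
product.  HITS are constructed records, and TRUSTED_SIGNERS holds an assumed
publisher name used only as a placeholder.
"""

EXCLUDED_NAMES = {
    "windbg.exe", "dbg.exe",
    "procmon.exe", "procmon64.exe",
    "devenv.exe", "vsdebugger.exe",
    "sysmon.exe", "sysmon64.exe",
    "psexec.exe", "psexec64.exe",
}

# Assumed publisher for the tools above; verify against real certificates.
TRUSTED_SIGNERS = {"Microsoft Corporation"}


def buggy_keep(process_name: str) -> bool:
    """The `!= a or != b` form: a tautology that never excludes anything.

    No single process name equals both "procmon.exe" and "procmon64.exe", so
    at least one inequality always holds and every hit is kept.
    """
    return process_name != "procmon.exe" or process_name != "procmon64.exe"


def keep_hit(hit: dict) -> bool:
    """Keep the hit unless it comes from an excluded tool that is also signed
    by a trusted publisher.  Names are lower-cased because Windows process
    names are case-insensitive.
    """
    name = hit["process"].lower()
    if name not in EXCLUDED_NAMES:
        return True
    # Excluded name, but only trust it when the signature backs the name up;
    # a renamed or tampered binary typically has no valid signer.
    return hit.get("signer") not in TRUSTED_SIGNERS


def triage(hits, keep=keep_hit):
    """Return the hits that survive the exclusion filter."""
    return [h for h in hits if keep(h)]


HITS = [  # constructed records, not real telemetry
    {"host": "ws01", "process": "Procmon64.exe", "signer": "Microsoft Corporation"},
    {"host": "ws02", "process": "procmon64.exe", "signer": None},  # unsigned: suspicious
    {"host": "ws03", "process": "devenv.exe", "signer": "Microsoft Corporation"},
    {"host": "ws04", "process": "update.exe", "signer": None},
]


if __name__ == "__main__":
    kept_buggy = triage(HITS, lambda h: buggy_keep(h["process"]))
    print("or-joined filter keeps:", [h["host"] for h in kept_buggy])
    print("corrected filter keeps:", [h["host"] for h in triage(HITS)])
```

The signer field is whatever your scanner or EDR reports for the image's Authenticode signature; if that is unavailable, a hash allow-list for the known tool versions serves the same purpose.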