T1622

Debugger Evasion

Tactics: Defense Evasion, Discovery

This detection identifies adversary attempts to detect and evade debuggers during malware execution. Adversaries employ techniques including Windows API calls (IsDebuggerPresent, CheckRemoteDebuggerPresent, NtQueryInformationProcess), manual inspection of the Process Environment Block (PEB) BeingDebugged flag, querying /proc/self/status for TracerPID on Linux, enumerating foreground window titles for known debugger strings, abusing Structured Exception Handling (SEH) to detect suspended execution, and flooding debug channels via OutputDebugStringW loops. Known malware families employing these techniques include Lumma Stealer, AsyncRAT, PlugX, StealBit, and StrelaStealer. Detection focuses on process command-line artifacts exposing debug API references, suspicious process access events with debug-level rights, Linux /proc/self/status reads, and behavioral signals such as non-system processes with very short lifespans that terminate after potential environment checks.

What is T1622 Debugger Evasion?

Debugger Evasion (T1622) maps to the Defense Evasion and Discovery tactics in MITRE ATT&CK; the adversary is trying to avoid being detected.

This page provides production-ready detection logic for Debugger Evasion, covering the data source and telemetry it touches: Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms: KQL, SPL, Elastic, QRadar, Sumo, YARA-L and LogScale.

MITRE ATT&CK

Tactic: Defense Evasion, Discovery
Technique: T1622 Debugger Evasion
Canonical reference: https://attack.mitre.org/techniques/T1622/
Microsoft Sentinel / Defender (KQL)

let DebuggerWindowNames = dynamic(["x32dbg", "x64dbg", "windbg", "ollydbg", "dnspy", "immunity", "cheatengine", "processhacker", "x64_dbg"]);
let DebugApiTerms = dynamic(["IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess", "BeingDebugged", "DebugActiveProcess", "OutputDebugStringW", "OutputDebugStringA"]);
let LegitParents = dynamic(["devenv.exe", "code.exe", "msbuild.exe", "dotnet.exe", "vstest.console.exe", "testhost.exe", "WerFault.exe", "rider64.exe", "clion64.exe"]);
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where FileName !in~ (LegitParents)
| where InitiatingProcessFileName !in~ (LegitParents)
| where (
    // Direct debugger API references in command line (scripted, injected, or reflective loading)
    ProcessCommandLine has_any (DebugApiTerms)
    or
    // Debugger window name enumeration — Lumma Stealer / AsyncRAT pattern
    (ProcessCommandLine has_any (DebuggerWindowNames) and ProcessCommandLine !contains "install" and FileName !in~ (DebuggerWindowNames))
    or
    // Linux /proc/self/status read for TracerPID field
    (ProcessCommandLine has "/proc/self/status" and ProcessCommandLine has_any ("TracerPID", "cat ", "grep ", "awk ", "read "))
    or
    // .NET managed code debugger detection via PowerShell reflection
    (ProcessCommandLine has_any ("Debugger.IsAttached", "Debugger.Launch", "[System.Diagnostics.Debugger]") and FileName in~ ("powershell.exe", "pwsh.exe"))
)
| extend RiskScore = case(
    ProcessCommandLine has_any ("NtQueryInformationProcess", "BeingDebugged"), 90,
    ProcessCommandLine has_any ("IsDebuggerPresent", "CheckRemoteDebuggerPresent"), 80,
    ProcessCommandLine has_any ("Debugger.IsAttached", "Debugger.Launch"), 75,
    ProcessCommandLine has_any (DebuggerWindowNames), 70,
    ProcessCommandLine has "/proc/self/status", 65,
    60
)
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath,
         SHA256, ProcessId, InitiatingProcessId, RiskScore
| order by RiskScore desc, TimeGenerated desc

Detects processes exhibiting debugger evasion behaviors via command-line analysis. Covers Win32 API debug checks (IsDebuggerPresent, CheckRemoteDebuggerPresent, NtQueryInformationProcess), debugger window name enumeration matching Lumma Stealer and AsyncRAT patterns, Linux /proc/self/status TracerPID reads, and .NET Debugger class usage via PowerShell reflection. A risk score is assigned according to the specificity of the evasion method, and processes spawned by or belonging to common developer toolchains are excluded.
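The matching and RiskScore logic of the KQL above, re-implemented in Python and run over a handful of constructed DeviceProcessEvents rows so the branch conditions, the developer-toolchain allowlist and the case() ordering can be exercised offline. This is an added example, not the page's query or vendor code: has_any approximates KQL's term-based has_any with a case-insensitive substring test, and every sample row is constructed.

```python
DEBUGGER_WINDOW_NAMES = ["x32dbg", "x64dbg", "windbg", "ollydbg", "dnspy", "immunity",
                         "cheatengine", "processhacker", "x64_dbg"]
DEBUG_API_TERMS = ["IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess",
                   "BeingDebugged", "DebugActiveProcess", "OutputDebugStringW", "OutputDebugStringA"]
LEGIT_PARENTS = {"devenv.exe", "code.exe", "msbuild.exe", "dotnet.exe", "vstest.console.exe",
                 "testhost.exe", "werfault.exe", "rider64.exe", "clion64.exe"}  # lowercased, as !in~
DOTNET_TERMS = ["Debugger.IsAttached", "Debugger.Launch", "[System.Diagnostics.Debugger]"]
PROC_READ_TERMS = ["TracerPID", "cat ", "grep ", "awk ", "read "]
SCORE_TIERS = [  # same order as the KQL case(): the first matching tier wins, default is 60
    (["NtQueryInformationProcess", "BeingDebugged"], 90),
    (["IsDebuggerPresent", "CheckRemoteDebuggerPresent"], 80),
    (["Debugger.IsAttached", "Debugger.Launch"], 75),
    (DEBUGGER_WINDOW_NAMES, 70),
    (["/proc/self/status"], 65),
]

def has_any(text, terms):
    """Case-insensitive substring test; approximates KQL has_any, which is term-based."""
    low = text.lower()
    return any(t.lower() in low for t in terms)

def score_event(file_name, parent_name, cmdline):
    """RiskScore the query would assign to one DeviceProcessEvents row, or None if not flagged."""
    if file_name.lower() in LEGIT_PARENTS or parent_name.lower() in LEGIT_PARENTS:
        return None  # developer-toolchain allowlist is applied to FileName and to the parent
    flagged = (
        has_any(cmdline, DEBUG_API_TERMS)
        or (has_any(cmdline, DEBUGGER_WINDOW_NAMES) and "install" not in cmdline.lower()
            and file_name.lower() not in DEBUGGER_WINDOW_NAMES)
        or ("/proc/self/status" in cmdline.lower() and has_any(cmdline, PROC_READ_TERMS))
        or (has_any(cmdline, DOTNET_TERMS) and file_name.lower() in ("powershell.exe", "pwsh.exe"))
    )
    if not flagged:
        return None
    return next((score for terms, score in SCORE_TIERS if has_any(cmdline, terms)), 60)

def rank(events):
    """Flagged rows as (RiskScore, FileName, ProcessCommandLine), highest score first."""
    hits = [(s, f, c) for f, p, c in events if (s := score_event(f, p, c)) is not None]
    return sorted(hits, key=lambda h: h[0], reverse=True)

SAMPLE_EVENTS = [  # constructed rows: (FileName, InitiatingProcessFileName, ProcessCommandLine)
    ("cmd.exe", "winword.exe", "cmd.exe /c loader.exe --env NtQueryInformationProcess ProcessDebugPort"),
    ("powershell.exe", "explorer.exe", 'powershell.exe -nop -c "...DllImport(kernel32)...IsDebuggerPresent..."'),
    ("pwsh.exe", "explorer.exe", 'pwsh -c "if ([System.Diagnostics.Debugger]::IsAttached) { exit }"'),  # 60
    ("bash", "sshd", "bash -c 'grep TracerPid /proc/self/status'"),
    ("testhost.exe", "dotnet.exe", "testhost.exe --port 5000 Debugger.IsAttached"),  # allowlisted
    ("setup.exe", "explorer.exe", "setup.exe /install x64dbg"),                     # "install" exclusion
    ("notepad.exe", "explorer.exe", "notepad.exe C:\\Users\\a\\notes.txt"),
]
```

The pwsh row is flagged by the .NET branch but falls through to the default score of 60, because none of the case() tiers match the `[System.Diagnostics.Debugger]::IsAttached` syntax; that is a tuning point if PowerShell-hosted checks are the main concern.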

Severity: high. Confidence: medium.

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

  • Legitimate developer toolchains and IDEs (Visual Studio, VS Code, JetBrains Rider, CLion) that call debugger presence checks internally during build and test pipelines
  • .NET and Java applications using Debugger.IsAttached or equivalent to conditionally emit verbose diagnostic logging in development builds deployed to test environments
  • Game anti-cheat modules (Easy Anti-Cheat, BattlEye, Vanguard) that legitimately enumerate debugger and memory editor window titles to enforce fair play policies
  • Commercial software protection wrappers (Themida, VMProtect, ENIGMA Protector) that check for analysis environments as part of legitimate copy protection enforcement
  • Security testing frameworks and red team tools running in authorized engagements where analysts are intentionally testing these API call patterns

Sigma rule & cross-platform mapping

The detection logic for Debugger Evasion (T1622) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic ships as native queries for KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale). In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Windows IsDebuggerPresent Check via PowerShell P/Invoke

    Expected signal: Sysmon EventCode=1 with Image=powershell.exe and CommandLine containing 'IsDebuggerPresent' and 'DllImport'. Microsoft Defender for Endpoint DeviceProcessEvents entry with matching FileName and ProcessCommandLine fields.

  2. Test 2: Windows NtQueryInformationProcess ProcessDebugPort Check via PowerShell

    Expected signal: Sysmon EventCode=1 with Image=powershell.exe and CommandLine containing 'NtQueryInformationProcess'. Windows Security EventCode=4688 may fire with truncated command line depending on audit policy. DeviceProcessEvents entry in Defender with full ProcessCommandLine.

  3. Test 3: Linux TracerPID Debugger Check via /proc/self/status

    Expected signal: Linux auditd syscall record for openat/open with file path '/proc/self/status' (if auditd watches /proc), or Sysmon for Linux EventCode=1 with CommandLine containing '/proc/self/status' and 'TracerPid'. Available in Syslog or linux_secure Splunk sourcetype.

  4. Test 4: Windows Debugger Window Enumeration via PowerShell (Lumma Stealer Pattern)

    Expected signal: Sysmon EventCode=1 with Image=powershell.exe and CommandLine containing 'GetForegroundWindow' and debugger strings ('x32dbg', 'x64dbg', etc.). DeviceProcessEvents entry with matching ProcessCommandLine.
