T1622 Debugger Evasion Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let DebuggerWindowNames = dynamic(["x32dbg", "x64dbg", "windbg", "ollydbg", "dnspy", "immunity", "cheatengine", "processhacker", "x64_dbg"]);
let DebugApiTerms = dynamic(["IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess", "BeingDebugged", "DebugActiveProcess", "OutputDebugStringW", "OutputDebugStringA"]);
let LegitParents = dynamic(["devenv.exe", "code.exe", "msbuild.exe", "dotnet.exe", "vstest.console.exe", "testhost.exe", "WerFault.exe", "rider64.exe", "clion64.exe"]);
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where FileName !in~ (LegitParents)
| where InitiatingProcessFileName !in~ (LegitParents)
| where (
    // Direct debugger API references in command line (scripted, injected, or reflective loading)
    ProcessCommandLine has_any (DebugApiTerms)
    or
    // Debugger window name enumeration — Lumma Stealer / AsyncRAT pattern
    (ProcessCommandLine has_any (DebuggerWindowNames) and ProcessCommandLine !contains "install" and FileName !in~ (DebuggerWindowNames))
    or
    // Linux /proc/self/status read for TracerPID field
    (ProcessCommandLine has "/proc/self/status" and ProcessCommandLine has_any ("TracerPID", "cat ", "grep ", "awk ", "read "))
    or
    // .NET managed code debugger detection via PowerShell reflection
    (ProcessCommandLine has_any ("Debugger.IsAttached", "Debugger.Launch", "[System.Diagnostics.Debugger]") and FileName in~ ("powershell.exe", "pwsh.exe"))
)
| extend RiskScore = case(
    ProcessCommandLine has_any ("NtQueryInformationProcess", "BeingDebugged"), 90,
    ProcessCommandLine has_any ("IsDebuggerPresent", "CheckRemoteDebuggerPresent"), 80,
    ProcessCommandLine has_any ("Debugger.IsAttached", "Debugger.Launch"), 75,
    ProcessCommandLine has_any (DebuggerWindowNames), 70,
    ProcessCommandLine has "/proc/self/status", 65,
    60
)
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath,
         SHA256, ProcessId, InitiatingProcessId, RiskScore
| order by RiskScore desc, TimeGenerated desc

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate developer toolchains and IDEs (Visual Studio, VS Code, JetBrains Rider, CLion) that call debugger presence checks internally during build and test pipelines
.NET and Java applications using Debugger.IsAttached or equivalent to conditionally emit verbose diagnostic logging in development builds deployed to test environments
Game anti-cheat modules (Easy Anti-Cheat, BattlEye, Vanguard) that legitimately enumerate debugger and memory editor window titles to enforce fair play policies
Commercial software protection wrappers (Themida, VMProtect, ENIGMA Protector) that check for analysis environments as part of legitimate copy protection enforcement
Security testing frameworks and red team tools running in authorized engagements where analysts are intentionally testing these API call patterns

Splunk

spl

index=windows (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
| eval EventCode=coalesce(EventCode, event_id)
| search (EventCode=1 OR EventCode=4688)
| eval process_image=coalesce(Image, NewProcessName)
| eval cmdline=coalesce(CommandLine, ProcessCommandLine)
| eval parent_image=coalesce(ParentImage, ParentProcessName)
| where NOT match(process_image, "(?i)(devenv\.exe|code\.exe|msbuild\.exe|dotnet\.exe|vstest\.console\.exe|testhost\.exe|WerFault\.exe|rider64\.exe)")
| eval debugger_api_hit=if(match(cmdline, "(?i)(IsDebuggerPresent|CheckRemoteDebuggerPresent|NtQueryInformationProcess|BeingDebugged|OutputDebugStringW|OutputDebugStringA|DebugActiveProcess)"), 1, 0)
| eval debugger_window_hit=if(match(cmdline, "(?i)(x32dbg|x64dbg|windbg|ollydbg|dnspy|cheatengine|processhacker|immunity debugger)"), 1, 0)
| eval proc_status_hit=if(match(cmdline, "(?i)(/proc/self/status|TracerPID)"), 1, 0)
| eval dotnet_debug_hit=if(match(cmdline, "(?i)(Debugger\.IsAttached|Debugger\.Launch|\[System\.Diagnostics\.Debugger\])"), 1, 0)
| eval evasion_score=case(
    debugger_api_hit=1 AND match(cmdline, "(?i)(NtQueryInformationProcess|BeingDebugged)"), 90,
    debugger_api_hit=1, 80,
    dotnet_debug_hit=1, 75,
    debugger_window_hit=1, 70,
    proc_status_hit=1, 65,
    true(), 0
)
| where evasion_score > 0
| eval evasion_type=case(
    match(cmdline, "(?i)(NtQueryInformationProcess|BeingDebugged)"), "Native API Debug Check",
    debugger_api_hit=1, "Win32 Debugger API Check",
    dotnet_debug_hit=1, ".NET Debugger Detection",
    debugger_window_hit=1, "Debugger Window Enumeration",
    proc_status_hit=1, "Linux /proc TracerPID Check",
    true(), "Unknown"
)
| eval hostname=coalesce(Computer, host)
| table _time hostname process_image cmdline parent_image evasion_type evasion_score EventCode
| sort - evasion_score _time

high severity medium confidence

Data Sources

Sysmon Windows Security Event Log

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Developer IDE toolchains (Visual Studio, Rider, CLion) and associated build runners that invoke debugger presence checks as part of compilation or unit test execution pipelines
Game anti-cheat modules (EAC, BattlEye, Vanguard) that enumerate known debugger and memory editing tool window titles to enforce anti-cheat policies
Commercial software protection products (Themida, ENIGMA Protector) wrapping legitimately licensed applications with anti-analysis routines
Authorized red team operations and penetration testing engagements where analysts are intentionally simulating malware debugger evasion behavior

Elastic Security (EQL)

eql

process where process.name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe") and (process.command_line : ("*IsDebuggerPresent*", "*CheckRemoteDebuggerPresent*", "*NtQueryInformationProcess*", "*OutputDebugString*", "*DebugActiveProcess*") or process.command_line : ("*RDTSC*", "*GetTickCount*", "*QueryPerformanceCounter*") and process.command_line : ("*sleep*", "*delay*", "*timing*"))

high severity medium confidence

Data Sources

Elastic Endpoint Security

Required Tables

logs-endpoint.events.process-*

False Positives

Legitimate developer toolchains and IDEs (Visual Studio, VS Code, JetBrains Rider, CLion) that call debugger presence checks internally during build and test pipelines
.NET and Java applications using Debugger.IsAttached or equivalent to conditionally emit verbose diagnostic logging in development builds deployed to test environments
Game anti-cheat modules (Easy Anti-Cheat, BattlEye, Vanguard) that legitimately enumerate debugger and memory editor window titles to enforce fair play policies
Commercial software protection wrappers (Themida, VMProtect, ENIGMA Protector) that check for analysis environments as part of legitimate copy protection enforcement
Security testing frameworks and red team tools running in authorized engagements where analysts are intentionally testing these API call patterns

IBM QRadar (AQL)

sql

SELECT username as "Username", "UTF8(payload)" as "CommandLine", devicetime as "EventTime", CASE WHEN "CommandLine" ILIKE '%IsDebuggerPresent%' OR "CommandLine" ILIKE '%CheckRemoteDebuggerPresent%' THEN 80 WHEN "CommandLine" ILIKE '%NtQueryInformationProcess%' AND "CommandLine" ILIKE '%ProcessDebugPort%' THEN 85 WHEN "CommandLine" ILIKE '%OutputDebugString%' THEN 65 ELSE 50 END as "RiskScore" FROM events WHERE eventid = 4688 AND ("CommandLine" ILIKE '%IsDebuggerPresent%' OR "CommandLine" ILIKE '%CheckRemoteDebuggerPresent%' OR "CommandLine" ILIKE '%NtQueryInformationProcess%' OR "CommandLine" ILIKE '%OutputDebugString%') ORDER BY "RiskScore" DESC LAST 24 HOURS

high severity medium confidence

Data Sources

Windows Security Event Log

Required Tables

events

False Positives

Legitimate developer toolchains and IDEs (Visual Studio, VS Code, JetBrains Rider, CLion) that call debugger presence checks internally during build and test pipelines
.NET and Java applications using Debugger.IsAttached or equivalent to conditionally emit verbose diagnostic logging in development builds deployed to test environments
Game anti-cheat modules (Easy Anti-Cheat, BattlEye, Vanguard) that legitimately enumerate debugger and memory editor window titles to enforce fair play policies
Commercial software protection wrappers (Themida, VMProtect, ENIGMA Protector) that check for analysis environments as part of legitimate copy protection enforcement
Security testing frameworks and red team tools running in authorized engagements where analysts are intentionally testing these API call patterns

Sumo Logic CSE

sql

_sourceCategory=endpoint/windows | json auto | where command_line matches "*IsDebuggerPresent*" or command_line matches "*CheckRemoteDebuggerPresent*" or command_line matches "*NtQueryInformationProcess*" or command_line matches "*OutputDebugString*" | if(matches(command_line, "*NtQueryInformationProcess*ProcessDebugPort*"), "High", if(matches(command_line, "*IsDebuggerPresent*") or matches(command_line, "*CheckRemoteDebuggerPresent*"), "High", "Medium")) as RiskLevel | stats count by user_name, process_name, host_name, RiskLevel | sort by count desc

high severity medium confidence

Data Sources

Windows Endpoint Events

Required Tables

endpoint/windows

False Positives

Legitimate developer toolchains and IDEs (Visual Studio, VS Code, JetBrains Rider, CLion) that call debugger presence checks internally during build and test pipelines
.NET and Java applications using Debugger.IsAttached or equivalent to conditionally emit verbose diagnostic logging in development builds deployed to test environments
Game anti-cheat modules (Easy Anti-Cheat, BattlEye, Vanguard) that legitimately enumerate debugger and memory editor window titles to enforce fair play policies
Commercial software protection wrappers (Themida, VMProtect, ENIGMA Protector) that check for analysis environments as part of legitimate copy protection enforcement
Security testing frameworks and red team tools running in authorized engagements where analysts are intentionally testing these API call patterns

Google Chronicle / SecOps

yaral

rule detect_debugger_evasion {
  meta:
    author = "Argus"
    description = "Detects debugger evasion behaviors via Win32 API and timing checks"
    severity = "HIGH"
    technique = "T1622"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.command_line, `IsDebuggerPresent|CheckRemoteDebuggerPresent|NtQueryInformationProcess|OutputDebugString|DebugActiveProcess`) nocase
    )
  condition:
    $e
}

high severity medium confidence

Data Sources

Endpoint Telemetry

Required Tables

PROCESS_LAUNCH

False Positives

Legitimate developer toolchains and IDEs (Visual Studio, VS Code, JetBrains Rider, CLion) that call debugger presence checks internally during build and test pipelines
.NET and Java applications using Debugger.IsAttached or equivalent to conditionally emit verbose diagnostic logging in development builds deployed to test environments
Game anti-cheat modules (Easy Anti-Cheat, BattlEye, Vanguard) that legitimately enumerate debugger and memory editor window titles to enforce fair play policies
Commercial software protection wrappers (Themida, VMProtect, ENIGMA Protector) that check for analysis environments as part of legitimate copy protection enforcement
Security testing frameworks and red team tools running in authorized engagements where analysts are intentionally testing these API call patterns

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| CommandHistory = /IsDebuggerPresent|CheckRemoteDebuggerPresent|NtQueryInformationProcess|OutputDebugString|DebugActiveProcess/i
| case {
    CommandHistory = /NtQueryInformationProcess.*ProcessDebugPort/i | EvasionType := "Kernel Debug Check";
    CommandHistory = /CheckRemoteDebuggerPresent/i | EvasionType := "Remote Debugger Check";
    CommandHistory = /IsDebuggerPresent/i | EvasionType := "IsDebuggerPresent Check";
    CommandHistory = /OutputDebugString/i | EvasionType := "Debug String Anti-Analysis";
    * | EvasionType := "Debug Evasion"
  }
| table([@timestamp, UserName, ComputerName, ImageFileName, CommandHistory, EvasionType])

high severity medium confidence

Data Sources

ProcessRollup2 (Falcon sensor)

Required Tables

ProcessRollup2

False Positives

Legitimate developer toolchains and IDEs (Visual Studio, VS Code, JetBrains Rider, CLion) that call debugger presence checks internally during build and test pipelines
.NET and Java applications using Debugger.IsAttached or equivalent to conditionally emit verbose diagnostic logging in development builds deployed to test environments
Game anti-cheat modules (Easy Anti-Cheat, BattlEye, Vanguard) that legitimately enumerate debugger and memory editor window titles to enforce fair play policies
Commercial software protection wrappers (Themida, VMProtect, ENIGMA Protector) that check for analysis environments as part of legitimate copy protection enforcement
Security testing frameworks and red team tools running in authorized engagements where analysts are intentionally testing these API call patterns

Debugger Evasion

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Defense Evasion

Popular Detections