Detect Debugger Evasion in Elastic Security
This detection identifies adversary attempts to detect and evade debuggers during malware execution. Adversaries employ techniques including Windows API calls (IsDebuggerPresent, CheckRemoteDebuggerPresent, NtQueryInformationProcess), manual inspection of the Process Environment Block (PEB) BeingDebugged flag, querying /proc/self/status for TracerPID on Linux, enumerating foreground window titles for known debugger strings, abusing Structured Exception Handling (SEH) to detect suspended execution, and flooding debug channels via OutputDebugStringW loops. Known malware families employing these techniques include Lumma Stealer, AsyncRAT, PlugX, StealBit, and StrelaStealer. Detection focuses on process command-line artifacts exposing debug API references, suspicious process access events with debug-level rights, Linux /proc/self/status reads, and behavioral signals such as non-system processes with very short lifespans that terminate after potential environment checks.
MITRE ATT&CK
- Tactic
- Defense Evasion Discovery
- Technique
- T1622 Debugger Evasion
- Canonical reference
- https://attack.mitre.org/techniques/T1622/
Elastic Detection Query
process where process.name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe") and (process.command_line : ("*IsDebuggerPresent*", "*CheckRemoteDebuggerPresent*", "*NtQueryInformationProcess*", "*OutputDebugString*", "*DebugActiveProcess*") or process.command_line : ("*RDTSC*", "*GetTickCount*", "*QueryPerformanceCounter*") and process.command_line : ("*sleep*", "*delay*", "*timing*"))Elastic EQL translation of the T1622 detection logic. Detects processes exhibiting debugger evasion behaviors via command-line analysis. Covers Win32 API debug checks (IsDebuggerPresent, CheckRemoteDebugg
Data Sources
Required Tables
False Positives & Tuning
- Legitimate developer toolchains and IDEs (Visual Studio, VS Code, JetBrains Rider, CLion) that call debugger presence checks internally during build and test pipelines
- .NET and Java applications using Debugger.IsAttached or equivalent to conditionally emit verbose diagnostic logging in development builds deployed to test environments
- Game anti-cheat modules (Easy Anti-Cheat, BattlEye, Vanguard) that legitimately enumerate debugger and memory editor window titles to enforce fair play policies
- Commercial software protection wrappers (Themida, VMProtect, ENIGMA Protector) that check for analysis environments as part of legitimate copy protection enforcement
- Security testing frameworks and red team tools running in authorized engagements where analysts are intentionally testing these API call patterns
Other platforms for T1622
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Windows IsDebuggerPresent Check via PowerShell P/Invoke
Expected signal: Sysmon EventCode=1 with Image=powershell.exe and CommandLine containing 'IsDebuggerPresent' and 'DllImport'. Microsoft Defender for Endpoint DeviceProcessEvents entry with matching FileName and ProcessCommandLine fields.
- Test 2Windows NtQueryInformationProcess ProcessDebugPort Check via PowerShell
Expected signal: Sysmon EventCode=1 with Image=powershell.exe and CommandLine containing 'NtQueryInformationProcess'. Windows Security EventCode=4688 may fire with truncated command line depending on audit policy. DeviceProcessEvents entry in Defender with full ProcessCommandLine.
- Test 3Linux TracerPID Debugger Check via /proc/self/status
Expected signal: Linux auditd syscall record for openat/open with file path '/proc/self/status' (if auditd watches /proc), or Sysmon for Linux EventCode=1 with CommandLine containing '/proc/self/status' and 'TracerPid'. Available in Syslog or linux_secure Splunk sourcetype.
- Test 4Windows Debugger Window Enumeration via PowerShell (Lumma Stealer Pattern)
Expected signal: Sysmon EventCode=1 with Image=powershell.exe and CommandLine containing 'GetForegroundWindow' and debugger strings ('x32dbg', 'x64dbg', etc.). DeviceProcessEvents entry with matching ProcessCommandLine.
References (9)
- https://attack.mitre.org/techniques/T1622/
- https://github.com/processhacker/processhacker
- https://www.apriorit.com/dev-blog/784-anti-debugging-techniques-csharp
- https://github.com/LordNoteworthy/al-khaser
- https://www.cadosecurity.com/blog/p2pinfect-the-rusty-peer-to-peer-self-replicating-worm/
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat/
- https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike-of-cl0p/
- https://objective-see.org/blog/blog_0x59.html
- https://www.fortiguard.com/threat-signal-report/4703/strelastealer-infostealer-continues-targeting-european-countries
Unlock Pro Content
Get the full detection package for T1622 including response playbook, investigation guide, and atomic red team tests.