T1622 Microsoft Sentinel · KQL

Detect Debugger Evasion in Microsoft Sentinel

This detection identifies adversary attempts to detect and evade debuggers during malware execution. Adversaries employ techniques including Windows API calls (IsDebuggerPresent, CheckRemoteDebuggerPresent, NtQueryInformationProcess), manual inspection of the Process Environment Block (PEB) BeingDebugged flag, querying /proc/self/status for TracerPID on Linux, enumerating foreground window titles for known debugger strings, abusing Structured Exception Handling (SEH) to detect suspended execution, and flooding debug channels via OutputDebugStringW loops. Known malware families employing these techniques include Lumma Stealer, AsyncRAT, PlugX, StealBit, and StrelaStealer. Detection focuses on process command-line artifacts exposing debug API references, suspicious process access events with debug-level rights, Linux /proc/self/status reads, and behavioral signals such as non-system processes with very short lifespans that terminate after potential environment checks.

MITRE ATT&CK

Tactic
Defense Evasion Discovery
Technique
T1622 Debugger Evasion
Canonical reference
https://attack.mitre.org/techniques/T1622/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let DebuggerWindowNames = dynamic(["x32dbg", "x64dbg", "windbg", "ollydbg", "dnspy", "immunity", "cheatengine", "processhacker", "x64_dbg"]);
let DebugApiTerms = dynamic(["IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess", "BeingDebugged", "DebugActiveProcess", "OutputDebugStringW", "OutputDebugStringA"]);
let LegitParents = dynamic(["devenv.exe", "code.exe", "msbuild.exe", "dotnet.exe", "vstest.console.exe", "testhost.exe", "WerFault.exe", "rider64.exe", "clion64.exe"]);
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where FileName !in~ (LegitParents)
| where InitiatingProcessFileName !in~ (LegitParents)
| where (
    // Direct debugger API references in command line (scripted, injected, or reflective loading)
    ProcessCommandLine has_any (DebugApiTerms)
    or
    // Debugger window name enumeration — Lumma Stealer / AsyncRAT pattern
    (ProcessCommandLine has_any (DebuggerWindowNames) and ProcessCommandLine !contains "install" and FileName !in~ (DebuggerWindowNames))
    or
    // Linux /proc/self/status read for TracerPID field
    (ProcessCommandLine has "/proc/self/status" and ProcessCommandLine has_any ("TracerPID", "cat ", "grep ", "awk ", "read "))
    or
    // .NET managed code debugger detection via PowerShell reflection
    (ProcessCommandLine has_any ("Debugger.IsAttached", "Debugger.Launch", "[System.Diagnostics.Debugger]") and FileName in~ ("powershell.exe", "pwsh.exe"))
)
| extend RiskScore = case(
    ProcessCommandLine has_any ("NtQueryInformationProcess", "BeingDebugged"), 90,
    ProcessCommandLine has_any ("IsDebuggerPresent", "CheckRemoteDebuggerPresent"), 80,
    ProcessCommandLine has_any ("Debugger.IsAttached", "Debugger.Launch"), 75,
    ProcessCommandLine has_any (DebuggerWindowNames), 70,
    ProcessCommandLine has "/proc/self/status", 65,
    60
)
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath,
         SHA256, ProcessId, InitiatingProcessId, RiskScore
| order by RiskScore desc, TimeGenerated desc
high severity medium confidence

Detects processes exhibiting debugger evasion behaviors via command-line analysis. Covers Win32 API debug checks (IsDebuggerPresent, CheckRemoteDebuggerPresent, NtQueryInformationProcess), debugger window name enumeration matching Lumma Stealer and AsyncRAT patterns, Linux /proc/self/status TracerPID reads, and .NET Debugger class usage via PowerShell reflection. A risk score is assigned by evasion method specificity.

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Legitimate developer toolchains and IDEs (Visual Studio, VS Code, JetBrains Rider, CLion) that call debugger presence checks internally during build and test pipelines
  • .NET and Java applications using Debugger.IsAttached or equivalent to conditionally emit verbose diagnostic logging in development builds deployed to test environments
  • Game anti-cheat modules (Easy Anti-Cheat, BattlEye, Vanguard) that legitimately enumerate debugger and memory editor window titles to enforce fair play policies
  • Commercial software protection wrappers (Themida, VMProtect, ENIGMA Protector) that check for analysis environments as part of legitimate copy protection enforcement
  • Security testing frameworks and red team tools running in authorized engagements where analysts are intentionally testing these API call patterns
Download portable Sigma rule (.yml)

Other platforms for T1622

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Windows IsDebuggerPresent Check via PowerShell P/Invoke

    Expected signal: Sysmon EventCode=1 with Image=powershell.exe and CommandLine containing 'IsDebuggerPresent' and 'DllImport'. Microsoft Defender for Endpoint DeviceProcessEvents entry with matching FileName and ProcessCommandLine fields.

  2. Test 2Windows NtQueryInformationProcess ProcessDebugPort Check via PowerShell

    Expected signal: Sysmon EventCode=1 with Image=powershell.exe and CommandLine containing 'NtQueryInformationProcess'. Windows Security EventCode=4688 may fire with truncated command line depending on audit policy. DeviceProcessEvents entry in Defender with full ProcessCommandLine.

  3. Test 3Linux TracerPID Debugger Check via /proc/self/status

    Expected signal: Linux auditd syscall record for openat/open with file path '/proc/self/status' (if auditd watches /proc), or Sysmon for Linux EventCode=1 with CommandLine containing '/proc/self/status' and 'TracerPid'. Available in Syslog or linux_secure Splunk sourcetype.

  4. Test 4Windows Debugger Window Enumeration via PowerShell (Lumma Stealer Pattern)

    Expected signal: Sysmon EventCode=1 with Image=powershell.exe and CommandLine containing 'GetForegroundWindow' and debugger strings ('x32dbg', 'x64dbg', etc.). DeviceProcessEvents entry with matching ProcessCommandLine.

Last updated: 2026-03-20 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1622 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1497Virtualization/Sandbox EvasionT1106Native APIT1027.009Embedded PayloadsT1055.011Extra Window Memory InjectionT1083File and Directory Discovery

Same Tactic: Defense Evasion

Popular Detections