Detect Debugger Evasion in Splunk
This detection identifies adversary attempts to detect and evade debuggers during malware execution. Adversaries employ techniques including Windows API calls (IsDebuggerPresent, CheckRemoteDebuggerPresent, NtQueryInformationProcess), manual inspection of the Process Environment Block (PEB) BeingDebugged flag, querying /proc/self/status for TracerPID on Linux, enumerating foreground window titles for known debugger strings, abusing Structured Exception Handling (SEH) to detect suspended execution, and flooding debug channels via OutputDebugStringW loops. Known malware families employing these techniques include Lumma Stealer, AsyncRAT, PlugX, StealBit, and StrelaStealer. Detection focuses on process command-line artifacts exposing debug API references, suspicious process access events with debug-level rights, Linux /proc/self/status reads, and behavioral signals such as non-system processes with very short lifespans that terminate after potential environment checks.
MITRE ATT&CK
- Tactic
- Defense Evasion, Discovery
- Technique
- T1622 Debugger Evasion
- Canonical reference
- https://attack.mitre.org/techniques/T1622/
SPL Detection Query
index=windows (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
| eval EventCode=coalesce(EventCode, event_id)
| search (EventCode=1 OR EventCode=4688)
| eval process_image=coalesce(Image, NewProcessName)
| eval cmdline=coalesce(CommandLine, ProcessCommandLine)
| eval parent_image=coalesce(ParentImage, ParentProcessName)
| where NOT match(process_image, "(?i)(devenv\.exe|code\.exe|msbuild\.exe|dotnet\.exe|vstest\.console\.exe|testhost\.exe|WerFault\.exe|rider64\.exe)")
| eval debugger_api_hit=if(match(cmdline, "(?i)(IsDebuggerPresent|CheckRemoteDebuggerPresent|NtQueryInformationProcess|BeingDebugged|OutputDebugStringW|OutputDebugStringA|DebugActiveProcess)"), 1, 0)
| eval debugger_window_hit=if(match(cmdline, "(?i)(x32dbg|x64dbg|windbg|ollydbg|dnspy|cheatengine|processhacker|immunity debugger)"), 1, 0)
| eval proc_status_hit=if(match(cmdline, "(?i)(/proc/self/status|TracerPID)"), 1, 0)
| eval dotnet_debug_hit=if(match(cmdline, "(?i)(Debugger\.IsAttached|Debugger\.Launch|\[System\.Diagnostics\.Debugger\])"), 1, 0)
| eval evasion_score=case(
debugger_api_hit=1 AND match(cmdline, "(?i)(NtQueryInformationProcess|BeingDebugged)"), 90,
debugger_api_hit=1, 80,
dotnet_debug_hit=1, 75,
debugger_window_hit=1, 70,
proc_status_hit=1, 65,
true(), 0
)
| where evasion_score > 0
| eval evasion_type=case(
match(cmdline, "(?i)(NtQueryInformationProcess|BeingDebugged)"), "Native API Debug Check",
debugger_api_hit=1, "Win32 Debugger API Check",
dotnet_debug_hit=1, ".NET Debugger Detection",
debugger_window_hit=1, "Debugger Window Enumeration",
proc_status_hit=1, "Linux /proc TracerPID Check",
true(), "Unknown"
)
| eval hostname=coalesce(Computer, host)
| table _time hostname process_image cmdline parent_image evasion_type evasion_score EventCode
| sort - evasion_score _time

Detects debugger evasion attempts by analyzing Sysmon EventCode=1 (process creation) and Windows Security EventCode=4688 command-line fields. Scores each event by evasion technique specificity across five categories: native API debug checks (NtQueryInformationProcess/BeingDebugged), Win32 API debug checks (IsDebuggerPresent/CheckRemoteDebuggerPresent), .NET Debugger class detection, debugger window enumeration, and Linux /proc/self/status TracerPID reads.
False Positives & Tuning
- Developer IDE toolchains (Visual Studio, Rider, CLion) and associated build runners that invoke debugger presence checks as part of compilation or unit test execution pipelines
- Game anti-cheat modules (EAC, BattlEye, Vanguard) that enumerate known debugger and memory editing tool window titles to enforce anti-cheat policies
- Commercial software protection products (Themida, ENIGMA Protector) wrapping legitimately licensed applications with anti-analysis routines
- Authorized red team operations and penetration testing engagements where analysts are intentionally simulating malware debugger evasion behavior
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Windows IsDebuggerPresent Check via PowerShell P/Invoke
Expected signal: Sysmon EventCode=1 with Image=powershell.exe and CommandLine containing 'IsDebuggerPresent' and 'DllImport'. Microsoft Defender for Endpoint DeviceProcessEvents entry with matching FileName and ProcessCommandLine fields.
- Test 2: Windows NtQueryInformationProcess ProcessDebugPort Check via PowerShell
Expected signal: Sysmon EventCode=1 with Image=powershell.exe and CommandLine containing 'NtQueryInformationProcess'. Windows Security EventCode=4688 may fire with truncated command line depending on audit policy. DeviceProcessEvents entry in Defender with full ProcessCommandLine.
- Test 3: Linux TracerPID Debugger Check via /proc/self/status
Expected signal: Linux auditd syscall record for openat/open with file path '/proc/self/status' (if auditd watches /proc), or Sysmon for Linux EventCode=1 with CommandLine containing '/proc/self/status' and 'TracerPid'. Available in Syslog or linux_secure Splunk sourcetype.
- Test 4: Windows Debugger Window Enumeration via PowerShell (Lumma Stealer Pattern)
Expected signal: Sysmon EventCode=1 with Image=powershell.exe and CommandLine containing 'GetForegroundWindow' and debugger strings ('x32dbg', 'x64dbg', etc.). DeviceProcessEvents entry with matching ProcessCommandLine.
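To check the scoring and classification logic of the SPL query above outside Splunk, and to see what each of the four Atomic tests should produce, here is an added Python re-implementation of the query's regexes, image exclusion and case() ordering (this is not part of the original detection package; the sample events are constructed stand-ins for Sysmon/4688 telemetry, not real captures):

```python
import re

# Regexes copied from the SPL evals; the IDE/test-runner exclusion is applied first, as in the query.
IDE_EXCLUDE = re.compile(r"(devenv\.exe|code\.exe|msbuild\.exe|dotnet\.exe|vstest\.console\.exe|testhost\.exe|WerFault\.exe|rider64\.exe)", re.I)
NATIVE_API = re.compile(r"(NtQueryInformationProcess|BeingDebugged)", re.I)
WIN32_API = re.compile(r"(IsDebuggerPresent|CheckRemoteDebuggerPresent|NtQueryInformationProcess|BeingDebugged|OutputDebugStringW|OutputDebugStringA|DebugActiveProcess)", re.I)
DOTNET_DEBUG = re.compile(r"(Debugger\.IsAttached|Debugger\.Launch|\[System\.Diagnostics\.Debugger\])", re.I)
DEBUGGER_WINDOW = re.compile(r"(x32dbg|x64dbg|windbg|ollydbg|dnspy|cheatengine|processhacker|immunity debugger)", re.I)
PROC_STATUS = re.compile(r"(/proc/self/status|TracerPID)", re.I)

def score_event(event):
    """Return (evasion_type, evasion_score) for one process-creation event.
    Fields are coalesced like the SPL (Sysmon name first, then 4688 name) and
    the branches are tried in the same order as the case() statements."""
    image = event.get("Image") or event.get("NewProcessName") or ""
    cmdline = event.get("CommandLine") or event.get("ProcessCommandLine") or ""
    if IDE_EXCLUDE.search(image):
        return ("Excluded", 0)          # dropped by the 'where NOT match(process_image ...)' stage
    if WIN32_API.search(cmdline) and NATIVE_API.search(cmdline):
        return ("Native API Debug Check", 90)
    if WIN32_API.search(cmdline):
        return ("Win32 Debugger API Check", 80)
    if DOTNET_DEBUG.search(cmdline):
        return (".NET Debugger Detection", 75)
    if DEBUGGER_WINDOW.search(cmdline):
        return ("Debugger Window Enumeration", 70)
    if PROC_STATUS.search(cmdline):
        return ("Linux /proc TracerPID Check", 65)
    return ("Unknown", 0)

def run_detection(events):
    """Score a batch of events, keep only evasion_score > 0, and order them
    like '| sort - evasion_score _time' (score descending, time ascending)."""
    hits = []
    for ev in events:
        etype, score = score_event(ev)
        if score > 0:
            hits.append({"_time": ev["_time"], "evasion_type": etype, "evasion_score": score,
                         "cmdline": ev.get("CommandLine") or ev.get("ProcessCommandLine")})
    hits.sort(key=lambda h: (-h["evasion_score"], h["_time"]))
    return hits

# Constructed sample events (not real telemetry): one per Atomic test above plus an IDE exclusion case.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"_time": 1, "Image": PS, "CommandLine": "powershell -c DllImport kernel32 IsDebuggerPresent"},
    {"_time": 2, "Image": PS, "CommandLine": "powershell -c NtQueryInformationProcess ProcessDebugPort"},
    {"_time": 3, "Image": "/usr/bin/bash", "CommandLine": "bash -c 'grep TracerPid /proc/self/status'"},
    {"_time": 4, "Image": PS, "CommandLine": "powershell -c GetForegroundWindow x64dbg windbg"},
    {"_time": 5, "NewProcessName": "C:\\Program Files\\Microsoft Visual Studio\\devenv.exe",
     "ProcessCommandLine": "devenv.exe IsDebuggerPresent"},
]
```

Running `run_detection(SAMPLE_EVENTS)` should yield four hits ordered 90, 80, 70, 65; any divergence from what Splunk returns for the same command lines points to a regex or field-name mismatch in the deployed query.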