T1622 Sumo Logic CSE · Sumo

Detect Debugger Evasion in Sumo Logic CSE

This detection identifies adversary attempts to detect and evade debuggers during malware execution. Adversaries employ techniques including Windows API calls (IsDebuggerPresent, CheckRemoteDebuggerPresent, NtQueryInformationProcess), manual inspection of the Process Environment Block (PEB) BeingDebugged flag, querying /proc/self/status for TracerPID on Linux, enumerating foreground window titles for known debugger strings, abusing Structured Exception Handling (SEH) to detect suspended execution, and flooding debug channels via OutputDebugStringW loops. Known malware families employing these techniques include Lumma Stealer, AsyncRAT, PlugX, StealBit, and StrelaStealer. Detection focuses on process command-line artifacts exposing debug API references, suspicious process access events with debug-level rights, Linux /proc/self/status reads, and behavioral signals such as non-system processes with very short lifespans that terminate after potential environment checks.

MITRE ATT&CK

Tactic
Defense Evasion Discovery
Technique
T1622 Debugger Evasion
Canonical reference
https://attack.mitre.org/techniques/T1622/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=endpoint/windows | json auto | where command_line matches "*IsDebuggerPresent*" or command_line matches "*CheckRemoteDebuggerPresent*" or command_line matches "*NtQueryInformationProcess*" or command_line matches "*OutputDebugString*" | if(matches(command_line, "*NtQueryInformationProcess*ProcessDebugPort*"), "High", if(matches(command_line, "*IsDebuggerPresent*") or matches(command_line, "*CheckRemoteDebuggerPresent*"), "High", "Medium")) as RiskLevel | stats count by user_name, process_name, host_name, RiskLevel | sort by count desc
high severity medium confidence

Sumo Logic query for T1622 detection using source category filters and aggregation. Detects processes exhibiting debugger evasion behaviors via command-line analysis. Covers Win32 API

Data Sources

Windows Endpoint Events

Required Tables

endpoint/windows

False Positives & Tuning

  • Legitimate developer toolchains and IDEs (Visual Studio, VS Code, JetBrains Rider, CLion) that call debugger presence checks internally during build and test pipelines
  • .NET and Java applications using Debugger.IsAttached or equivalent to conditionally emit verbose diagnostic logging in development builds deployed to test environments
  • Game anti-cheat modules (Easy Anti-Cheat, BattlEye, Vanguard) that legitimately enumerate debugger and memory editor window titles to enforce fair play policies
  • Commercial software protection wrappers (Themida, VMProtect, ENIGMA Protector) that check for analysis environments as part of legitimate copy protection enforcement
  • Security testing frameworks and red team tools running in authorized engagements where analysts are intentionally testing these API call patterns
Download portable Sigma rule (.yml)

Other platforms for T1622

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Windows IsDebuggerPresent Check via PowerShell P/Invoke

    Expected signal: Sysmon EventCode=1 with Image=powershell.exe and CommandLine containing 'IsDebuggerPresent' and 'DllImport'. Microsoft Defender for Endpoint DeviceProcessEvents entry with matching FileName and ProcessCommandLine fields.

  2. Test 2Windows NtQueryInformationProcess ProcessDebugPort Check via PowerShell

    Expected signal: Sysmon EventCode=1 with Image=powershell.exe and CommandLine containing 'NtQueryInformationProcess'. Windows Security EventCode=4688 may fire with truncated command line depending on audit policy. DeviceProcessEvents entry in Defender with full ProcessCommandLine.

  3. Test 3Linux TracerPID Debugger Check via /proc/self/status

    Expected signal: Linux auditd syscall record for openat/open with file path '/proc/self/status' (if auditd watches /proc), or Sysmon for Linux EventCode=1 with CommandLine containing '/proc/self/status' and 'TracerPid'. Available in Syslog or linux_secure Splunk sourcetype.

  4. Test 4Windows Debugger Window Enumeration via PowerShell (Lumma Stealer Pattern)

    Expected signal: Sysmon EventCode=1 with Image=powershell.exe and CommandLine containing 'GetForegroundWindow' and debugger strings ('x32dbg', 'x64dbg', etc.). DeviceProcessEvents entry with matching ProcessCommandLine.

Last updated: 2026-03-20 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1622 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1497Virtualization/Sandbox EvasionT1106Native APIT1027.009Embedded PayloadsT1055.011Extra Window Memory InjectionT1083File and Directory Discovery

Same Tactic: Defense Evasion

Popular Detections