Add Debugger Entry To AeDebug For Persistence
Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence which will get invoked when an application crashes
Sigma rule (View on GitHub)
1title: Add Debugger Entry To AeDebug For Persistence
2id: 092af964-4233-4373-b4ba-d86ea2890288
3status: test
4description: Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence which will get invoked when an application crashes
5references:
6 - https://persistence-info.github.io/Data/aedebug.html
7 - https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2022-07-21
10modified: 2023-08-17
11tags:
12 - attack.persistence
13logsource:
14 category: registry_set
15 product: windows
16detection:
17 selection:
18 TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger'
19 Details|endswith: '.dll'
20 filter:
21 Details: '"C:\WINDOWS\system32\vsjitdebugger.exe" -p %ld -e %ld -j 0x%p'
22 condition: selection and not filter
23falsepositives:
24 - Legitimate use of the key to setup a debugger. Which is often the case on developers machines
25level: medium
References
-
Users can configure automatic debugging to help them determine why their system or an application has stopped responding.
Read More
Related rules
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain
- A Security-Enabled Global Group Was Deleted
- AWS ECS Task Definition That Queries The Credential Endpoint