Potential Registry Persistence Attempt Via DbgManagedDebugger
Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. The program registered there is invoked as the JIT debugger when a managed (.NET) application crashes.
Sigma rule (View on GitHub)
```yaml
title: Potential Registry Persistence Attempt Via DbgManagedDebugger
id: 9827ae57-3802-418f-994b-d5ecf5cd974b
status: test
description: Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. The program registered there is invoked as the JIT debugger when a managed (.NET) application crashes.
references:
    - https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
    - https://github.com/last-byte/PersistenceSniper
author: frack113
date: 2022-08-07
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.persistence
    - attack.t1574
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Microsoft\.NETFramework\DbgManagedDebugger'
    filter:
        Details: '"C:\Windows\system32\vsjitdebugger.exe" PID %d APPDOM %d EXTEXT "%s" EVTHDL %d'
    condition: selection and not filter
falsepositives:
    - Legitimate use of the key to set up a debugger, which is often the case on developer machines
level: medium
```
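To show how the rule's selection, filter and condition combine, here is an added example (not code from the Sigma project) that evaluates the same logic over a few constructed registry_set events in Sysmon-style field names; it also includes the Wow6432Node path of the key, which the endswith match covers as well.

```python
# Added example, not part of the Sigma project: a minimal evaluator for this
# rule's selection/filter/condition over constructed registry_set events.
from typing import Dict, List

SUFFIX = r"\Microsoft\.NETFramework\DbgManagedDebugger"
BENIGN_DEBUGGER = r'"C:\Windows\system32\vsjitdebugger.exe" PID %d APPDOM %d EXTEXT "%s" EVTHDL %d'


def selection(event: Dict[str, str]) -> bool:
    # TargetObject|endswith: Sigma string matching is case-insensitive by default
    return event.get("TargetObject", "").lower().endswith(SUFFIX.lower())


def filter_benign(event: Dict[str, str]) -> bool:
    # filter: the exact value Visual Studio writes when it registers as JIT debugger
    return event.get("Details", "").lower() == BENIGN_DEBUGGER.lower()


def matches(event: Dict[str, str]) -> bool:
    # condition: selection and not filter
    return selection(event) and not filter_benign(event)


# Constructed sample events (not real telemetry) using Sysmon-style field names.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # Visual Studio registering its own JIT debugger: suppressed by the filter
        "Image": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\.NETFramework\DbgManagedDebugger",
        "Details": BENIGN_DEBUGGER},
    {   # Unknown binary registered as the managed debugger: alert
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\.NETFramework\DbgManagedDebugger",
        "Details": r"C:\Users\Public\updater.exe"},
    {   # Same key under Wow6432Node: endswith still matches, so it alerts too
        "Image": r"C:\Windows\SysWOW64\reg.exe",
        "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger",
        "Details": r"C:\Users\Public\updater.exe"},
    {   # A different .NETFramework value: not selected at all
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\.NETFramework\DbgJITDebugLaunchSetting",
        "Details": "DWORD (0x00000010)"},
]


def alerting_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [e for e in events if matches(e)]


if __name__ == "__main__":
    for hit in alerting_events(SAMPLE_EVENTS):
        print(f"ALERT {hit['Image']} -> {hit['TargetObject']} = {hit['Details']}")
```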
Related rules
- DLL Execution Via Register-cimprovider.exe
- Exploiting SetupComplete.cmd CVE-2019-1378
- Potential Initial Access via DLL Search Order Hijacking
- Regsvr32 DLL Execution With Uncommon Extension
- Suspicious Printer Driver Empty Manufacturer