Potential Registry Persistence Attempt Via DbgManagedDebugger

Apr 28, 2026 · attack.privilege-escalation attack.persistence attack.execution attack.stealth attack.t1574 ·

Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. Which will get invoked when an application crashes

Sigma rule (View on GitHub)

 1title: Potential Registry Persistence Attempt Via DbgManagedDebugger
 2id: 9827ae57-3802-418f-994b-d5ecf5cd974b
 3status: test
 4description: Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. Which will get invoked when an application crashes
 5references:
 6    - https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
 7    - https://github.com/last-byte/PersistenceSniper
 8author: frack113
 9date: 2022-08-07
10modified: 2023-08-17
11tags:
12    - attack.privilege-escalation
13    - attack.persistence
14    - attack.execution
15    - attack.stealth
16    - attack.t1574
17logsource:
18    category: registry_set
19    product: windows
20detection:
21    selection:
22        TargetObject|endswith: '\Microsoft\.NETFramework\DbgManagedDebugger'
23    filter:
24        Details: '"C:\Windows\system32\vsjitdebugger.exe" PID %d APPDOM %d EXTEXT "%s" EVTHDL %d'
25    condition: selection and not filter
26falsepositives:
27    - Legitimate use of the key to setup a debugger. Which is often the case on developers machines
28level: medium

Potential Registry Persistence Attempt Via DbgManagedDebugger

Sigma rule (View on GitHub)

References

https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/

https://github.com/last-byte/PersistenceSniper

Related rules