Potential Registry Persistence Attempt Via DbgManagedDebugger
Detects a write to the DbgManagedDebugger value under the HKLM\SOFTWARE\Microsoft\.NETFramework key (the .NET Framework just-in-time debugger setting) as a persistence technique: the program registered there is launched by the .NET runtime when a managed application crashes, so an attacker who points it at their own binary gets it executed under the crashing process's context. Writes of the default vsjitdebugger.exe value are filtered out; because the match is a suffix on TargetObject, the WOW6432Node counterpart of the key is covered as well.
Sigma rule

title: Potential Registry Persistence Attempt Via DbgManagedDebugger
id: 9827ae57-3802-418f-994b-d5ecf5cd974b
status: experimental
description: Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. Which will get invoked when an application crashes
references:
    - https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
    - https://github.com/last-byte/PersistenceSniper
author: frack113
date: 2022/08/07
modified: 2023/08/17
tags:
    - attack.persistence
    - attack.t1574
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Microsoft\.NETFramework\DbgManagedDebugger'
    filter:
        Details: '"C:\Windows\system32\vsjitdebugger.exe" PID %d APPDOM %d EXTEXT "%s" EVTHDL %d'
    condition: selection and not filter
falsepositives:
    - Legitimate use of the key to setup a debugger. Which is often the case on developers machines
level: medium
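To see what the rule actually fires on, the following is an added example (written for this page, not code from the Sigma project or from the rule's author) that runs the rule's selection and filter logic over a handful of constructed Sysmon Event ID 13 (registry value set) records. It assumes events are dicts keyed by the Sysmon field names the rule uses (TargetObject, Details), that Sigma's string matching is case-insensitive with endswith as a plain suffix test, and that the registry_set log source maps to Sysmon Event ID 13; the process images, paths and the sample debugger path C:\Users\Public\updater.exe are invented for the demonstration.

```python
"""Added example: evaluate the DbgManagedDebugger Sigma rule over constructed
Sysmon registry events. Not part of the rule page or the Sigma project.

Assumptions: events are dicts with Sysmon field names; Sigma string matching is
case-insensitive; 'endswith' is a plain suffix test; category registry_set
corresponds to Sysmon EventID 13. Sample data below is constructed, not real.
"""

# Selection and filter strings copied from the rule.
SELECTION_SUFFIX = r"\Microsoft\.NETFramework\DbgManagedDebugger"
DEFAULT_VSJIT_DETAILS = (
    r'"C:\Windows\system32\vsjitdebugger.exe" PID %d APPDOM %d EXTEXT "%s" EVTHDL %d'
)


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies `selection and not filter`.

    Sigma compares strings case-insensitively unless a modifier says otherwise,
    so both the suffix test and the exact-value filter run on lower-cased text.
    """
    # registry_set only covers Sysmon "value set" events (EventID 13).
    if event.get("EventID") != 13:
        return False
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    selection = target.endswith(SELECTION_SUFFIX.lower())
    filtered = details == DEFAULT_VSJIT_DETAILS.lower()
    return selection and not filtered


def run_detection(events: list) -> list:
    """Return the events that would raise this rule, in input order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry); images and paths are made up.
SAMPLE_EVENTS = [
    {   # Visual Studio writing the default JIT debugger: selection hits, filter removes it.
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\.NETFramework\DbgManagedDebugger",
        "Details": DEFAULT_VSJIT_DETAILS,
    },
    {   # Same default value in different letter case: still filtered.
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\.NETFramework\dbgmanageddebugger",
        "Details": r'"C:\WINDOWS\System32\VSJITDebugger.exe" PID %d APPDOM %d EXTEXT "%s" EVTHDL %d',
    },
    {   # Attacker-controlled debugger path under the 64-bit key: alerts.
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\.NETFramework\DbgManagedDebugger",
        "Details": r'"C:\Users\Public\updater.exe" PID %d APPDOM %d EXTEXT "%s" EVTHDL %d',
    },
    {   # Same under the WOW6432Node (32-bit) view: the suffix match covers it too.
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\DbgManagedDebugger",
        "Details": r"C:\Users\Public\updater.exe",
    },
    {   # Sibling value that toggles JIT debugging: out of scope for this rule.
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\.NETFramework\DbgJITDebugLaunchSetting",
        "Details": "DWORD (0x00000002)",
    },
    {   # Value deleted rather than set (Sysmon EventID 12): not a registry_set event.
        "EventID": 12, "EventType": "DeleteValue",
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\.NETFramework\DbgManagedDebugger",
        "Details": "",
    },
]


def alerting_images(events: list = SAMPLE_EVENTS) -> list:
    """The Image field of each sample event that alerted."""
    return [e["Image"] for e in run_detection(events)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"ALERT {hit['Image']} -> {hit['TargetObject']} = {hit['Details']}")
```

Only the two writes that point the debugger somewhere other than the default vsjitdebugger.exe command line alert; the filter is an exact match, so a legitimate debugger registered with any other path (a non-default Visual Studio install, for instance) will also fire, which is the developer-machine false positive the rule lists. Note that the rule says nothing about the DbgJITDebugLaunchSetting value that governs whether the registered debugger is launched at all, so an investigation should read both values.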
Related rules
- Files Dropped to Program Files by Non-Priviledged Process
- Suspicious Calc DLL Load
- Add Debugger Entry To AeDebug For Persistence
- Add Debugger Entry To Hangs Key For Persistence
- Bypass UAC Using Event Viewer