Potential Registry Persistence Attempt Via DbgManagedDebugger

Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. Which will get invoked when an application crashes

Sigma rule (View on GitHub)

 1title: Potential Registry Persistence Attempt Via DbgManagedDebugger
 2id: 9827ae57-3802-418f-994b-d5ecf5cd974b
 3status: test
 4description: Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. Which will get invoked when an application crashes
 5references:
 6    - https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
 7    - https://github.com/last-byte/PersistenceSniper
 8author: frack113
 9date: 2022/08/07
10modified: 2023/08/17
11tags:
12    - attack.persistence
13    - attack.t1574
14logsource:
15    category: registry_set
16    product: windows
17detection:
18    selection:
19        TargetObject|endswith: '\Microsoft\.NETFramework\DbgManagedDebugger'
20    filter:
21        Details: '"C:\Windows\system32\vsjitdebugger.exe" PID %d APPDOM %d EXTEXT "%s" EVTHDL %d'
22    condition: selection and not filter
23falsepositives:
24    - Legitimate use of the key to setup a debugger. Which is often the case on developers machines
25level: medium

References

Related rules

to-top