Potential Registry Persistence Attempt Via DbgManagedDebugger
Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. Which will get invoked when an application crashes
Sigma rule (View on GitHub)
1title: Potential Registry Persistence Attempt Via DbgManagedDebugger
2id: 9827ae57-3802-418f-994b-d5ecf5cd974b
3status: experimental
4description: Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. Which will get invoked when an application crashes
5references:
6 - https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
7 - https://github.com/last-byte/PersistenceSniper
8author: frack113
9date: 2022/08/07
10modified: 2023/08/17
11tags:
12 - attack.persistence
13 - attack.t1574
14logsource:
15 category: registry_set
16 product: windows
17detection:
18 selection:
19 TargetObject|endswith: '\Microsoft\.NETFramework\DbgManagedDebugger'
20 filter:
21 Details: '"C:\Windows\system32\vsjitdebugger.exe" PID %d APPDOM %d EXTEXT "%s" EVTHDL %d'
22 condition: selection and not filter
23falsepositives:
24 - Legitimate use of the key to setup a debugger. Which is often the case on developers machines
25level: medium
References
-
Last three articles about various startup/autostart methods covered a lot of different well- and less-known techniques for ‘staying alive’. Many of them are actively used by malware and ‘normal’ so...
Read More -
Powershell module that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. Official Twitter/X account @PersistSniper. Made w...
Read More
Related rules
- Files Dropped to Program Files by Non-Priviledged Process
- Suspicious Calc DLL Load
- Add Debugger Entry To AeDebug For Persistence
- Add Debugger Entry To Hangs Key For Persistence
- Bypass UAC Using Event Viewer