Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.[1]
Debugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to Virtualization/Sandbox Evasion, if the adversary detects a debugger, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for debugger artifacts before dropping secondary or additional payloads.
Specific checks will vary based on the target and/or adversary. On Windows, this may involve Native API function calls such as IsDebuggerPresent()
and NtQueryInformationProcess()
, or manually checking the BeingDebugged
flag of the Process Environment Block (PEB). On Linux, this may involve querying /proc/self/status
for the TracerPID
field, which indicates whether or not the process is being traced by dynamic analysis tools.[2][3] Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would "swallow" or handle the potential error).[4][5][6]
Malware may also leverage Structured Exception Handling (SEH) to detect debuggers by throwing an exception and detecting whether the process is suspended. SEH handles both hardware and software expectations, providing control over the exceptions including support for debugging. If a debugger is present, the program’s control will be transferred to the debugger, and the execution of the code will be suspended. If the debugger is not present, control will be transferred to the SEH handler, which will automatically handle the exception and allow the program’s execution to continue.[7]
Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping Native API function calls such as OutputDebugStringW()
.[8][9]
ID | Name | Description |
---|---|---|
S1087 | AsyncRAT |
AsyncRAT can use the |
S1070 | Black Basta |
The Black Basta dropper can check system flags, CPU registers, CPU instructions, process timing, system libraries, and APIs to determine if a debugger is present.[11] |
S1039 | Bumblebee | |
S1111 | DarkGate |
DarkGate checks the |
S1066 | DarkTortilla |
DarkTortilla can detect debuggers by using functions such as |
S0694 | DRATzarus |
DRATzarus can use |
S1160 | Latrodectus |
Latrodectus has the ability to check for the presence of debuggers.[16] |
S1202 | LockBit 3.0 |
LockBit 3.0 can check heap memory parameters for indications of a debugger and stop the flow of events to the attached debugger in order to hinder dynamic analysis.[17] |
S1213 | Lumma Stealer |
Lumma Stealer has checked for debugger strings by invoking |
S1060 | Mafalda |
Mafalda can search for debugging tools on a compromised host.[19] |
C0022 | Operation Dream Job |
During Operation Dream Job, Lazarus Group used tools that used the |
S1145 | Pikabot |
Pikabot features several methods to evade debugging by analysts, including checks for active debuggers, the use of breakpoints during execution, and checking various system information items such as system memory and the number of processors.[20][21][22] |
S1130 | Raspberry Robin |
Raspberry Robin leverages anti-debugging mechanisms through the use of |
S0240 | ROKRAT | |
S1018 | Saint Bot |
Saint Bot has used |
S1200 | StealBit |
StealBit can detect it is being run in the context of a debugger.[28] |
S1183 | StrelaStealer |
StrelaStealer variants include functionality to identify and evade debuggers.[29] |
S0595 | ThiefQuest |
ThiefQuest uses a function named |
S1207 | XLoader |
XLoader uses anti-debugging mechanisms such as calling |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0015 | Application Log | Application Log Content |
Monitor debugger logs for signs of abnormal and potentially malicious activity. |
DS0017 | Command | Command Execution |
Monitor executed commands and arguments that may employ various means to detect and avoid debugged environments. Detecting actions related to debugger identification may be difficult depending on the adversary's implementation and monitoring required. |
DS0009 | Process | OS API Execution |
Monitor for API calls (such as |
Process Creation |
Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. Debugger related system checks will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. |