T1622 Debugger Evasion Mappings

Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.(Citation: ProcessHacker Github)

Debugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to Virtualization/Sandbox Evasion, if the adversary detects a debugger, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for debugger artifacts before dropping secondary or additional payloads.

Specific checks will vary based on the target and/or adversary, but may involve Native API function calls such as <code>IsDebuggerPresent()</code> and <code> NtQueryInformationProcess()</code>, or manually checking the <code>BeingDebugged</code> flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)

Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping Native API function calls such as <code>OutputDebugStringW()</code>.(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-03 Access Enforcement Protects T1622 Debugger Evasion
AC-04 Information Flow Enforcement Protects T1622 Debugger Evasion
CA-07 Continuous Monitoring Protects T1622 Debugger Evasion
CM-02 Baseline Configuration Protects T1622 Debugger Evasion
CM-06 Configuration Settings Protects T1622 Debugger Evasion
CM-07 Least Functionality Protects T1622 Debugger Evasion
CM-08 System Component Inventory Protects T1622 Debugger Evasion
SC-23 Session Authenticity Protects T1622 Debugger Evasion
SC-46 Cross Domain Policy Enforcement Protects T1622 Debugger Evasion
SC-07 Boundary Protection Protects T1622 Debugger Evasion
SC-08 Transmission Confidentiality and Integrity Protects T1622 Debugger Evasion
SI-10 Information Input Validation Protects T1622 Debugger Evasion
SI-15 Information Output Filtering Protects T1622 Debugger Evasion
SI-03 Malicious Code Protection Protects T1622 Debugger Evasion
SI-04 System Monitoring Protects T1622 Debugger Evasion