
T1622 Debugger Evasion

Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.[5]

Debugger evasion may include changing behaviors based on the results of checks for artifacts indicative of a debugged environment. As with Virtualization/Sandbox Evasion, if the adversary detects a debugger, the malware may disengage from the victim or conceal the implant's core functions. It may also check for debugger artifacts before dropping secondary or additional payloads.

Specific checks vary by target and adversary, but may involve API calls such as IsDebuggerPresent() (which reads the BeingDebugged flag of the Process Environment Block, or PEB) and NtQueryInformationProcess() (for example with the ProcessDebugPort information class), or reading the PEB BeingDebugged flag directly. Other checks may enumerate hardware breakpoints in the debug registers, scan for interrupt opcodes (e.g. INT 3, 0xCC) patched into code, measure execution timing, or deliberately raise an exception and observe whether the process's own handler runs, on the assumption that an attached debugger would "swallow" or handle the error first.[2][3][6]

Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching from the process, or by flooding debug output with meaningless data, for example by looping calls such as OutputDebugStringW().[4][1]

ID: T1622
Sub-techniques: No sub-techniques
Tactics: Defense Evasion (TA0005), Discovery (TA0007)
Platforms: Linux, Windows, macOS
Version: 1.0
Created: 01 April 2022
Last Modified: 16 April 2022

Procedure Examples

S1070 Black Basta: The Black Basta dropper can check system flags, CPU registers, CPU instructions, process timing, system libraries, and APIs to determine if a debugger is present.[7]
S1039 Bumblebee: Bumblebee can search for tools used in static analysis.[14]
S1066 DarkTortilla: DarkTortilla can detect debuggers by using functions such as DebuggerIsAttached and DebuggerIsLogging. DarkTortilla can also detect profilers by verifying that the COR_ENABLE_PROFILING environment variable is present and active.[15]
S0694 DRATzarus: DRATzarus can use IsDebuggerPresent to detect whether a debugger is present on a victim.[8]
S1060 Mafalda: Mafalda can search for debugging tools on a compromised host.[13]
C0022 Operation Dream Job: During Operation Dream Job, Lazarus Group used tools that used the IsDebuggerPresent call to detect debuggers.[8]
S0240 ROKRAT: ROKRAT can check for debugging tools.[10][11][9]
S1018 Saint Bot: Saint Bot has used is_debugger_present as part of its environmental checks.[12]
S0595 ThiefQuest: ThiefQuest uses a function named is_debugging to perform anti-debugging logic. The function invokes sysctl and checks the returned process flags for P_TRACED. ThiefQuest also calls ptrace with the PT_DENY_ATTACH request to prevent a debugger from attaching.[4]

Detection

DS0015 Application Log: Application Log Content
DS0017 Command: Command Execution
DS0009 Process: OS API Execution

References

1. Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021.
2. hasherezade. (2021, June 30). Module 3 - Understanding and countering malware's evasion and self-defence. Retrieved April 1, 2022.
3. Noteworthy. (2019, January 6). Al-Khaser. Retrieved April 1, 2022.
4. Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021.
5. ProcessHacker. (2009, October 27). Process Hacker. Retrieved April 11, 2022.
6. vxunderground. (2021, June 30). VX-API. Retrieved April 1, 2022.
7. Check Point. (2022, October 20). BLACK BASTA AND THE UNNOTICED DELIVERY. Retrieved March 8, 2023.
8. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
9. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
10. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
11. Pantazopoulos, N. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.
12. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
13. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
14. Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022.
15. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.