Detection rules › Sigma
Potential Registry Persistence Attempt Via DbgManagedDebugger
Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. Which will get invoked when an application crashes
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1574 Hijack Execution Flow |
| Privilege Escalation | T1574 Hijack Execution Flow |
| Defense Evasion | T1574 Hijack Execution Flow |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 13 | RegistryEvent (Value Set) |
Stages and Predicates
Stage 1: selection
TargetObject|endswith: '\Microsoft\.NETFramework\DbgManagedDebugger'
Stage 2: not filter
Details: '"C:\Windows\system32\vsjitdebugger.exe" PID %d APPDOM %d EXTEXT "%s" EVTHDL %d'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Details | eq |
|
TargetObject | ends_with |
|