Legitimate use of the key to set up a debugger, which is often the case on developer machines

Techniques

Sample rules

Add Debugger Entry To AeDebug For Persistence

Description

Detects when an attacker adds a new “Debugger” value to the “AeDebug” key in order to achieve persistence; the registered debugger is invoked whenever an application crashes

Detection logic

condition: selection and not filter
filter:
  Details: '"C:\WINDOWS\system32\vsjitdebugger.exe" -p %ld -e %ld -j 0x%p'
selection:
  Details|endswith: .dll
  TargetObject|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger

Potential Registry Persistence Attempt Via DbgManagedDebugger

Description

Detects the addition of the “Debugger” value to the “DbgManagedDebugger” key in order to achieve persistence; the registered debugger is invoked whenever an application crashes

Detection logic

condition: selection and not filter
filter:
  Details: '"C:\Windows\system32\vsjitdebugger.exe" PID %d APPDOM %d EXTEXT "%s" EVTHDL %d'
selection:
  TargetObject|endswith: \Microsoft\.NETFramework\DbgManagedDebugger
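To see why a developer machine trips these rules, here is an added Python example (not code from the LoFP project or from the Sigma rule authors) that evaluates both detection blocks above over constructed Sysmon registry events; the registry paths, debugger paths and sample values are assumptions, and Sigma's default case-insensitive matching is reproduced for the modifiers the rules use.

```python
# Rules transcribed from the two detection-logic blocks on this page.
RULES = {
    "Add Debugger Entry To AeDebug For Persistence": {
        "selection": {"Details|endswith": ".dll",
                      "TargetObject|contains": r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger"},
        "filter": {"Details": r'"C:\WINDOWS\system32\vsjitdebugger.exe" -p %ld -e %ld -j 0x%p'},
    },
    "Potential Registry Persistence Attempt Via DbgManagedDebugger": {
        "selection": {"TargetObject|endswith": r"\Microsoft\.NETFramework\DbgManagedDebugger"},
        "filter": {"Details": r'"C:\Windows\system32\vsjitdebugger.exe" PID %d APPDOM %d EXTEXT "%s" EVTHDL %d'},
    },
}

def _field_matches(event, key, expected):
    """Sigma-style matching: case-insensitive; supports the |contains / |endswith
    modifiers used above, a bare field name means exact match."""
    field, _, modifier = key.partition("|")
    value, expected = str(event.get(field, "")).lower(), expected.lower()
    if modifier == "contains":
        return expected in value
    if modifier == "endswith":
        return value.endswith(expected)
    return value == expected

def evaluate(event):
    """Return the names of the rules whose 'selection and not filter' holds for the event.
    Fields inside one selection/filter block are AND-ed together, as in Sigma."""
    hits = []
    for name, rule in RULES.items():
        block = lambda b: all(_field_matches(event, k, v) for k, v in b.items())
        if block(rule["selection"]) and not block(rule["filter"]):
            hits.append(name)
    return hits

# Constructed Sysmon Event ID 13 (registry SetValue) samples; paths are hypothetical.
AEDEBUG = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger"
MANAGED = r"HKLM\SOFTWARE\Microsoft\.NETFramework\DbgManagedDebugger"
SAMPLES = {
    "vs_jit_aedebug": {"TargetObject": AEDEBUG,  # default VS JIT entry on a dev box: no .dll, no hit
                       "Details": r'"C:\WINDOWS\system32\vsjitdebugger.exe" -p %ld -e %ld -j 0x%p'},
    "dll_in_aedebug": {"TargetObject": AEDEBUG,  # a DLL registered as the "debugger": alerts
                       "Details": r"rundll32.exe C:\ProgramData\helper.dll"},
    "vs_jit_managed": {"TargetObject": MANAGED,  # default VS JIT string: removed by the filter
                       "Details": r'"C:\Windows\system32\vsjitdebugger.exe" PID %d APPDOM %d EXTEXT "%s" EVTHDL %d'},
    "windbg_managed": {"TargetObject": MANAGED,  # non-default developer debugger: alerts (the LoFP case)
                       "Details": r'"C:\Debuggers\windbg.exe" -p %d -e %d -g'},
}

def run_samples():
    """Map each sample label to the rules it triggers."""
    return {label: evaluate(event) for label, event in SAMPLES.items()}
```

The second rule's filter only covers the exact Visual Studio JIT string, so any other debugger a developer registers under DbgManagedDebugger still alerts; tuning means extending that filter with the organisation's known debugger command lines rather than dropping the rule.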