T1622

Debugger Evasion
デバッガ回避

Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.[1]

攻撃者は、デバッガを検出および回避するために、様々な手段を用いることができます。デバッガは通常、マルウェアの可能性のあるペイロードの実行を追跡および/または分析するために防衛側によって使用されます。

Debugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to Virtualization/Sandbox Evasion, if the adversary detects a debugger, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for debugger artifacts before dropping secondary or additional payloads.

デバッガ回避には、デバッグ環境を示す形跡をチェックした結果に基づいて、動作を変更することが含まれる場合があります。仮想化/サンドボックス回避と同様に、攻撃者がデバッガを検出した場合、離脱するようにマルウェアを変更したり、インプラントのコア機能を隠したりすることが考えられます。また、二次的または追加的なペイロードをドロップする前に、デバッガの形跡を探すこともあります。

Specific checks will vary based on the target and/or adversary, but may involve Native API function calls such as IsDebuggerPresent() and NtQueryInformationProcess(), or manually checking the BeingDebugged flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would "swallow" or handle the potential error).[2][3][4]

具体的なチェック方法は、ターゲットや攻撃者によって異なりますが、IsDebuggerPresent() や NtQueryInformationProcess() などの Native API 関数呼び出し、またはプロセス環境ブロック (PEB) の BeingDebugged フラグの手動チェックが含まれることがあります。デバッガの形跡を確認するために、ハードウェアブレークポイント、割り込みアセンブリオペコード、時間チェック、または現在のプロセスで例外が発生した場合の計測を行うこともあります (デバッガが潜在的なエラーを「飲み込む」または処理することを想定)。([4]はリンク切れ)

Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping Native API function calls such as OutputDebugStringW().[5][6]

攻撃者は、自動検出中にこれらのデバッガチェックから学んだ情報を使用して、その後の行動を策定することがあります。デバッガは、プロセスを切り離したり、OutputDebugStringW() などの Native API 関数呼び出しを繰り返し行うことで生成されるメッセージでデバッグログを無意味なデータで溢れさせることで回避することも可能です。([6]はDridex の解析記事。その中でOutputDebugStringW()を使ったデバッグログ出力の画像あり)

ID: T1622
Sub-techniques:  No sub-techniques
Platforms: Linux, Windows, macOS
Contributors: TruKno
Version: 1.0
Created: 01 April 2022
Last Modified: 16 April 2022

Procedure Examples

ID Name Description
S1039 Bumblebee

Bumblebee can search for tools used in static analysis.[7]

S0694 DRATzarus

DRATzarus can use IsDebuggerPresent to detect whether a debugger is present on a victim.[8]

S0240 ROKRAT

ROKRAT can check for debugging tools.[9][10][11]

S1018 Saint Bot

Saint Bot has used is_debugger_present as part of its environmental checks.[12]

S0595 ThiefQuest

ThiefQuest uses a function named is_debugging to perform anti-debugging logic. The function invokes sysctl checking the returned value of P_TRACED. ThiefQuest also calls ptrace with the PTRACE_DENY_ATTACH flag to prevent debugging.[5]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor debugger logs for signs of abnormal and potentially malicious activity.

DS0017 Command Command Execution

Monitor executed commands and arguments that may employ various means to detect and avoid debugged environments. Detecting actions related to debugger identification may be difficult depending on the adversary's implementation and monitoring required.

DS0009 Process OS API Execution

Monitor for API calls (such as IsDebuggerPresent()) that may employ various means to detect and avoid debugged environments. Detecting actions related to debugger identification may be difficult depending on the adversary's implementation and monitoring required.

    Process Creation

Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. Debugger related system checks will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.

References

  1. ProcessHacker. (2009, October 27). Process Hacker. Retrieved April 11, 2022.
  2. hasherezade. (2021, June 30). Module 3 - Understanding and countering malware's evasion and self-defence. Retrieved April 1, 2022.
  3. Noteworthy. (2019, January 6). Al-Khaser. Retrieved April 1, 2022.
  4. vxunderground. (2021, June 30). VX-API. Retrieved April 1, 2022.
  5. Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021.
  6. Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021.
  1. Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022.
  2. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  3. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  4. Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.
  5. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
  6. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.

連絡先:@amj_trans

 

MITRE ATT&CK 日本語化プロジェクト