Description
Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.(Citation: ProcessHacker Github)
Debugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to Virtualization/Sandbox Evasion, if the adversary detects a debugger, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for debugger artifacts before dropping secondary or additional payloads.
Specific checks will vary based on the target and/or adversary. On Windows, this may involve Native API function calls such as IsDebuggerPresent() and NtQueryInformationProcess(), or manually checking the BeingDebugged flag of the Process Environment Block (PEB). On Linux, this may involve querying /proc/self/status for the TracerPid field, which indicates whether or not the process is being traced by dynamic analysis tools.(Citation: Cado Security P2PInfect 2023)(Citation: Positive Technologies Hellhounds 2023) Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements of whether exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)
Malware may also leverage Structured Exception Handling (SEH) to detect debuggers by throwing an exception and detecting whether the process is suspended. SEH handles both hardware and software exceptions, providing control over the exceptions including support for debugging. If a debugger is present, the program’s control will be transferred to the debugger, and the execution of the code will be suspended. If the debugger is not present, control will be transferred to the SEH handler, which will automatically handle the exception and allow the program’s execution to continue.(Citation: Apriorit)
Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping Native API function calls such as OutputDebugStringW().(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)
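The API checks and the OutputDebugStringW flooding described above are visible in sandbox or EDR API-call telemetry, which is where a defender can flag them. The following detection logic is an added example, not part of the ATT&CK page or any vendor tool; it assumes a constructed trace format of `<pid> <api>(<args>)`, takes the indicator names and the ProcessDebugPort (7) and ThreadHideFromDebugger (0x11) values from this page's entries, adds the Nt-prefixed twin of ZwSetInformationThread, and uses an arbitrary flood threshold.

```python
import re
from collections import Counter

# Constructed sample of API-call trace lines (not from any real sandbox).
# Assumed format: "<pid> <api>(<args>)".
SAMPLE_TRACE = """\
1234 IsDebuggerPresent()
1234 CheckRemoteDebuggerPresent(hProcess=0xffffffff, pbDebuggerPresent=0x19ff10)
1234 NtQueryInformationProcess(ProcessHandle=0xffffffff, ProcessInformationClass=7)
1234 ZwSetInformationThread(ThreadHandle=0xfffffffe, ThreadInformationClass=0x11)
1234 CreateFileW(lpFileName=C:\\Users\\victim\\notes.txt)
""" + "1234 OutputDebugStringW(lpOutputString=xxxxxxxx)\n" * 120

# Debugger-check APIs named on the page, each with the argument condition
# (if any) that makes the call suspicious. ProcessInformationClass 7 is
# ProcessDebugPort; ThreadInformationClass 0x11 is ThreadHideFromDebugger.
INDICATORS = {
    "IsDebuggerPresent": None,
    "CheckRemoteDebuggerPresent": None,
    "NtQueryInformationProcess": r"ProcessInformationClass=(7|0x7)\b",
    "NtSetInformationThread": r"ThreadInformationClass=(17|0x11)\b",
    "ZwSetInformationThread": r"ThreadInformationClass=(17|0x11)\b",
}
DEBUG_FLOOD_THRESHOLD = 100  # assumed: OutputDebugStringW calls per pid before flagging

LINE_RE = re.compile(r"^(\d+)\s+(\w+)\((.*)\)$")

def scan_trace(trace: str) -> dict:
    """Return {pid: sorted list of anti-debug indicators} seen in a trace."""
    hits = {}
    flood = Counter()
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the assumed format
        pid, api, args = int(m.group(1)), m.group(2), m.group(3)
        if api == "OutputDebugStringW":
            flood[pid] += 1  # only a flood is interesting, single calls are benign
            continue
        cond = INDICATORS.get(api)
        if api in INDICATORS and (cond is None or re.search(cond, args)):
            hits.setdefault(pid, set()).add(api)
    for pid, n in flood.items():
        if n >= DEBUG_FLOOD_THRESHOLD:
            hits.setdefault(pid, set()).add(f"OutputDebugStringW flood ({n} calls)")
    return {pid: sorted(s) for pid, s in hits.items()}

if __name__ == "__main__":
    for pid, indicators in scan_trace(SAMPLE_TRACE).items():
        print(pid, indicators)
```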
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has embedded debug strings with messages to distract analysts.(Citation: 2022 November_TrendMic... |
Associated Software (24)
| ID | Name | Type | Context |
|---|---|---|---|
| S1213 | Lumma Stealer | Malware | [Lumma Stealer](https://attack.mitre.org/software/S1213) has checked for debugger strings by invoking `GetForegroundWindow` and looks for strings cont... |
| S1087 | AsyncRAT | Tool | [AsyncRAT](https://attack.mitre.org/software/S1087) can use the `CheckRemoteDebuggerPresent` function to detect the presence of a debugger.(Citation: ... |
| S0013 | PlugX | Malware | [PlugX](https://attack.mitre.org/software/S0013) has made calls to Windows API `CheckRemoteDebuggerPresent` and exits if it detects a debugger.(Citati... |
| S1200 | StealBit | Malware | [StealBit](https://attack.mitre.org/software/S1200) can detect it is being run in the context of a debugger.(Citation: Cybereason StealBit Exfiltratio... |
| S1183 | StrelaStealer | Malware | [StrelaStealer](https://attack.mitre.org/software/S1183) variants include functionality to identify and evade debuggers.(Citation: Fortgale StrelaStea... |
| S1111 | DarkGate | Malware | [DarkGate](https://attack.mitre.org/software/S1111) checks the <code>BeingDebugged</code> flag in the PEB structure during execution to identify if th... |
| S1145 | Pikabot | Malware | [Pikabot](https://attack.mitre.org/software/S1145) features several methods to evade debugging by analysts, including checks for active debuggers, the... |
| S0240 | ROKRAT | Malware | [ROKRAT](https://attack.mitre.org/software/S0240) can check for debugging tools.(Citation: Talos Group123)(Citation: NCCGroup RokRat Nov 2018)(Citatio... |
| S1228 | PUBLOAD | Malware | [PUBLOAD](https://attack.mitre.org/software/S1228) has embedded debug strings with messages to distract analysts.(Citation: Cisco Talos MUSTANG PANDA ... |
| S0694 | DRATzarus | Malware | [DRATzarus](https://attack.mitre.org/software/S0694) can use `IsDebuggerPresent` to detect whether a debugger is present on a victim.(Citation: ClearS... |
| S1070 | Black Basta | Malware | The [Black Basta](https://attack.mitre.org/software/S1070) dropper can check system flags, CPU registers, CPU instructions, process timing, system lib... |
| S9019 | PureCrypter | Malware | [PureCrypter](https://attack.mitre.org/software/S9019) has the ability to call `CheckRemoteDebuggerPresent`.(Citation: Zscaler PureCrypter JUN 2022) |
| S1018 | Saint Bot | Malware | [Saint Bot](https://attack.mitre.org/software/S1018) has used `is_debugger_present` as part of its environmental checks.(Citation: Malwarebytes Saint ... |
| S9037 | RustyWater | Malware | [RustyWater](https://attack.mitre.org/software/S9037) has registered a Vectored Exception Handler (VEH) to catch debugging efforts.(Citation: CloudSEK... |
| S1207 | XLoader | Malware | [XLoader](https://attack.mitre.org/software/S1207) uses anti-debugging mechanisms such as calling `NtQueryInformationProcess` with `InfoClass=7`, refe... |
| S9027 | ANELLDR | Malware | [ANELLDR](https://attack.mitre.org/software/S9027) can call `ZwSetInformationThread` with the second argument set to `ThreadHideFromDebugger (0x11)` t... |
| S1130 | Raspberry Robin | Malware | [Raspberry Robin](https://attack.mitre.org/software/S1130) leverages anti-debugging mechanisms through the use of <code>ThreadHideFromDebugger</code>.... |
| S1239 | TONESHELL | Malware | [TONESHELL](https://attack.mitre.org/software/S1239) has leveraged custom exception handlers to hide code flow and stop execution of a debugger.(Citat... |
| S1202 | LockBit 3.0 | Malware | [LockBit 3.0](https://attack.mitre.org/software/S1202) can check heap memory parameters for indications of a debugger and stop the flow of events to t... |
| S1066 | DarkTortilla | Malware | [DarkTortilla](https://attack.mitre.org/software/S1066) can detect debuggers by using functions such as `DebuggerIsAttached` and `DebuggerIsLogging`. ... |
References
- Apriorit. (2024, June 4). Anti Debugging Protection Techniques with Examples. Retrieved March 4, 2025.
- Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021.
- hasherezade. (2021, June 30). Module 3 - Understanding and countering malware's evasion and self-defence. Retrieved April 1, 2022.
- jbowen. (2023, December 4). P2Pinfect - New Variant Targets MIPS Devices. Retrieved March 18, 2025.
- Noteworthy. (2019, January 6). Al-Khaser. Retrieved April 1, 2022.
- Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021.
- ProcessHacker. (2009, October 27). Process Hacker. Retrieved April 11, 2022.
- PT Expert Security Center. (2023, November 29). Hellhounds: operation Lahat. Retrieved March 18, 2025.
- vxunderground. (2021, June 30). VX-API. Retrieved April 1, 2022.
Frequently Asked Questions
What is T1622 (Debugger Evasion)?
T1622 is a MITRE ATT&CK technique named 'Debugger Evasion'. It belongs to the Stealth, Discovery tactic(s). Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.(Citation: ProcessHack...
How can T1622 be detected?
Detection of T1622 (Debugger Evasion) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1622?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1622?
Known threat groups using T1622 include: Mustang Panda.