From 18388cd63d1da9da9e04544606e3ac5bba58bb15 Mon Sep 17 00:00:00 2001
From: NeuralGlitch <107919127+NagaSivaGunturu@users.noreply.github.com>
Date: Wed, 24 Apr 2024 06:14:00 +0530
Subject: [PATCH] Create T1622.yaml (#2752)
Created a new folder T1622 and an yaml file for new atomic test
Co-authored-by: Carrie Roberts
---
 atomics/T1622/T1622.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 atomics/T1622/T1622.yaml
diff --git a/atomics/T1622/T1622.yaml b/atomics/T1622/T1622.yaml
new file mode 100644
index 00000000..e2258689
--- /dev/null
+++ b/atomics/T1622/T1622.yaml
@@ -0,0 +1,15 @@
+attack_technique: T1622
+display_name: Debugger Evasion
+atomic_tests:
+- name: Detect a Debugger Presence in the Machine
+ description: Detecting a running debugger process or if the debugger is attached to a process via PowerShell
+ supported_platforms:
+ - windows
+ executor:
+ command: |-
+ # Check for common debugger processes
+ $debuggerProcesses = Get-Process | Where-Object { $_.ProcessName -match "dbg" -or $_.ProcessName -match "debug" }
+ # Check for debugging flags
+ $debuggingFlags = [System.Diagnostics.Debugger]::IsAttached
+ name: powershell
+ elevation_required: true
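Review bot: The executor in the new hunk assigns `$debuggerProcesses` and `$debuggingFlags` but never emits either, so the test runs silently and an operator validating a detection has nothing to observe; add `$debuggerProcesses | Select-Object Id, ProcessName` after the first assignment and `Write-Host "Managed debugger attached to this PowerShell host: $debuggingFlags"` after the second. `[System.Diagnostics.Debugger]::IsAttached` only reports a managed debugger attached to the PowerShell host process itself, not to an arbitrary process, so the description's "attached to a process" wording overstates what the command checks and should be narrowed. `elevation_required: true` looks unnecessary, since neither `Get-Process` nor reading that static property needs administrative rights, and `-match "dbg"` / `-match "debug"` are substring regexes that will also flag unrelated process names containing those fragments. The file also carries no `auto_generated_guid`; if the project's CI does not populate that field automatically, it should be added here.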