The DebuggerCheck__RemoteAPI rule flags files that reference the CheckRemoteDebuggerPresent API, a marker of potential adversary use of remote debugging checks to bypass security controls and maintain persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts that evade traditional detection mechanisms.
YARA Rule
rule DebuggerCheck__RemoteAPI : AntiDebug DebuggerCheck {
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        // anonymous ASCII string; no `wide` modifier, so UTF-16LE forms are not matched
        $ = "CheckRemoteDebuggerPresent"
    condition:
        any of them   // a single occurrence anywhere in the file is enough
}
When this YARA rule is deployed, the following benign scenarios may trigger it; the suggested filters reduce false positives in each context:

1. Scenario: A system administrator is using Process Explorer to debug a remote API call while troubleshooting a service issue.
   Filter/Exclusion: Exclude processes whose parent process is explorer.exe or taskmgr.exe and whose command line contains Process Explorer or procexp.

2. Scenario: A scheduled job runs a PowerShell script that uses Invoke-RestMethod to interact with a remote API as part of a regular data sync task.
   Filter/Exclusion: Exclude processes whose command line contains powershell.exe and whose script path includes SyncJob.ps1 or DataSync.ps1.

3. Scenario: A developer is using Visual Studio to debug a local application that makes a remote API call during development.
   Filter/Exclusion: Exclude processes whose parent process is devenv.exe and whose command line contains Visual Studio or Debug.

4. Scenario: A security tool such as Sysmon is configured to monitor API calls and generates a log entry that triggers the rule.
   Filter/Exclusion: Exclude events where the process name is Sysmon64.exe or sysmon.exe and the event ID corresponds to a known Sysmon log entry.

5. Scenario: A remote management tool such as Microsoft Endpoint Manager or Intune is making a remote API call to configure devices.
   Filter/Exclusion: Exclude processes whose parent process is msiexec.exe or setup.exe and whose command line includes Intune, MDM, or Microsoft Endpoint Manager.
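The matching logic of the rule above, re-implemented in plain Python as an added example (not code from the page or from the naxonez repository) so the behaviour can be checked without a YARA install: it scans constructed sample buffers, reports the offset of each hit for triage, and also shows the gap left by the missing `wide` modifier by adding a UTF-16LE variant as an assumed extension.

```python
import re
from dataclasses import dataclass

# The page's rule declares one ASCII string; "any of them" fires on a single hit.
PAGE_RULE = {"$a": b"CheckRemoteDebuggerPresent"}

# Assumed extension, not from the page: YARA's `wide` modifier would also catch
# the UTF-16LE spelling that Unicode-built and .NET binaries carry.
EXTENDED_RULE = {
    "$a": b"CheckRemoteDebuggerPresent",
    "$w": "CheckRemoteDebuggerPresent".encode("utf-16-le"),
}


@dataclass(frozen=True)
class Hit:
    identifier: str  # string identifier inside the rule
    offset: int      # byte offset of the match in the scanned buffer


def scan(data: bytes, strings: dict[str, bytes]) -> list[Hit]:
    """Return every occurrence of every declared string, like YARA's match list."""
    hits = []
    for ident, pattern in strings.items():
        for m in re.finditer(re.escape(pattern), data):
            hits.append(Hit(ident, m.start()))
    return sorted(hits, key=lambda h: h.offset)


def rule_matches(data: bytes, strings: dict[str, bytes]) -> bool:
    """Evaluate the rule's condition `any of them`."""
    return bool(scan(data, strings))


# Constructed stand-ins for scanned files (not real binaries): a fake PE import
# hint/name table with the ASCII name, the same name in UTF-16LE, and a clean file.
SAMPLE_ASCII = (b"MZ" + b"\x00" * 30 + b"\x00\x00IsDebuggerPresent\x00"
                + b"\x00\x00CheckRemoteDebuggerPresent\x00")
SAMPLE_WIDE = b"MZ" + b"\x00" * 30 + "CheckRemoteDebuggerPresent".encode("utf-16-le")
SAMPLE_CLEAN = b"MZ" + b"\x00" * 30 + b"GetTickCount\x00"

if __name__ == "__main__":
    for name, blob in (("ascii", SAMPLE_ASCII), ("wide", SAMPLE_WIDE), ("clean", SAMPLE_CLEAN)):
        print(f"{name:5} page rule: {rule_matches(blob, PAGE_RULE)!s:5} "
              f"extended: {rule_matches(blob, EXTENDED_RULE)!s:5} {scan(blob, EXTENDED_RULE)}")
```

The page's rule fires on the ASCII sample only; the UTF-16LE sample is missed unless the string is declared with `wide`.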