Convert indexed Sigma rules into analyst-ready detections.

title: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
id: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b
related:
    - id: 387df17d-3b04-448f-8669-9e7fd5e5fd8c
      type: similar
    - id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2
      type: similar
status: experimental
description: |
    Detects the loading of dbgcore.dll or dbghelp.dll by WerFaultSecure.exe, which has been observed in EDR-Freeze attacks to suspend processes and evade detection.
    However, this behavior has also been observed during normal software installations, so further investigation is required to confirm malicious activity.
    When threat hunting, look for this activity in conjunction with other suspicious processes starting, network connections, or file modifications that occur shortly after the DLL load.
    Pay special attention to timing - if other malicious activities occur during or immediately after this library loading, it may indicate EDR evasion attempts.
    Also correlate with any EDR/AV process suspension events or gaps in security monitoring during the timeframe.
references:
    - https://github.com/TwoSevenOneT/EDR-Freeze
    - https://blog.axelarator.net/hunting-for-edr-freeze/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-27
modified: 2026-01-09
tags:
    - attack.defense-evasion
    - attack.t1562.001
    - detection.threat-hunting
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\WerFaultSecure.exe'
        ImageLoaded|endswith:
            - '\dbgcore.dll'
            - '\dbghelp.dll'
    condition: selection
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules-threat-hunting/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/info.yml