Phoenix
Sigma IntelligenceBeta
Back to Rules
Threat Huntmediumtest

Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process

Detects the load of dbghelp/dbgcore DLL by a potentially uncommon or potentially suspicious process. The Dbghelp and Dbgcore DLLs export functions that allow for the dump of process memory. Tools like ProcessHacker, Task Manager and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. Keep in mind that many legitimate Windows processes and services might load the aforementioned DLLs for debugging or other related purposes. Investigate the CommandLine and the Image location of the process loading the DLL.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Perez Diego, oscd.community, EccoCreated Sun Oct 27Updated Fri Mar 010e277796-5f23-4e49-a490-483131d4f6e1windows
Hunting Hypothesis
Log Source
WindowsImage Load (DLL)
ProductWindows← raw: windows
CategoryImage Load (DLL)← raw: image_load
Detection Logic
Detection Logic4 selectors
detection:
    selection:
        ImageLoaded|endswith:
            - '\dbghelp.dll'
            - '\dbgcore.dll'
        Image|endswith:
            - '\bash.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\dnx.exe'
            - '\excel.exe'
            - '\monitoringhost.exe'
            - '\msbuild.exe'
            - '\mshta.exe'
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\regsvcs.exe'
            - '\rundll32.exe'
            - '\sc.exe'
            - '\scriptrunner.exe'
            - '\winword.exe'
            - '\wmic.exe'
            - '\wscript.exe'
            # - '\powershell.exe' # Note: Triggered by installing common software
            # - '\regsvr32.exe'  # Note: triggered by installing common software
            # - '\schtasks.exe'  # Note: triggered by installing software
            # - '\svchost.exe'  # Note: triggered by some services
    filter_main_tiworker:
        # Note: This filter requires "CommandLine" field enrichment
        CommandLine|startswith: 'C:\WINDOWS\WinSxS\'
        CommandLine|endswith: '\TiWorker.exe -Embedding'
    filter_main_generic:
        # Note: This filter requires "CommandLine" field enrichment
        Image|endswith: '\svchost.exe'
        CommandLine|endswith:
            - '-k LocalServiceNetworkRestricted'
            - '-k WerSvcGroup'
    filter_main_rundll32:
        # Note: This filter requires "CommandLine" field enrichment
        Image|endswith: '\rundll32.exe'
        CommandLine|contains:
            - '/d srrstr.dll,ExecuteScheduledSPPCreation'
            - 'aepdu.dll,AePduRunUpdate'
            - 'shell32.dll,OpenAs_RunDL'
            - 'Windows.Storage.ApplicationData.dll,CleanupTemporaryState'
    condition: selection and not 1 of filter_main_*
False Positives

Debugging scripts might leverage this DLL in order to dump process memory for further analysis.

References
1
Resolving title…
docs.microsoft.com
2
Resolving title…
pinvoke.net
3
Resolving title…
medium.com
MITRE ATT&CK

Other

detection.threat-hunting
Related Rules
SimilarDetectionhigh

Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded

Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
0e277796-5f23-4e49-a490-483131d4f6e1
Status
test
Level
medium
Type
Threat Hunt
Created
Sun Oct 27
Modified
Fri Mar 01
Author
Perez Diego, oscd.community, Ecco
Path
rules-threat-hunting/windows/image_load/image_load_dll_dbghelp_dbgcore_susp_load.yml
Raw Tags
attack.credential-accessattack.t1003.001detection.threat-hunting
View on GitHub