Detectionhighexperimental

Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location

Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories. These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Swachchhanda Shrawan Poudel (Nextron Systems)Created Thu Nov 27Updated Fri Jan 09416bc4a2-7217-4519-8dc7-c3271817f1d5windows

Log Source

WindowsImage Load (DLL)

ProductWindows← raw: windows

CategoryImage Load (DLL)← raw: image_load

Detection Logic

detection:
    selection_img:
        Image|contains:
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Users\Public\'
            - '\$Recycle.Bin\'
            - '\Contacts\'
            # - '\Desktop\'
            - '\Documents\'
            # - '\Downloads\'
            - '\Favorites\'
            - '\Favourites\'
            - '\inetpub\wwwroot\'
            - '\Music\'
            - '\Pictures\'
            - '\Start Menu\Programs\Startup\'
            - '\Users\Default\'
            - '\Videos\'
            #  - '\AppData\Local\Temp\' some installers may load from here
    selection_dll:
        ImageLoaded|endswith:
            - '\dbgcore.dll'
            - '\dbghelp.dll'
    condition: all of selection_*

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Testing & Validation

Regression Tests

by Swachchhanda Shrawan Poudel (Nextron Systems)

Positive Detection Testevtx

Microsoft-Windows-Sysmon

EVTX JSON

MITRE ATT&CK

Tactics

TA0006 · Credential Access TA0005 · Defense Evasion

Techniques

T1003 · OS Credential Dumping

Sub-techniques

T1562.001 · Disable or Modify Tools

Related Rules

SimilarDetectionhigh

Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs

Detects suspicious process access to LSASS.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace. These DLLs contain functions like MiniDumpWriteDump that can be abused for credential dumping purposes. While modern tools like Mimikatz have moved to using ntdll.dll, dbgcore.dll and dbghelp.dll are still used by basic credential dumping utilities and legacy tools for LSASS memory access and process suspension techniques.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

416bc4a2-7217-4519-8dc7-c3271817f1d5

Status

experimental

Level

high

Type

Detection

Created

Thu Nov 27

Modified

Fri Jan 09

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Path

rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load.yml

Raw Tags

attack.credential-accessattack.t1003attack.defense-evasionattack.t1562.001

View on GitHub