Threat Huntmediumexperimental

WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze

Detects the loading of dbgcore.dll or dbghelp.dll by WerFaultSecure.exe, which has been observed in EDR-Freeze attacks to suspend processes and evade detection. However, this behavior has also been observed during normal software installations, so further investigation is required to confirm malicious activity. When threat hunting, look for this activity in conjunction with other suspicious processes starting, network connections, or file modifications that occur shortly after the DLL load. Pay special attention to timing - if other malicious activities occur during or immediately after this library loading, it may indicate EDR evasion attempts. Also correlate with any EDR/AV process suspension events or gaps in security monitoring during the timeframe.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Swachchhanda Shrawan Poudel (Nextron Systems)Created Thu Nov 27Updated Fri Jan 098a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2bwindows

Hunting Hypothesis

Log Source

WindowsImage Load (DLL)

ProductWindows← raw: windows

CategoryImage Load (DLL)← raw: image_load

Detection Logic

detection:
    selection:
        Image|endswith: '\WerFaultSecure.exe'
        ImageLoaded|endswith:
            - '\dbgcore.dll'
            - '\dbghelp.dll'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Testing & Validation

Regression Tests

by Swachchhanda Shrawan Poudel (Nextron Systems)

Positive Detection Testevtx

Microsoft-Windows-Sysmon

EVTX JSON

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Sub-techniques

T1562.001 · Disable or Modify Tools

Other

detection.threat-hunting

Related Rules

SimilarDetectionhigh

Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze

Detects process access events where WerFaultSecure accesses MsMpEng.exe with dbgcore.dll or dbghelp.dll in the call trace, indicating potential EDR freeze techniques. This technique leverages WerFaultSecure.exe running as a Protected Process Light (PPL) with WinTCB protection level to call MiniDumpWriteDump and suspend EDR/AV processes, allowing malicious activity to execute undetected during the suspension period.

Detects similar activity. Both rules may fire on overlapping events.

SimilarDetectionhigh

PPL Tampering Via WerFaultSecure

Detects potential abuse of WerFaultSecure.exe to dump Protected Process Light (PPL) processes like LSASS or to freeze security solutions (EDR/antivirus). This technique is used by tools such as EDR-Freeze and WSASS to bypass PPL protections and access sensitive information or disable security software. Distinct command line patterns help identify the specific tool: - WSASS usage typically shows: "WSASS.exe WerFaultSecure.exe [PID]" in ParentCommandLine - EDR-Freeze usage typically shows: "EDR-Freeze_[version].exe [PID] [timeout]" in ParentCommandLine Legitimate debugging operations using WerFaultSecure are rare in production environments and should be investigated.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b

Status

experimental

Level

medium

Type

Threat Hunt

Created

Thu Nov 27

Modified

Fri Jan 09

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Path

rules-threat-hunting/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load.yml

Raw Tags

attack.defense-evasionattack.t1562.001detection.threat-hunting

View on GitHub