Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Potential DLL Sideloading Of DBGCORE.DLL

Detects DLL sideloading of "dbgcore.dll"

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)Created Tue Oct 25Updated Mon Oct 069ca2bf31-0570-44d8-a543-534c47c33ed7windows
Log Source
WindowsImage Load (DLL)
ProductWindows← raw: windows
CategoryImage Load (DLL)← raw: image_load
Detection Logic
Detection Logic4 selectors
detection:
    selection:
        ImageLoaded|endswith: '\dbgcore.dll'
    filter_main_generic:
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SystemTemp\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    filter_optional_steam:
        ImageLoaded|endswith: '\Steam\bin\cef\cef.win7x64\dbgcore.dll'
    filter_optional_opera:
        # C:\\Users\\User\\AppData\\Local\\Temp\\.opera\\Opera Installer Temp\\opera_package_202311051506321\\assistant\\dbgcore.dll
        ImageLoaded|contains: 'opera\Opera Installer Temp\opera_package'
        ImageLoaded|endswith: '\assistant\dbgcore.dll'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
False Positives

Legitimate applications loading their own versions of the DLL mentioned in this rule

References
1
Resolving title…
hijacklibs.net
MITRE ATT&CK
Rule Metadata
Rule ID
9ca2bf31-0570-44d8-a543-534c47c33ed7
Status
test
Level
medium
Type
Detection
Created
Tue Oct 25
Modified
Mon Oct 06
Author
Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
Path
rules/windows/image_load/image_load_side_load_dbgcore.yml
Raw Tags
attack.defense-evasionattack.persistenceattack.privilege-escalationattack.t1574.001
View on GitHub