Detectionhighexperimental

Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs

Detects suspicious process access to LSASS.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace. These DLLs contain functions like MiniDumpWriteDump that can be abused for credential dumping purposes. While modern tools like Mimikatz have moved to using ntdll.dll, dbgcore.dll and dbghelp.dll are still used by basic credential dumping utilities and legacy tools for LSASS memory access and process suspension techniques.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Swachchhanda Shrawan Poudel (Nextron Systems)Created Thu Nov 279f5c1d59-33be-4e60-bcab-85d2f566effdwindows

Log Source

WindowsProcess Access

ProductWindows← raw: windows

CategoryProcess Access← raw: process_access

Events when a process opens a handle to another process, commonly used for credential dumping via LSASS.

Detection Logic

detection:
    selection_lsass_calltrace:
        TargetImage|endswith: '\lsass.exe'
        CallTrace|contains:
            - 'dbgcore.dll'
            - 'dbghelp.dll'
    # The following selection is commented out and not enabled by default because any access to LSASS with dbgcore.dll or dbghelp.dll in the call trace from uncommon locations is assumed to be suspicious,
    # but it may reduce false positives if the rule is too noisy. These GrantedAccess bits are commonly used for dumping LSASS memory.
    # Uncomment if you observe false positives with the default rule.
    # selection_granted_access:
    #     GrantedAccess|contains:
    #         - '0x1fffff'
    #         - '0x10'
    #         - '0x1010'
    #         - '0x1410'
    #         - '0x1438'
    selection_susp_location:
        SourceImage|contains:
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Users\Public\'
            - '\$Recycle.Bin\'
            - '\AppData\Roaming\'
            - '\Contacts\'
            - '\Desktop\'
            - '\Documents\'
            - '\Downloads\'
            - '\Favorites\'
            - '\Favourites\'
            - '\inetpub\wwwroot\'
            - '\Music\'
            - '\Pictures\'
            - '\Start Menu\Programs\Startup\'
            - '\Users\Default\'
            - '\Videos\'
            - '\Windows\Temp\'
    condition: all of selection_*

False Positives

Possibly during software installation or update processes

References

Testing & Validation

Regression Tests

by Swachchhanda Shrawan Poudel (Nextron Systems)

Positive Detection Testevtx

Microsoft-Windows-Sysmon

EVTX JSON

MITRE ATT&CK

Tactics

TA0006 · Credential Access TA0005 · Defense Evasion

Sub-techniques

T1003.001 · LSASS Memory T1562.001 · Disable or Modify Tools

Related Rules

SimilarDetectionhigh

Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location

Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories. These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

9f5c1d59-33be-4e60-bcab-85d2f566effd

Status

experimental

Level

high

Type

Detection

Created

Thu Nov 27

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Path

rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load.yml

Raw Tags

attack.credential-accessattack.t1003.001attack.defense-evasionattack.t1562.001

View on GitHub