Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded

Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Perez Diego, oscd.community, EccoCreated Sun Oct 27Updated Fri Dec 09bdc64095-d59a-42a2-8588-71fd9c9d9abcwindows
Log Source
WindowsImage Load (DLL)
ProductWindows← raw: windows
CategoryImage Load (DLL)← raw: image_load
Detection Logic
Detection Logic1 selector
detection:
    selection:
        ImageLoaded|endswith:
            - '\dbghelp.dll'
            - '\dbgcore.dll'
        Signed: 'false'
    condition: selection
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
learn.microsoft.com
2
Resolving title…
pinvoke.net
3
Resolving title…
medium.com
MITRE ATT&CK
Related Rules
SimilarThreat Huntmedium

Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process

Detects the load of dbghelp/dbgcore DLL by a potentially uncommon or potentially suspicious process. The Dbghelp and Dbgcore DLLs export functions that allow for the dump of process memory. Tools like ProcessHacker, Task Manager and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. Keep in mind that many legitimate Windows processes and services might load the aforementioned DLLs for debugging or other related purposes. Investigate the CommandLine and the Image location of the process loading the DLL.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
bdc64095-d59a-42a2-8588-71fd9c9d9abc
Status
test
Level
high
Type
Detection
Created
Sun Oct 27
Modified
Fri Dec 09
Author
Perez Diego, oscd.community, Ecco
Path
rules/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml
Raw Tags
attack.credential-accessattack.t1003.001
View on GitHub