Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded

Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.

Sigma rule (View on GitHub)

 1title: Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded
 2id: bdc64095-d59a-42a2-8588-71fd9c9d9abc
 3related:
 4    - id: 0e277796-5f23-4e49-a490-483131d4f6e1 # Suspicious Loading
 5      type: similar
 6status: test
 7description: |
 8    Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.
 9    Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.
10    As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.    
11references:
12    - https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
13    - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
14    - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
15author: Perez Diego (@darkquassar), oscd.community, Ecco
16date: 2019/10/27
17modified: 2022/12/09
18tags:
19    - attack.credential_access
20    - attack.t1003.001
21logsource:
22    category: image_load
23    product: windows
24detection:
25    selection:
26        ImageLoaded|endswith:
27            - '\dbghelp.dll'
28            - '\dbgcore.dll'
29        Signed: 'false'
30    condition: selection
31falsepositives:
32    - Unknown
33level: high

References

Related rules

to-top