Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location

 1title: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
 2id: 416bc4a2-7217-4519-8dc7-c3271817f1d5
 3related:
 4    - id: 9f5c1d59-33be-4e60-bcab-85d2f566effd
 5      type: similar
 6status: experimental
 7description: |
 8    Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories.
 9    These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.    
10references:
11    - https://blog.axelarator.net/hunting-for-edr-freeze/
12    - https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
13    - https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
14author: Swachchhanda Shrawan Poudel (Nextron Systems)
15date: 2025-11-27
16tags:
17    - attack.credential-access
18    - attack.t1003
19    - attack.defense-evasion
20    - attack.t1562.001
21logsource:
22    category: image_load
23    product: windows
24detection:
25    selection_img:
26        Image|contains:
27            - ':\Perflogs\'
28            - ':\Temp\'
29            - ':\Users\Public\'
30            - '\$Recycle.Bin\'
31            - '\Contacts\'
32            - '\Desktop\'
33            - '\Documents\'
34            - '\Downloads\'
35            - '\Favorites\'
36            - '\Favourites\'
37            - '\inetpub\wwwroot\'
38            - '\Music\'
39            - '\Pictures\'
40            - '\Start Menu\Programs\Startup\'
41            - '\Users\Default\'
42            - '\Videos\'
43            #  - '\AppData\Local\Temp\' some installers may load from here
44    selection_dll:
45        ImageLoaded|endswith:
46            - '\dbgcore.dll'
47            - '\dbghelp.dll'
48    condition: all of selection_*
49falsepositives:
50    - Possibly during software installation or update processes
51level: high
52regression_tests_path: regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/info.yml

References

• Hunting for EDR-Freeze

  

  EDR bypassing has become a technique of choice for threat actors and has enabled a market of tools being sold on cybercrime forums: * Unit42 uncovered a variant of EDRSandBlast being sold on XSS and Exploit. * CheckPoint Research uncovered the use of a vulnerable driver, Truesight.sys, which evaded the Microsoft

  
  Read More

• EDR-Freeze: A Tool That Puts EDRs And Antivirus Into A Coma State

  

  EDR-Freeze exploits the vulnerability of WerFaultSecure to suspend the processes of EDRs and Antimalware, halting the operation of Antivirus and EDR

  
  Read More

• You Bet Your Lsass: Hunting LSASS Access | Splunk

  

  Dive in as the Splunk Threat Research Team shares how Mimikatz, and a few other tools found in Atomic Red Team, access credentials via LSASS memory.

  
  Read More

Related rules

• PPL Tampering Via WerFaultSecure
• Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
• Suspicious SYSTEM User Process Creation
• HackTool - Rubeus Execution
• HackTool - Rubeus Execution - ScriptBlock