Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories. These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.
Sigma rule
```yaml
title: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
id: 416bc4a2-7217-4519-8dc7-c3271817f1d5
related:
    - id: 9f5c1d59-33be-4e60-bcab-85d2f566effd
      type: similar
status: experimental
description: |
    Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories.
    These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.
references:
    - https://blog.axelarator.net/hunting-for-edr-freeze/
    - https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
    - https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-27
modified: 2026-01-09
tags:
    - attack.credential-access
    - attack.t1003
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: image_load
    product: windows
detection:
    selection_img:
        Image|contains:
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Users\Public\'
            - '\$Recycle.Bin\'
            - '\Contacts\'
            # - '\Desktop\'
            - '\Documents\'
            # - '\Downloads\'
            - '\Favorites\'
            - '\Favourites\'
            - '\inetpub\wwwroot\'
            - '\Music\'
            - '\Pictures\'
            - '\Start Menu\Programs\Startup\'
            - '\Users\Default\'
            - '\Videos\'
            # - '\AppData\Local\Temp\' some installers may load from here
    selection_dll:
        ImageLoaded|endswith:
            - '\dbgcore.dll'
            - '\dbghelp.dll'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/info.yml
```
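To show what the rule actually fires on, here is an added Python evaluation of its two selections and the `all of selection_*` condition over a few constructed Sysmon Event ID 7 (image load) records. This is example code, not part of the Sigma project; it assumes the Sysmon field names `Image` (the loading process) and `ImageLoaded` (the DLL), and applies Sigma's case-insensitive string matching, so the commented-out `\Downloads\` entry is deliberately not matched.

```python
# Added example: evaluates the Sigma rule above against constructed image_load
# events. Field names follow Sysmon Event ID 7; this is not Sigma's own engine.

# Path fragments from selection_img (commented-out entries in the rule are omitted).
UNCOMMON_IMAGE_PATHS = [
    ":\\Perflogs\\", ":\\Temp\\", ":\\Users\\Public\\", "\\$Recycle.Bin\\",
    "\\Contacts\\", "\\Documents\\", "\\Favorites\\", "\\Favourites\\",
    "\\inetpub\\wwwroot\\", "\\Music\\", "\\Pictures\\",
    "\\Start Menu\\Programs\\Startup\\", "\\Users\\Default\\", "\\Videos\\",
]
# selection_dll: the two DLLs that export MiniDumpWriteDump.
DUMP_DLLS = ["\\dbgcore.dll", "\\dbghelp.dll"]


def matches_rule(event: dict) -> bool:
    """True when the event satisfies 'all of selection_*' (both selections)."""
    # Sigma string modifiers are case-insensitive, so compare lowercased paths.
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    selection_img = any(frag.lower() in image for frag in UNCOMMON_IMAGE_PATHS)
    selection_dll = any(loaded.endswith(dll.lower()) for dll in DUMP_DLLS)
    return selection_img and selection_dll


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Loader in Users\Public picking up the system dbghelp.dll: matches.
    {"Image": "C:\\Users\\Public\\updater.exe",
     "ImageLoaded": "C:\\Windows\\System32\\dbghelp.dll"},
    # Legitimate WerFault.exe in System32: selection_img fails, no alert.
    {"Image": "C:\\Windows\\System32\\WerFault.exe",
     "ImageLoaded": "C:\\Windows\\System32\\dbgcore.dll"},
    # Downloads is commented out in the rule, so this does not match.
    {"Image": "C:\\Users\\alice\\Downloads\\tool.exe",
     "ImageLoaded": "C:\\Users\\alice\\Downloads\\dbgcore.dll"},
    # Documents is an active entry: matches.
    {"Image": "C:\\Users\\alice\\Documents\\app.exe",
     "ImageLoaded": "C:\\Users\\alice\\Documents\\dbgcore.dll"},
]


def find_alerts(events):
    """Return the subset of events the rule would raise as high-severity alerts."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", alert["Image"], "->", alert["ImageLoaded"])
```

The third record shows the tuning decision embedded in the rule: loads from `\Downloads\` are not flagged unless that entry is uncommented.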
Related rules
- PPL Tampering Via WerFaultSecure
- Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
- Suspicious SYSTEM User Process Creation
- HackTool - Rubeus Execution
- HackTool - Rubeus Execution - ScriptBlock