Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
Detects suspicious process access to LSASS.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace. These DLLs contain functions like MiniDumpWriteDump that can be abused for credential dumping purposes. While modern tools like Mimikatz have moved to using ntdll.dll, dbgcore.dll and dbghelp.dll are still used by basic credential dumping utilities and legacy tools for LSASS memory access and process suspension techniques.
Sigma rule

```yaml
title: Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
id: 9f5c1d59-33be-4e60-bcab-85d2f566effd
related:
    - id: 416bc4a2-7217-4519-8dc7-c3271817f1d5
      type: similar
status: experimental
description: |
    Detects suspicious process access to LSASS.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace.
    These DLLs contain functions like MiniDumpWriteDump that can be abused for credential dumping purposes. While modern tools like Mimikatz have moved to using ntdll.dll,
    dbgcore.dll and dbghelp.dll are still used by basic credential dumping utilities and legacy tools for LSASS memory access and process suspension techniques.
references:
    - https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
    - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpwritedump
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-27
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: process_access
    product: windows
detection:
    selection_lsass_calltrace:
        TargetImage|endswith: '\lsass.exe'
        CallTrace|contains:
            - 'dbgcore.dll'
            - 'dbghelp.dll'
    # The following selection is commented out and not enabled by default because any access to LSASS with dbgcore.dll or dbghelp.dll in the call trace from uncommon locations is assumed to be suspicious,
    # but it may reduce false positives if the rule is too noisy. These GrantedAccess bits are commonly used for dumping LSASS memory.
    # Uncomment if you observe false positives with the default rule.
    # selection_granted_access:
    #     GrantedAccess|contains:
    #         - '0x1fffff'
    #         - '0x10'
    #         - '0x1010'
    #         - '0x1410'
    #         - '0x1438'
    selection_susp_location:
        SourceImage|contains:
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Users\Public\'
            - '\$Recycle.Bin\'
            - '\AppData\Roaming\'
            - '\Contacts\'
            - '\Desktop\'
            - '\Documents\'
            - '\Downloads\'
            - '\Favorites\'
            - '\Favourites\'
            - '\inetpub\wwwroot\'
            - '\Music\'
            - '\Pictures\'
            - '\Start Menu\Programs\Startup\'
            - '\Users\Default\'
            - '\Videos\'
            - '\Windows\Temp\'
    condition: all of selection_*
falsepositives:
    - Possibly during software installation or update processes
level: high
regression_tests_path: regression_data/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load/info.yml
```
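To see how the rule's selections combine, here is an added example (not code from the Sigma project) that evaluates the same logic, including the optional GrantedAccess selection, over constructed Sysmon Event ID 10 records; the sample paths, call-trace offsets and access masks are made up.

```python
# Added example, not from the Sigma rule: the three selections evaluated over
# constructed Sysmon process_access records (field names follow Sysmon).
SUSP_LOCATIONS = [
    ":\\Perflogs\\", ":\\Temp\\", ":\\Users\\Public\\", "\\$Recycle.Bin\\",
    "\\AppData\\Roaming\\", "\\Contacts\\", "\\Desktop\\", "\\Documents\\",
    "\\Downloads\\", "\\Favorites\\", "\\Favourites\\", "\\inetpub\\wwwroot\\",
    "\\Music\\", "\\Pictures\\", "\\Start Menu\\Programs\\Startup\\",
    "\\Users\\Default\\", "\\Videos\\", "\\Windows\\Temp\\",
]
DEBUG_DLLS = ["dbgcore.dll", "dbghelp.dll"]
# Masks from the rule's commented-out selection_granted_access (opt-in below).
DUMP_ACCESS_MASKS = ["0x1fffff", "0x10", "0x1010", "0x1410", "0x1438"]

def contains_any(value, needles):
    """Sigma 'contains' with a list is an OR; matching is case-insensitive."""
    v = value.lower()
    return any(n.lower() in v for n in needles)

def matches(event, require_dump_access=False):
    """True when the event satisfies 'condition: all of selection_*'."""
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False                      # selection_lsass_calltrace (target)
    if not contains_any(event.get("CallTrace", ""), DEBUG_DLLS):
        return False                      # selection_lsass_calltrace (trace)
    if not contains_any(event.get("SourceImage", ""), SUSP_LOCATIONS):
        return False                      # selection_susp_location
    if require_dump_access and not contains_any(
            event.get("GrantedAccess", ""), DUMP_ACCESS_MASKS):
        return False                      # optional selection_granted_access
    return True

LSASS = "C:\\Windows\\System32\\lsass.exe"
TRACE_DBG = "C:\\Windows\\SYSTEM32\\ntdll.dll+9d204|C:\\Windows\\System32\\dbgcore.dll+1d0e0"
TRACE_NTDLL = "C:\\Windows\\SYSTEM32\\ntdll.dll+9d204|C:\\Windows\\System32\\KERNELBASE.dll+2a18f"
EVENTS = [  # constructed samples, not real telemetry
    {"SourceImage": "C:\\Users\\Public\\dump.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1fffff", "CallTrace": TRACE_DBG},        # fires
    {"SourceImage": "C:\\Users\\Public\\dump.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1fffff", "CallTrace": TRACE_NTDLL},      # ntdll only: no hit
    {"SourceImage": "C:\\Program Files\\Vendor\\agent.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1010", "CallTrace": TRACE_DBG},          # common path: no hit
    {"SourceImage": "c:\\windows\\temp\\UPDATER.EXE", "TargetImage": LSASS,
     "GrantedAccess": "0x3000", "CallTrace": TRACE_DBG},          # fires unless masks required
]

def alerts(events, require_dump_access=False):
    """Return the SourceImage of every event the rule would flag."""
    return [e["SourceImage"] for e in events if matches(e, require_dump_access)]
```

Because the optional selection uses `contains`, the mask `'0x10'` also matches values such as `0x1000`, so enabling it narrows the rule less than an exact match would.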
Related rules
- PPL Tampering Via WerFaultSecure
- Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
- Process Access via TrolleyExpress Exclusion
- Potential LSASS Process Dump Via Procdump
- CreateDump Process Dump