Adversaries may sideload a malicious version of DBGCORE.DLL (the Windows debugging library that implements MiniDumpWriteDump) next to a trusted executable to execute arbitrary code, keep persistence or escalate privileges (ATT&CK T1574.001). Because the default DLL search order checks the executable's own directory before the system directories, a dbgcore.dll loaded from anywhere other than the Windows or Program Files trees deserves a look. SOC teams should proactively hunt for this behaviour in Azure Sentinel, using the Sigma rule and its KQL conversion below, to identify DLL sideloading that could lead to persistence or lateral movement.
Detection Rule
title: Potential DLL Sideloading Of DBGCORE.DLL
id: 9ca2bf31-0570-44d8-a543-534c47c33ed7
status: test
description: Detects DLL sideloading of "dbgcore.dll"
references:
    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-10-25
modified: 2025-10-06
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\dbgcore.dll'
    filter_main_generic:
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SystemTemp\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    filter_optional_steam:
        ImageLoaded|endswith: '\Steam\bin\cef\cef.win7x64\dbgcore.dll'
    filter_optional_opera:
        # C:\Users\User\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311051506321\assistant\dbgcore.dll
        ImageLoaded|contains: 'opera\Opera Installer Temp\opera_package'
        ImageLoaded|endswith: '\assistant\dbgcore.dll'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate applications loading their own versions of the DLL mentioned in this rule
level: medium
DeviceImageLoadEvents
| where FolderPath endswith "\\dbgcore.dll"
| where not(FolderPath startswith "C:\\Program Files (x86)\\"
    or FolderPath startswith "C:\\Program Files\\"
    or FolderPath startswith "C:\\Windows\\SoftwareDistribution\\"
    or FolderPath startswith "C:\\Windows\\System32\\"
    or FolderPath startswith "C:\\Windows\\SystemTemp\\"
    or FolderPath startswith "C:\\Windows\\SysWOW64\\"
    or FolderPath startswith "C:\\Windows\\WinSxS\\")
| where not(FolderPath endswith "\\Steam\\bin\\cef\\cef.win7x64\\dbgcore.dll"
    or (FolderPath contains "opera\\Opera Installer Temp\\opera_package"
        and FolderPath endswith "\\assistant\\dbgcore.dll"))
The KQL is the advanced-hunting form of the Sigma rule for the Defender for Endpoint DeviceImageLoadEvents table (available in Sentinel through the Defender connector): the Sigma field ImageLoaded is mapped to FolderPath, which the conversion treats as the full path of the loaded image. KQL's endswith, startswith and contains operators are case-insensitive, matching Sigma's default, so DBGCORE.DLL and dbgcore.dll are caught alike. The same table carries InitiatingProcessFolderPath and the loaded file's SHA256, which are the fields to key exclusions on when tuning.
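To see what the filters actually let through, here is an added example that re-implements the rule's condition in plain Python and runs it over a handful of constructed image_load events (this is not the Sigma project's code or a pySigma backend; the paths, process names and user name are invented for the demo). It also shows the rule's deliberate blind spot: a dbgcore.dll dropped under C:\Program Files\ is excluded by filter_main_generic, while C:\Windows\Temp\ is not in the filter list and does fire.

```python
# Added example, not part of the Sigma rule or the page: the rule's matching
# logic as a Python function, exercised over constructed image_load events.

# Prefixes from filter_main_generic. Sigma string modifiers are
# case-insensitive by default, so every comparison is done on lower-cased paths.
TRUSTED_PREFIXES = tuple(p.lower() for p in (
    "C:\\Program Files (x86)\\",
    "C:\\Program Files\\",
    "C:\\Windows\\SoftwareDistribution\\",
    "C:\\Windows\\System32\\",
    "C:\\Windows\\SystemTemp\\",
    "C:\\Windows\\SysWOW64\\",
    "C:\\Windows\\WinSxS\\",
))


def matches_rule(image_loaded: str) -> bool:
    """Evaluate: selection and not 1 of filter_main_* and not 1 of filter_optional_*."""
    path = image_loaded.lower()
    if not path.endswith("\\dbgcore.dll"):
        return False                                      # selection not met
    if path.startswith(TRUSTED_PREFIXES):
        return False                                      # filter_main_generic
    if path.endswith("\\steam\\bin\\cef\\cef.win7x64\\dbgcore.dll"):
        return False                                      # filter_optional_steam
    if ("opera\\opera installer temp\\opera_package" in path
            and path.endswith("\\assistant\\dbgcore.dll")):
        return False                                      # filter_optional_opera
    return True


# Constructed events (not real telemetry): Image is the loading process,
# ImageLoaded the DLL, mirroring the Sigma image_load field names.
OPERA_DIR = ("C:\\Users\\bob\\AppData\\Local\\Temp\\.opera\\Opera Installer Temp"
             "\\opera_package_202311051506321\\assistant\\")
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\WerFault.exe",
     "ImageLoaded": "C:\\Windows\\System32\\dbgcore.dll"},            # system copy
    {"Image": "C:\\Users\\bob\\Downloads\\tool\\tool.exe",
     "ImageLoaded": "C:\\Users\\bob\\Downloads\\tool\\dbgcore.dll"},   # classic sideload
    {"Image": "D:\\Games\\Steam\\bin\\cef\\cef.win7x64\\steamwebhelper.exe",
     "ImageLoaded": "D:\\Games\\Steam\\bin\\cef\\cef.win7x64\\dbgcore.dll"},  # Steam filter
    {"Image": OPERA_DIR + "installer.exe",
     "ImageLoaded": OPERA_DIR + "dbgcore.dll"},                         # Opera filter
    {"Image": "C:\\Users\\bob\\Downloads\\loader.exe",
     "ImageLoaded": "C:\\Users\\bob\\Downloads\\DBGCORE.DLL"},          # mixed case
    {"Image": "C:\\Program Files\\VendorApp\\vendorapp.exe",
     "ImageLoaded": "C:\\Program Files\\VendorApp\\dbgcore.dll"},      # rule's blind spot
    {"Image": "C:\\Windows\\Temp\\svc.exe",
     "ImageLoaded": "C:\\Windows\\Temp\\dbgcore.dll"},                 # Windows\Temp fires
]


def evaluate(events):
    """Return (Image, ImageLoaded) pairs that fire the rule, in input order."""
    return [(e["Image"], e["ImageLoaded"]) for e in events
            if matches_rule(e["ImageLoaded"])]


if __name__ == "__main__":
    for image, loaded in evaluate(SAMPLE_EVENTS):
        print(f"ALERT: {image} loaded {loaded}")
```

Three of the seven events fire (the Downloads sideload, the upper-case DBGCORE.DLL and the Windows\Temp copy); the Program Files copy is silently excluded, which is why a sideload into a vendor directory with weak ACLs needs a different rule.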
Scenario: Legitimate System Update via Windows Update
Description: Windows Update or a service pack may stage or replace dbgcore.dll, so loads of a freshly written copy can appear during and shortly after an update.
Filter/Exclusion: The rule's filter_main_generic already excludes the directories an update writes to (C:\Windows\System32, C:\Windows\SysWOW64, C:\Windows\WinSxS and C:\Windows\SoftwareDistribution), so a genuine update copy does not fire; a path-only exclusion such as file_path != "C:\Windows\System32\dbgcore.dll" adds nothing. If a load from some other path coincides with an update, confirm the file is Microsoft-signed (for example with Get-AuthenticodeSignature in PowerShell) and compare its hash from certutil -hashfile with the System32 copy before adding any exclusion.
Scenario: Admin Task Using Process Monitor (ProcMon)
Description: An administrator may run Process Monitor to inspect DLL loading behaviour, and the tool, typically run from wherever it was downloaded rather than from Program Files, may load dbgcore.dll from that location.
Filter/Exclusion: Do not exclude on the process name alone (process_name != "procmon.exe"): an attacker can give a loader that name. Scope the exclusion to the full path the tool is run from (InitiatingProcessFolderPath in DeviceImageLoadEvents) and, where possible, to the hash of the dbgcore.dll it loads.
Scenario: Scheduled Job for Log Collection or Monitoring
Description: A scheduled task may load dbgcore.dll as part of a log collection or monitoring agent (e.g., Splunk, ELK, or custom scripts) installed outside Program Files.
Filter/Exclusion: Exclude the agent by its installation path and the loaded DLL's hash rather than by name (splunkd.exe, logstash.exe, elasticsearch.exe); a name-only filter like process_name != "splunkd.exe" is bypassed by renaming a malicious binary.
Scenario: Third-Party Application Using dbgcore.dll
Description: A third-party application or service (e.g., a database tool, network diagnostic tool, or security software) may legitimately ship its own copy of dbgcore.dll (it implements MiniDumpWriteDump, which crash-reporting components use) and load it from its own directory.
Filter/Exclusion: Exclude known vendors (e.g., sqlservr.exe, mysql.exe, or wireshark.exe) only by their full installation path plus a verified hash or signature of the bundled DLL, following the pattern the rule itself uses for Steam and Opera: a specific path suffix, never a bare process name.
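The scenarios above all come down to one tuning question: what to key an exclusion on. The following added example (not from the page; every hit, vendor, path and hash in it is constructed, and the hypothetical agent monagent.exe stands in for any of the tools named above) applies two exclusion styles to the same set of rule hits. The name-only style the scenarios mention drops a renamed dropper in a user-writable Temp directory and a replaced DLL beside the real agent; an exclusion keyed on the initiating process's full path together with the loaded DLL's SHA-256 keeps both.

```python
# Added example, not part of the page: comparing a name-only exclusion with
# one scoped to process path + DLL hash, over constructed rule hits shaped
# like DeviceImageLoadEvents rows. InitiatingProcessFolderPath is assumed here
# to carry the full image path, as the rule's conversion assumes for FolderPath.

# Name-only exclusions, as the scenarios phrase them (process_name != ...).
EXCLUDED_NAMES = {"procmon.exe", "splunkd.exe", "sqlservr.exe", "monagent.exe"}

# Scoped exclusions: (full path of the initiating process, SHA-256 of the
# dbgcore.dll it may load). The hash is a placeholder; fill real entries from
# `certutil -hashfile <dll> SHA256` on a copy whose signature you verified.
KNOWN_GOOD_LOADS = {
    ("d:\\monagent\\bin\\monagent.exe", "11" * 32),
}


def name_only_exclusion(hit) -> bool:
    """Keep the hit unless the loading process *name* is on the exclusion list."""
    return hit["InitiatingProcessFileName"].lower() not in EXCLUDED_NAMES


def scoped_exclusion(hit) -> bool:
    """Keep the hit unless the exact (process path, DLL hash) pair is known good."""
    key = (hit["InitiatingProcessFolderPath"].lower(), hit["SHA256"].lower())
    return key not in KNOWN_GOOD_LOADS


# Constructed hits (not real telemetry).
HITS = [
    # 1. the monitoring agent, from its install dir, loading the DLL we vetted
    {"InitiatingProcessFileName": "monagent.exe",
     "InitiatingProcessFolderPath": "D:\\MonAgent\\bin\\monagent.exe",
     "FolderPath": "D:\\MonAgent\\bin\\dbgcore.dll", "SHA256": "11" * 32},
    # 2. a dropper given the excluded name, running from a user-writable directory
    {"InitiatingProcessFileName": "monagent.exe",
     "InitiatingProcessFolderPath": "C:\\Users\\bob\\AppData\\Local\\Temp\\monagent.exe",
     "FolderPath": "C:\\Users\\bob\\AppData\\Local\\Temp\\dbgcore.dll", "SHA256": "22" * 32},
    # 3. the real agent path, but the DLL beside it has been replaced (a true sideload)
    {"InitiatingProcessFileName": "monagent.exe",
     "InitiatingProcessFolderPath": "D:\\MonAgent\\bin\\monagent.exe",
     "FolderPath": "D:\\MonAgent\\bin\\dbgcore.dll", "SHA256": "33" * 32},
    # 4. an unknown tool, kept by both approaches
    {"InitiatingProcessFileName": "tool.exe",
     "InitiatingProcessFolderPath": "C:\\Users\\bob\\Downloads\\tool.exe",
     "FolderPath": "C:\\Users\\bob\\Downloads\\dbgcore.dll", "SHA256": "44" * 32},
]


def remaining(hits, keep):
    """Apply an exclusion predicate; return FolderPath of the hits that survive."""
    return [h["FolderPath"] for h in hits if keep(h)]


if __name__ == "__main__":
    print("name-only keeps:", remaining(HITS, name_only_exclusion))
    print("scoped keeps:   ", remaining(HITS, scoped_exclusion))
```

The name-only filter leaves one alert out of four; the scoped filter leaves three, and the two it adds back (the Temp dropper and the replaced DLL in the agent's own directory) are exactly the cases the rule exists to catch. In KQL the scoped form is a `where not(InitiatingProcessFolderPath =~ "..." and SHA256 =~ "...")` clause per known-good pair.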
Scenario: Debugging or Profiling Tool Usage
Description: A developer