← Back to SOC feed Coverage →

Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location

sigma HIGH SigmaHQ
T1003T1562.001
DeviceImageLoadEvents
credential-theft
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-03-25T02:49:04Z · Confidence: low

Hunt Hypothesis

Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories. These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes o

Detection Rule

Sigma (Original)

title: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
id: 416bc4a2-7217-4519-8dc7-c3271817f1d5
related:
    - id: 9f5c1d59-33be-4e60-bcab-85d2f566effd
      type: similar
status: experimental
description: |
    Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories.
    These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.
references:
    - https://blog.axelarator.net/hunting-for-edr-freeze/
    - https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
    - https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-27
modified: 2026-01-09
tags:
    - attack.credential-access
    - attack.t1003
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: image_load
    product: windows
detection:
    selection_img:
        Image|contains:
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Users\Public\'
            - '\$Recycle.Bin\'
            - '\Contacts\'
            # - '\Desktop\'
            - '\Documents\'
            # - '\Downloads\'
            - '\Favorites\'
            - '\Favourites\'
            - '\inetpub\wwwroot\'
            - '\Music\'
            - '\Pictures\'
            - '\Start Menu\Programs\Startup\'
            - '\Users\Default\'
            - '\Videos\'
            #  - '\AppData\Local\Temp\' some installers may load from here
    selection_dll:
        ImageLoaded|endswith:
            - '\dbgcore.dll'
            - '\dbghelp.dll'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/info.yml

KQL (Microsoft 365 Defender)

DeviceImageLoadEvents
| where (InitiatingProcessFolderPath contains ":\\Perflogs\\" or InitiatingProcessFolderPath contains ":\\Temp\\" or InitiatingProcessFolderPath contains ":\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\$Recycle.Bin\\" or InitiatingProcessFolderPath contains "\\Contacts\\" or InitiatingProcessFolderPath contains "\\Documents\\" or InitiatingProcessFolderPath contains "\\Favorites\\" or InitiatingProcessFolderPath contains "\\Favourites\\" or InitiatingProcessFolderPath contains "\\inetpub\\wwwroot\\" or InitiatingProcessFolderPath contains "\\Music\\" or InitiatingProcessFolderPath contains "\\Pictures\\" or InitiatingProcessFolderPath contains "\\Start Menu\\Programs\\Startup\\" or InitiatingProcessFolderPath contains "\\Users\\Default\\" or InitiatingProcessFolderPath contains "\\Videos\\") and (FolderPath endswith "\\dbgcore.dll" or FolderPath endswith "\\dbghelp.dll")

Required Data Sources

Sentinel TableNotes
DeviceImageLoadEventsEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load.yml