
Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process

Status: test
Severity: medium
Author: Perez Diego (@darkquassar), oscd.community, Ecco
Source: github.com/SigmaHQ/sigma

Detects the load of dbghelp/dbgcore DLL by a potentially uncommon or potentially suspicious process. The Dbghelp and Dbgcore DLLs export functions that allow for the dump of process memory. Tools like ProcessHacker, Task Manager and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. Keep in mind that many legitimate Windows processes and services might load the aforementioned DLLs for debugging or other related purposes. Investigate the CommandLine and the Image location of the process loading the DLL.

MITRE ATT&CK coverage

Tactic             Technique
Credential Access  T1003.001 OS Credential Dumping: LSASS Memory

Event coverage

Provider  Event       Title
Sysmon    Event ID 7  Image loaded

Rule body (yaml)

title: Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process
id: 0e277796-5f23-4e49-a490-483131d4f6e1
related:
    - id: bdc64095-d59a-42a2-8588-71fd9c9d9abc # Unsigned Loading
      type: similar
status: test
description: |
    Detects the load of dbghelp/dbgcore DLL by a potentially uncommon or potentially suspicious process.
    The Dbghelp and Dbgcore DLLs export functions that allow for the dump of process memory. Tools like ProcessHacker, Task Manager and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.
    As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
    Keep in mind that many legitimate Windows processes and services might load the aforementioned DLLs for debugging or other related purposes. Investigate the CommandLine and the Image location of the process loading the DLL.
references:
    - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
    - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
    - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
author: Perez Diego (@darkquassar), oscd.community, Ecco
date: 2019-10-27
modified: 2024-03-01
tags:
    - attack.credential-access
    - attack.t1003.001
    - detection.threat-hunting
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\dbghelp.dll'
            - '\dbgcore.dll'
        Image|endswith:
            - '\bash.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\dnx.exe'
            - '\excel.exe'
            - '\monitoringhost.exe'
            - '\msbuild.exe'
            - '\mshta.exe'
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\regsvcs.exe'
            - '\rundll32.exe'
            - '\sc.exe'
            - '\scriptrunner.exe'
            - '\winword.exe'
            - '\wmic.exe'
            - '\wscript.exe'
            # - '\powershell.exe' # Note: Triggered by installing common software
            # - '\regsvr32.exe'  # Note: triggered by installing common software
            # - '\schtasks.exe'  # Note: triggered by installing software
            # - '\svchost.exe'  # Note: triggered by some services
    filter_main_tiworker:
        # Note: This filter requires "CommandLine" field enrichment
        CommandLine|startswith: 'C:\WINDOWS\WinSxS\'
        CommandLine|endswith: '\TiWorker.exe -Embedding'
    filter_main_generic:
        # Note: This filter requires "CommandLine" field enrichment
        Image|endswith: '\svchost.exe'
        CommandLine|endswith:
            - '-k LocalServiceNetworkRestricted'
            - '-k WerSvcGroup'
    filter_main_rundll32:
        # Note: This filter requires "CommandLine" field enrichment
        Image|endswith: '\rundll32.exe'
        CommandLine|contains:
            - '/d srrstr.dll,ExecuteScheduledSPPCreation'
            - 'aepdu.dll,AePduRunUpdate'
            - 'shell32.dll,OpenAs_RunDL'
            - 'Windows.Storage.ApplicationData.dll,CleanupTemporaryState'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Debugging scripts might leverage this DLL in order to dump process memory for further analysis.
level: medium

Stages and Predicates

Stage 0: condition

selection and not 1 of filter_main_*

Stage 1: selection

selection:
    ImageLoaded|endswith:
        - '\dbghelp.dll'
        - '\dbgcore.dll'
    Image|endswith:
        - '\bash.exe'
        - '\cmd.exe'
        - '\cscript.exe'
        - '\dnx.exe'
        - '\excel.exe'
        - '\monitoringhost.exe'
        - '\msbuild.exe'
        - '\mshta.exe'
        - '\outlook.exe'
        - '\powerpnt.exe'
        - '\regsvcs.exe'
        - '\rundll32.exe'
        - '\sc.exe'
        - '\scriptrunner.exe'
        - '\winword.exe'
        - '\wmic.exe'
        - '\wscript.exe'
        # - '\powershell.exe' # Note: Triggered by installing common software
        # - '\regsvr32.exe'  # Note: triggered by installing common software
        # - '\schtasks.exe'  # Note: triggered by installing software
        # - '\svchost.exe'  # Note: triggered by some services

Stage 2: not filter_main_*

filter_main_tiworker:
    # Note: This filter requires "CommandLine" field enrichment
    CommandLine|startswith: 'C:\WINDOWS\WinSxS\'
    CommandLine|endswith: '\TiWorker.exe -Embedding'
filter_main_generic:
    # Note: This filter requires "CommandLine" field enrichment
    Image|endswith: '\svchost.exe'
    CommandLine|endswith:
        - '-k LocalServiceNetworkRestricted'
        - '-k WerSvcGroup'
filter_main_rundll32:
    # Note: This filter requires "CommandLine" field enrichment
    Image|endswith: '\rundll32.exe'
    CommandLine|contains:
        - '/d srrstr.dll,ExecuteScheduledSPPCreation'
        - 'aepdu.dll,AePduRunUpdate'
        - 'shell32.dll,OpenAs_RunDL'
        - 'Windows.Storage.ApplicationData.dll,CleanupTemporaryState'
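
The stage decomposition above is the whole of the rule's logic, so here is an added example (written for this page, not code from SigmaHQ or its converters) that evaluates `selection and not 1 of filter_main_*` over constructed Sysmon Event ID 7 records with CommandLine enrichment; the sample events, the `SYS32` prefix and the function names are assumptions.

```python
# Added example, not part of the SigmaHQ rule or its tooling: applies this
# rule's condition (selection and not 1 of filter_main_*) to constructed
# Sysmon Event ID 7 records so the alerting and suppressed cases are visible.
SELECTION_DLLS = ("\\dbghelp.dll", "\\dbgcore.dll")
SELECTION_IMAGES = (
    "\\bash.exe", "\\cmd.exe", "\\cscript.exe", "\\dnx.exe", "\\excel.exe",
    "\\monitoringhost.exe", "\\msbuild.exe", "\\mshta.exe", "\\outlook.exe",
    "\\powerpnt.exe", "\\regsvcs.exe", "\\rundll32.exe", "\\sc.exe",
    "\\scriptrunner.exe", "\\winword.exe", "\\wmic.exe", "\\wscript.exe")
SVCHOST_BENIGN = ("-k LocalServiceNetworkRestricted", "-k WerSvcGroup")
RUNDLL32_BENIGN = (
    "/d srrstr.dll,ExecuteScheduledSPPCreation", "aepdu.dll,AePduRunUpdate",
    "shell32.dll,OpenAs_RunDL",
    "Windows.Storage.ApplicationData.dll,CleanupTemporaryState")

def _ends(value, suffixes):
    # Sigma string modifiers match case-insensitively by default.
    return any(value.lower().endswith(s.lower()) for s in suffixes)

def matches(event):
    """True when the rule fires for one image_load event."""
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    cmd = event.get("CommandLine", "")  # filters need CommandLine enrichment
    if not (_ends(loaded, SELECTION_DLLS) and _ends(image, SELECTION_IMAGES)):
        return False
    f_tiworker = (cmd.lower().startswith("c:\\windows\\winsxs\\")
                  and _ends(cmd, ("\\TiWorker.exe -Embedding",)))
    # Only reachable if '\svchost.exe' is uncommented in the selection list.
    f_generic = _ends(image, ("\\svchost.exe",)) and _ends(cmd, SVCHOST_BENIGN)
    f_rundll32 = (_ends(image, ("\\rundll32.exe",))
                  and any(s.lower() in cmd.lower() for s in RUNDLL32_BENIGN))
    return not (f_tiworker or f_generic or f_rundll32)

def triage(events):
    """Indexes of the events the rule would raise, in input order."""
    return [i for i, e in enumerate(events) if matches(e)]

# Constructed sample records; field names follow Sysmon Event ID 7.
SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    {"Image": SYS32 + "rundll32.exe", "ImageLoaded": SYS32 + "dbghelp.dll",
     "CommandLine": "rundll32.exe C:\\Users\\Public\\update.dll,Start"},  # fires
    {"Image": SYS32 + "rundll32.exe", "ImageLoaded": SYS32 + "dbgcore.dll",
     "CommandLine": "rundll32.exe shell32.dll,OpenAs_RunDLL C:\\Users\\Public\\a.pdf"},  # suppressed
    {"Image": SYS32 + "wscript.exe", "ImageLoaded": SYS32 + "dbghelp.dll",
     "CommandLine": "wscript.exe C:\\Users\\Public\\invoice.js"},  # fires
    {"Image": SYS32 + "svchost.exe", "ImageLoaded": SYS32 + "dbghelp.dll",
     "CommandLine": SYS32 + "svchost.exe -k WerSvcGroup"},  # not in selection
]
```

`triage(SAMPLE_EVENTS)` returns `[0, 2]`: the svchost.exe load is never selected because that image is commented out, which is also why filter_main_generic cannot suppress anything as the rule is written.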

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Stage  Field        Kind         Excluded value
2      CommandLine  ends_with    -k LocalServiceNetworkRestricted
2      CommandLine  ends_with    -k WerSvcGroup
2      Image        ends_with    \svchost.exe
2      CommandLine  match        /d srrstr.dll,ExecuteScheduledSPPCreation
2      CommandLine  match        Windows.Storage.ApplicationData.dll,CleanupTemporaryState
2      CommandLine  match        aepdu.dll,AePduRunUpdate
2      CommandLine  match        shell32.dll,OpenAs_RunDL
2      Image        ends_with    \rundll32.exe
2      CommandLine  ends_with    \TiWorker.exe -Embedding
2      CommandLine  starts_with  C:\WINDOWS\WinSxS\

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field        Kind        Values
Image        ends_with
  • \bash.exe corpus 22 (sigma 22)
  • \cmd.exe corpus 134 (sigma 134)
  • \cscript.exe corpus 76 (sigma 76)
  • \dnx.exe corpus 3 (sigma 3)
  • \excel.exe corpus 24 (sigma 24)
  • \monitoringhost.exe corpus 2 (sigma 2)
  • \msbuild.exe corpus 10 (sigma 10)
  • \mshta.exe corpus 69 (sigma 69)
  • \outlook.exe corpus 21 (sigma 21)
  • \powerpnt.exe corpus 19 (sigma 19)
  • \regsvcs.exe corpus 8 (sigma 8)
  • \rundll32.exe corpus 103 (sigma 103)
  • \sc.exe corpus 30 (sigma 30)
  • \scriptrunner.exe corpus 12 (sigma 12)
  • \winword.exe corpus 27 (sigma 27)
  • \wmic.exe corpus 61 (sigma 61)
  • \wscript.exe corpus 78 (sigma 78)
ImageLoaded  ends_with
  • \dbgcore.dll corpus 6 (sigma 6)
  • \dbghelp.dll corpus 6 (sigma 6)