Detection rules › Sigma
Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories. These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1562.001 Impair Defenses: Disable or Modify Tools |
| Credential Access | T1003 OS Credential Dumping |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 7 | Image loaded |
Stages and Predicates
Stage 1: all of selection_img
or:
Image|contains: ':\Perflogs\'
Image|contains: ':\Temp\'
Image|contains: ':\Users\Public\'
Image|contains: '\$Recycle.Bin\'
Image|contains: '\Contacts\'
Image|contains: '\Documents\'
Image|contains: '\Favorites\'
Image|contains: '\Favourites\'
Image|contains: '\Music\'
Image|contains: '\Pictures\'
Image|contains: '\Start Menu\Programs\Startup\'
Image|contains: '\Users\Default\'
Image|contains: '\Videos\'
Image|contains: '\inetpub\wwwroot\'
Stage 2: all of selection_dll
or:
ImageLoaded|endswith: '\dbgcore.dll'
ImageLoaded|endswith: '\dbghelp.dll'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Image | match |
|
ImageLoaded | ends_with |
|