EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location

Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories. These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.

MITRE ATT&CK

T1003T1562.001
credential-accessdefense-evasion

Detection Query

selection_img:
  Image|contains:
    - :\Perflogs\
    - :\Temp\
    - :\Users\Public\
    - \$Recycle.Bin\
    - \Contacts\
    - \Documents\
    - \Favorites\
    - \Favourites\
    - \inetpub\wwwroot\
    - \Music\
    - \Pictures\
    - \Start Menu\Programs\Startup\
    - \Users\Default\
    - \Videos\
selection_dll:
  ImageLoaded|endswith:
    - \dbgcore.dll
    - \dbghelp.dll
condition: all of selection_*

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Created

2025-11-27

Data Sources

windowsImage Load Events

Platforms

windows

References

Tags

attack.credential-accessattack.t1003attack.defense-evasionattack.t1562.001
Raw Content
title: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
id: 416bc4a2-7217-4519-8dc7-c3271817f1d5
related:
    - id: 9f5c1d59-33be-4e60-bcab-85d2f566effd
      type: similar
status: experimental
description: |
    Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories.
    These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.
references:
    - https://blog.axelarator.net/hunting-for-edr-freeze/
    - https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
    - https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-27
modified: 2026-01-09
tags:
    - attack.credential-access
    - attack.t1003
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: image_load
    product: windows
detection:
    selection_img:
        Image|contains:
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Users\Public\'
            - '\$Recycle.Bin\'
            - '\Contacts\'
            # - '\Desktop\'
            - '\Documents\'
            # - '\Downloads\'
            - '\Favorites\'
            - '\Favourites\'
            - '\inetpub\wwwroot\'
            - '\Music\'
            - '\Pictures\'
            - '\Start Menu\Programs\Startup\'
            - '\Users\Default\'
            - '\Videos\'
            #  - '\AppData\Local\Temp\' some installers may load from here
    selection_dll:
        ImageLoaded|endswith:
            - '\dbgcore.dll'
            - '\dbghelp.dll'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/info.yml