EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze

Detects the loading of dbgcore.dll or dbghelp.dll by WerFaultSecure.exe, which has been observed in EDR-Freeze attacks to suspend processes and evade detection. However, this behavior has also been observed during normal software installations, so further investigation is required to confirm malicious activity. When threat hunting, look for this activity in conjunction with other suspicious processes starting, network connections, or file modifications that occur shortly after the DLL load. Pay special attention to timing - if other malicious activities occur during or immediately after this library loading, it may indicate EDR evasion attempts. Also correlate with any EDR/AV process suspension events or gaps in security monitoring during the timeframe.

MITRE ATT&CK

T1685

Detection Query

selection:
  Image|endswith: \WerFaultSecure.exe
  ImageLoaded|endswith:
    - \dbgcore.dll
    - \dbghelp.dll
condition: selection

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Created

2025-11-27

Data Sources

windowsImage Load Events

Platforms

windows

References

Tags

attack.defense-impairmentattack.t1685detection.threat-hunting
Raw Content
title: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
id: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b
related:
    - id: 387df17d-3b04-448f-8669-9e7fd5e5fd8c
      type: similar
    - id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2
      type: similar
status: experimental
description: |
    Detects the loading of dbgcore.dll or dbghelp.dll by WerFaultSecure.exe, which has been observed in EDR-Freeze attacks to suspend processes and evade detection.
    However, this behavior has also been observed during normal software installations, so further investigation is required to confirm malicious activity.
    When threat hunting, look for this activity in conjunction with other suspicious processes starting, network connections, or file modifications that occur shortly after the DLL load.
    Pay special attention to timing - if other malicious activities occur during or immediately after this library loading, it may indicate EDR evasion attempts.
    Also correlate with any EDR/AV process suspension events or gaps in security monitoring during the timeframe.
references:
    - https://github.com/TwoSevenOneT/EDR-Freeze
    - https://blog.axelarator.net/hunting-for-edr-freeze/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-27
modified: 2026-01-09
tags:
    - attack.defense-impairment
    - attack.t1685
    - detection.threat-hunting
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\WerFaultSecure.exe'
        ImageLoaded|endswith:
            - '\dbgcore.dll'
            - '\dbghelp.dll'
    condition: selection
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules-threat-hunting/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/info.yml