Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location

Original Source: [Sigma source]
Title: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
Status: experimental
Description: Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories. These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.
References:
  - https://blog.axelarator.net/hunting-for-edr-freeze/
  - https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
  - https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Date: 2025-11-27
Modified: None
Tags:
  - attack.credential-access
  - attack.t1003
  - attack.defense-evasion
  - attack.t1562.001
Logsource:
  category: image_load
  product: windows
Detection:
  selection_img:
    Image|contains:
      - ':\Perflogs\'
      - ':\Temp\'
      - ':\Users\Public\'
      - '\$Recycle.Bin\'
      - '\Contacts\'
      - '\Desktop\'
      - '\Documents\'
      - '\Downloads\'
      - '\Favorites\'
      - '\Favourites\'
      - '\inetpub\wwwroot\'
      - '\Music\'
      - '\Pictures\'
      - '\Start Menu\Programs\Startup\'
      - '\Users\Default\'
      - '\Videos\'

  selection_dll:
    ImageLoaded|endswith:
      - '\dbgcore.dll'
      - '\dbghelp.dll'

  condition: all of selection_*
Falsepositives:
  - Possibly during software installation or update processes
Level: high
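To make the rule's logic concrete, here is an added Python sketch (not part of the Sigma rule or any Sigma tooling) that applies the two selections with Sigma's default case-insensitive contains/endswith semantics to a handful of constructed Sysmon image_load (Event ID 7) records. All paths and file names in the sample events are invented; the hits include the installer-in-C:\Temp case the Falsepositives field mentions, and one per-user AppData temp path shows where the ':\Temp\' pattern stops matching.

```python
from typing import Dict, List

# Patterns copied from the rule's selection_img and selection_dll.
# Backslashes are doubled because these are ordinary Python strings.
IMAGE_PATH_FRAGMENTS = [
    ":\\Perflogs\\", ":\\Temp\\", ":\\Users\\Public\\", "\\$Recycle.Bin\\",
    "\\Contacts\\", "\\Desktop\\", "\\Documents\\", "\\Downloads\\",
    "\\Favorites\\", "\\Favourites\\", "\\inetpub\\wwwroot\\", "\\Music\\",
    "\\Pictures\\", "\\Start Menu\\Programs\\Startup\\", "\\Users\\Default\\",
    "\\Videos\\",
]
DLL_SUFFIXES = ["\\dbgcore.dll", "\\dbghelp.dll"]


def matches_rule(event: Dict[str, str]) -> bool:
    """Evaluate 'all of selection_*': the process (Image) must run from an
    uncommon directory AND the loaded module must be dbgcore/dbghelp.
    Sigma modifiers match case-insensitively by default, hence the lower()."""
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    in_uncommon_dir = any(frag.lower() in image for frag in IMAGE_PATH_FRAGMENTS)
    is_debug_dll = any(loaded.endswith(suf.lower()) for suf in DLL_SUFFIXES)
    return in_uncommon_dir and is_debug_dll


def evaluate(events: List[Dict[str, str]]) -> List[int]:
    """Return the indexes of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


# Constructed Sysmon Event ID 7 (image_load) records; paths are invented.
SAMPLE_EVENTS = [
    # 0: system binary loading dbghelp from System32 -> no alert
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\dbghelp.dll"},
    # 1: unknown tool in Downloads loading its own copy of dbgcore -> alert
    {"Image": "C:\\Users\\alice\\Downloads\\tool.exe",
     "ImageLoaded": "C:\\Users\\alice\\Downloads\\dbgcore.dll"},
    # 2: Desktop binary loading the system DLL, mixed case -> alert
    {"Image": "C:\\Users\\alice\\Desktop\\app.exe",
     "ImageLoaded": "C:\\Windows\\System32\\DBGHELP.DLL"},
    # 3: per-user AppData temp dir: ':\Temp\' is anchored to a drive root,
    #    so this path is outside the rule's scope -> no alert
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
     "ImageLoaded": "C:\\Windows\\System32\\dbghelp.dll"},
    # 4: installer running from C:\Temp -> alert (the documented FP case)
    {"Image": "C:\\Temp\\installer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\dbghelp.dll"},
]

if __name__ == "__main__":
    print("alerting events:", evaluate(SAMPLE_EVENTS))  # [1, 2, 4]
```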