Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs

Original Source: [Sigma source]
Title: Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
Status: experimental
Description: Detects suspicious process access to LSASS.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace. These DLLs contain functions like MiniDumpWriteDump that can be abused for credential dumping purposes. While modern tools like Mimikatz have moved to using ntdll.dll, dbgcore.dll and dbghelp.dll are still used by basic credential dumping utilities and legacy tools for LSASS memory access and process suspension techniques.
References:
  - https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
  - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpwritedump
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Date: 2025-11-27
Modified: None
Tags:
  - 'attack.credential-access'
  - 'attack.t1003.001'
  - 'attack.defense-evasion'
  - 'attack.t1562.001'
Logsource:
  • category: process_access
  • product: windows
Detection:
  selection_lsass_calltrace:
    TargetImage|endswith: '\lsass.exe'
    CallTrace|contains:
      - 'dbgcore.dll'
      - 'dbghelp.dll'

  selection_susp_location:
    SourceImage|contains:
      - ':\Perflogs\'
      - ':\Temp\'
      - ':\Users\Public\'
      - '\$Recycle.Bin\'
      - '\AppData\Roaming\'
      - '\Contacts\'
      - '\Desktop\'
      - '\Documents\'
      - '\Downloads\'
      - '\Favorites\'
      - '\Favourites\'
      - '\inetpub\wwwroot\'
      - '\Music\'
      - '\Pictures\'
      - '\Start Menu\Programs\Startup\'
      - '\Users\Default\'
      - '\Videos\'
      - '\Windows\Temp\'

  condition: all of selection_*
Falsepositives:
  - Possibly during software installation or update processes
Level: high
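To show how the two selections and the `all of selection_*` condition above combine, here is the rule's logic written out in plain Python and run over a handful of constructed Sysmon Event ID 10 (ProcessAccess) records. This is an added example, not part of the Sigma rule or of any Sigma backend; the process names, paths and call-trace offsets in the sample records are made up, and the only assumption beyond the rule text is that Sigma's `contains`/`endswith` modifiers compare case-insensitively, which is why every string is lower-cased before matching.

```python
# Added example (not part of the Sigma rule): the rule's selections and its
# "all of selection_*" condition as plain Python, evaluated over constructed
# Sysmon Event ID 10 (ProcessAccess) records.

# Values copied from the rule. Sigma string modifiers match case-insensitively,
# so comparisons below are done on lower-cased strings.
CALLTRACE_DLLS = ("dbgcore.dll", "dbghelp.dll")
SUSPICIOUS_LOCATIONS = (
    ":\\Perflogs\\", ":\\Temp\\", ":\\Users\\Public\\", "\\$Recycle.Bin\\",
    "\\AppData\\Roaming\\", "\\Contacts\\", "\\Desktop\\", "\\Documents\\",
    "\\Downloads\\", "\\Favorites\\", "\\Favourites\\", "\\inetpub\\wwwroot\\",
    "\\Music\\", "\\Pictures\\", "\\Start Menu\\Programs\\Startup\\",
    "\\Users\\Default\\", "\\Videos\\", "\\Windows\\Temp\\",
)


def selection_lsass_calltrace(event):
    """TargetImage|endswith '\\lsass.exe' AND CallTrace|contains one of the DLLs."""
    target = event.get("TargetImage", "").lower()
    calltrace = event.get("CallTrace", "").lower()
    return target.endswith("\\lsass.exe") and any(d in calltrace for d in CALLTRACE_DLLS)


def selection_susp_location(event):
    """SourceImage|contains one of the uncommon directories."""
    source = event.get("SourceImage", "").lower()
    return any(p.lower() in source for p in SUSPICIOUS_LOCATIONS)


def matches_rule(event):
    """condition: all of selection_* -> both selections must hold."""
    return selection_lsass_calltrace(event) and selection_susp_location(event)


def matching_indexes(events):
    """Indexes of the records that would fire the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


# Constructed sample records in the shape of Sysmon Event ID 10 fields.
# Process names, paths and +offsets are made up for illustration only.
SAMPLE_EVENTS = [
    {   # 0: tool in a user's Downloads folder, dbgcore in the trace -> fires
        "SourceImage": "C:\\Users\\alice\\Downloads\\dumptool.exe",
        "TargetImage": "C:\\Windows\\System32\\lsass.exe",
        "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d2e4|"
                     "C:\\Windows\\System32\\KERNELBASE.dll+2e0b6|"
                     "C:\\Windows\\SYSTEM32\\DBGCORE.DLL+1a3c2|"
                     "C:\\Users\\alice\\Downloads\\dumptool.exe+1b37",
    },
    {   # 1: same trace, but the source sits under Program Files -> no fire
        "SourceImage": "C:\\Program Files\\Vendor EDR\\agent.exe",
        "TargetImage": "C:\\Windows\\System32\\lsass.exe",
        "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d2e4|"
                     "C:\\Windows\\SYSTEM32\\dbghelp.dll+4f10|"
                     "C:\\Program Files\\Vendor EDR\\agent.exe+9a0",
    },
    {   # 2: suspicious location, but only ntdll in the trace -> no fire
        #    (this is the blind spot the description mentions for ntdll-based tools)
        "SourceImage": "C:\\Users\\Public\\tool.exe",
        "TargetImage": "C:\\Windows\\System32\\lsass.exe",
        "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d2e4|"
                     "C:\\Windows\\System32\\KERNELBASE.dll+2e0b6|"
                     "C:\\Users\\Public\\tool.exe+2210",
    },
    {   # 3: installer running from \Windows\Temp\ with dbghelp -> fires
        #    (the false-positive case listed under Falsepositives)
        "SourceImage": "C:\\Windows\\Temp\\setup_tmp\\installer.exe",
        "TargetImage": "C:\\Windows\\System32\\lsass.exe",
        "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d2e4|"
                     "C:\\Windows\\SYSTEM32\\dbghelp.dll+4f10|"
                     "C:\\Windows\\Temp\\setup_tmp\\installer.exe+3c4",
    },
    {   # 4: dbghelp from Downloads, but the target is not lsass -> no fire
        "SourceImage": "C:\\Users\\alice\\Downloads\\dumptool.exe",
        "TargetImage": "C:\\Windows\\System32\\svchost.exe",
        "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d2e4|"
                     "C:\\Windows\\SYSTEM32\\dbghelp.dll+4f10|"
                     "C:\\Users\\alice\\Downloads\\dumptool.exe+1b37",
    },
]

if __name__ == "__main__":
    for i in matching_indexes(SAMPLE_EVENTS):
        print(f"event {i} fires: {SAMPLE_EVENTS[i]['SourceImage']}")
```

Records 0 and 3 fire. Record 3 is the installer case the rule's false-positive note describes, and record 2 shows the gap the description acknowledges: a tool that reaches LSASS through ntdll.dll alone never has the DLL strings in its CallTrace, so this rule is a complement to, not a replacement for, GrantedAccess-based LSASS rules.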