LoFP / possibly during software installation or update processes

Techniques

Sample rules

Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs

Description

Detects suspicious process access to LSASS.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace. These DLLs contain functions like MiniDumpWriteDump that can be abused for credential dumping purposes. While modern tools like Mimikatz have moved to using ntdll.dll, dbgcore.dll and dbghelp.dll are still used by basic credential dumping utilities and legacy tools for LSASS memory access and process suspension techniques.

Detection logic

condition: all of selection_*
selection_lsass_calltrace:
  CallTrace|contains:
  - dbgcore.dll
  - dbghelp.dll
  TargetImage|endswith: \lsass.exe
selection_susp_location:
  SourceImage|contains:
  - :\Perflogs\
  - :\Temp\
  - :\Users\Public\
  - \$Recycle.Bin\
  - \AppData\Roaming\
  - \Contacts\
  - \Desktop\
  - \Documents\
  - \Downloads\
  - \Favorites\
  - \Favourites\
  - \inetpub\wwwroot\
  - \Music\
  - \Pictures\
  - \Start Menu\Programs\Startup\
  - \Users\Default\
  - \Videos\
  - \Windows\Temp\

Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location

Description

Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories. These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.

Detection logic

condition: all of selection_*
selection_dll:
  ImageLoaded|endswith:
  - \dbgcore.dll
  - \dbghelp.dll
selection_img:
  Image|contains:
  - :\Perflogs\
  - :\Temp\
  - :\Users\Public\
  - \$Recycle.Bin\
  - \Contacts\
  - \Desktop\
  - \Documents\
  - \Downloads\
  - \Favorites\
  - \Favourites\
  - \inetpub\wwwroot\
  - \Music\
  - \Pictures\
  - \Start Menu\Programs\Startup\
  - \Users\Default\
  - \Videos\
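Both rules above reduce to the same two checks, a filename suffix test and an any-of path substring test, so here is one added Python example, not from the LoFP project or the rule authors, that evaluates both selections over constructed Sysmon-style events. Every event value is made up; the installer running from a user's Downloads folder illustrates the false positive this page is named for.

```python
# Path fragments copied from the rule logic above; the image-load rule omits two of them.
SUSP_LOCATIONS_ACCESS = [
    ":\\Perflogs\\", ":\\Temp\\", ":\\Users\\Public\\", "\\$Recycle.Bin\\",
    "\\AppData\\Roaming\\", "\\Contacts\\", "\\Desktop\\", "\\Documents\\",
    "\\Downloads\\", "\\Favorites\\", "\\Favourites\\", "\\inetpub\\wwwroot\\",
    "\\Music\\", "\\Pictures\\", "\\Start Menu\\Programs\\Startup\\",
    "\\Users\\Default\\", "\\Videos\\", "\\Windows\\Temp\\",
]
SUSP_LOCATIONS_LOAD = [p for p in SUSP_LOCATIONS_ACCESS
                       if p not in ("\\AppData\\Roaming\\", "\\Windows\\Temp\\")]

def _contains_any(value, needles):
    # Sigma 'contains' is case-insensitive unless a case modifier is set.
    v = value.lower()
    return any(n.lower() in v for n in needles)

def lsass_access_with_dbghelp(event):
    """Sysmon EID 10: LSASS target, dbgcore/dbghelp in CallTrace, source in an uncommon path."""
    return (event.get("TargetImage", "").lower().endswith("\\lsass.exe")
            and _contains_any(event.get("CallTrace", ""), ["dbgcore.dll", "dbghelp.dll"])
            and _contains_any(event.get("SourceImage", ""), SUSP_LOCATIONS_ACCESS))

def dbghelp_load_from_uncommon_location(event):
    """Sysmon EID 7: dbgcore/dbghelp loaded by an image running from an uncommon path."""
    loaded = event.get("ImageLoaded", "").lower()
    return (loaded.endswith(("\\dbgcore.dll", "\\dbghelp.dll"))
            and _contains_any(event.get("Image", ""), SUSP_LOCATIONS_LOAD))

# Constructed sample events (not real telemetry), keyed like the Sysmon fields the rules use.
EVENTS = [
    {"EventID": 10, "SourceImage": "C:\\Users\\alice\\Downloads\\suspicious-tool.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9c7a4|C:\\Windows\\SYSTEM32\\dbghelp.dll+1a2b3"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\taskmgr.exe",   # system path: no hit
     "TargetImage": "C:\\Windows\\System32\\lsass.exe",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9c7a4|C:\\Windows\\SYSTEM32\\dbghelp.dll+1a2b3"},
    {"EventID": 7, "Image": "C:\\Users\\bob\\Downloads\\vendor-setup.exe",   # installer: the FP
     "ImageLoaded": "C:\\Windows\\System32\\DBGHELP.DLL"},
    {"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe",            # installed app: no hit
     "ImageLoaded": "C:\\Windows\\System32\\dbghelp.dll"},
]

def run_rules(events):
    """Return (event index, rule title) pairs for every event that fires a rule."""
    hits = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 10 and lsass_access_with_dbghelp(ev):
            hits.append((i, "Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs"))
        if ev["EventID"] == 7 and dbghelp_load_from_uncommon_location(ev):
            hits.append((i, "Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location"))
    return hits
```

Event 2 fires the image-load rule even though it is a plain installer doing crash-reporting setup, which is why tuning on signer or the installer's parent process is usually needed before alerting on that rule alone.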