Rule Info

Name: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories. Both DLLs export the MiniDumpWriteDump function, which can be abused to dump process memory for credential theft or, in some cases, to evade EDR/AV detection by suspending security processes.
Date: 2025-11-27 00:00:00
Modified: 2026-01-09 00:00:00
Id: 416bc4a2-7217-4519-8dc7-c3271817f1d5
Tags: attack.credential-access attack.defense-impairment attack.t1003 attack.t1685
Type: Community Rule
Rule History

Author                     | Title                                                                                     | Date
---------------------------|-------------------------------------------------------------------------------------------|-----------
Nasreddine Bencherchali    | Merge PR #5966 from @nasbench - Update mitre tags to use attack v19                        | 2026-04-29
Swachchhanda Shrawan Poudel | Merge PR #5832 from @swachchhanda000 - fix: edr-freeze rules FPs analysed from VT         | 2026-03-19
Swachchhanda Shrawan Poudel | Merge PR #5777 from @swachchhanda000 - feat: more edrfreeze rules                         | 2025-12-10
