Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location

Rule Info

Name: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories. These DLLs export the MiniDumpWriteDump function, which can be abused for credential dumping or, in some cases, for evading EDR/AV detection by suspending processes.
Date: 2025-11-27 00:00:00
Modified: None
Id: 416bc4a2-7217-4519-8dc7-c3271817f1d5
Tags: attack.credential-access attack.t1003 attack.defense-evasion attack.t1562.001
Type: Community Rule
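The description above states the detection idea (dbgcore.dll or dbghelp.dll loaded from somewhere other than the usual Windows system directories) but not the rule's own selection logic. The following is an added Python example, not the Sigma rule itself and not code from the rule's author. It assumes image-load events in the shape of Sysmon Event ID 7 (fields Image and ImageLoaded), uses constructed sample events, and uses an illustrative allowlist of expected load locations that you would tune to your environment (vendor software under Program Files legitimately ships its own copy of dbghelp.dll).

```python
"""Flag dbgcore.dll / dbghelp.dll image loads from outside expected locations.

Added example; it is not the Sigma rule's logic and not the rule author's code.
"""
import ntpath

# Assumption: events shaped like Sysmon Event ID 7 (Image Loaded).
# Image = the process doing the loading, ImageLoaded = full path of the DLL.
# All events below are constructed sample data, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\dbghelp.dll"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\tool.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\dbgcore.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\dbghelp.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 1, "Image": r"C:\Users\bob\Downloads\x.exe",
     "ImageLoaded": ""},
]

# The two DLLs named in the rule description.
TARGET_DLLS = {"dbgcore.dll", "dbghelp.dll"}

# Assumption: directories from which these DLLs are expected to load.
# The rule's real allowlist is not on the page; Program Files is included here
# because vendor software commonly bundles its own dbghelp.dll. Tune as needed.
EXPECTED_PREFIXES = (
    r"c:\windows\system32\\".rstrip("\\") + "\\",
    r"c:\windows\syswow64\\".rstrip("\\") + "\\",
    r"c:\windows\winsxs\\".rstrip("\\") + "\\",
    r"c:\program files\\".rstrip("\\") + "\\",
    r"c:\program files (x86)\\".rstrip("\\") + "\\",
)


def normalize_path(path):
    """Lower-case and convert forward slashes so prefix checks are consistent."""
    return path.replace("/", "\\").lower()


def is_suspicious_load(event):
    """True when a target DLL is loaded from outside the expected directories."""
    if event.get("EventID") != 7:
        return False  # only image-load events are relevant
    path = normalize_path(event.get("ImageLoaded", ""))
    if ntpath.basename(path) not in TARGET_DLLS:
        return False  # some other DLL; not in scope
    return not path.startswith(EXPECTED_PREFIXES)


def find_suspicious_loads(events):
    """Return (loading process, DLL path) pairs for every suspicious event."""
    return [(e["Image"], e["ImageLoaded"]) for e in events if is_suspicious_load(e)]


if __name__ == "__main__":
    for image, dll in find_suspicious_loads(SAMPLE_EVENTS):
        print(f"ALERT: {image} loaded {dll}")
```

Only the Temp-directory load is reported with the sample data; the System32 and Program Files loads are treated as expected. In a real deployment the loading process (Image) is the more useful pivot for triage, since a minidump helper loaded by an unsigned binary in a user-writable directory is the combination the rule description is pointing at.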

Rule History

Author: Swachchhanda Shrawan Poudel
Title: Merge PR #5777 from @swachchhanda000 - feat: more edrfreeze rules
Date: 2025-12-10
Commit: