Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs

Rule Info

Name
Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects a process running from an uncommon location accessing LSASS.exe with dbgcore.dll or dbghelp.dll present in the call trace. Both DLLs export functions such as MiniDumpWriteDump that can be abused to dump LSASS memory for credential theft. Modern tooling such as Mimikatz has moved to calling ntdll.dll directly, but dbgcore.dll and dbghelp.dll are still used by basic credential-dumping utilities and legacy tools, both to read LSASS memory and to suspend processes.
Date
2025-11-27
Modified
None
Id
9f5c1d59-33be-4e60-bcab-85d2f566effd
Tags
attack.credential-access attack.t1003.001 attack.defense-evasion attack.t1562.001
Type
Community Rule
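The detection described above, expressed in Python over constructed Sysmon Event ID 10 (ProcessAccess) records, as an added example that is not the rule's own logic and not code from Nextron Systems. The allow-list of "common locations" in COMMON_SOURCE_PREFIXES is an assumption standing in for the rule's filter, which is not reproduced on this page; the four sample events are constructed and carry no real GUIDs or process IDs.

```python
"""Added example: re-implementation of the LSASS/dbghelp detection over Sysmon text."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumption: the Sigma rule's own "common location" filter is not shown on the
# page; these prefixes are illustrative stand-ins, not the rule's list.
COMMON_SOURCE_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
DEBUG_DLLS = ("dbgcore.dll", "dbghelp.dll")


@dataclass
class ProcessAccessEvent:
    """Fields of Sysmon Event ID 10 (ProcessAccess) used by the check."""
    source_image: str
    target_image: str
    granted_access: str
    call_trace: str


def parse_sysmon_text(raw: str) -> List[ProcessAccessEvent]:
    """Parse Sysmon's rendered 'Key: Value' message text, one event per blank-line-separated block."""
    events: List[ProcessAccessEvent] = []
    for block in re.split(r"\n\s*\n", raw.strip()):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            # partition on the first ': ' so 'C:\...' paths in values survive
            key, sep, value = line.partition(": ")
            if sep:
                fields[key.strip()] = value.strip()
        if "SourceImage" in fields:
            events.append(ProcessAccessEvent(
                fields["SourceImage"], fields.get("TargetImage", ""),
                fields.get("GrantedAccess", ""), fields.get("CallTrace", "")))
    return events


def call_trace_modules(call_trace: str) -> List[str]:
    """CallTrace is '|'-separated 'module+offset' frames; return lower-cased module file names."""
    names: List[str] = []
    for frame in call_trace.split("|"):
        module = frame.split("+", 1)[0].strip().lower()
        if module:
            names.append(module.rsplit("\\", 1)[-1])
    return names


def is_suspicious_lsass_access(ev: ProcessAccessEvent) -> bool:
    """Target is lsass.exe, a debug-help DLL is on the call stack, source is not in a common location."""
    if not ev.target_image.lower().endswith("\\lsass.exe"):
        return False
    if not any(name in DEBUG_DLLS for name in call_trace_modules(ev.call_trace)):
        return False
    return not ev.source_image.lower().startswith(COMMON_SOURCE_PREFIXES)


def detect(raw: str) -> List[str]:
    """Return the SourceImage of every event that matches the detection."""
    return [ev.source_image for ev in parse_sysmon_text(raw) if is_suspicious_lsass_access(ev)]


# Constructed sample events (not real telemetry). Only the first should fire:
# event 2 is Task Manager from System32 (common location), event 3 has no
# debug-help DLL on the stack (Mimikatz-style ntdll-only access, outside this
# rule's scope), event 4 does not target lsass.exe.
SAMPLE_EVENTS = r"""
Process accessed:
RuleName: -
UtcTime: 2025-11-27 10:15:02.123
SourceImage: C:\Users\Public\dumper.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\KERNELBASE.dll+2c0ee|C:\Users\Public\dbgcore.dll+1f9a|C:\Users\Public\dumper.exe+13a2

Process accessed:
RuleName: -
UtcTime: 2025-11-27 10:16:40.551
SourceImage: C:\Windows\System32\Taskmgr.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\SYSTEM32\dbghelp.dll+3c1e0|C:\Windows\System32\Taskmgr.exe+8f3a

Process accessed:
RuleName: -
UtcTime: 2025-11-27 10:18:11.004
SourceImage: C:\Users\bob\AppData\Local\Temp\mk.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1010
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Users\bob\AppData\Local\Temp\mk.exe+51a3

Process accessed:
RuleName: -
UtcTime: 2025-11-27 10:19:27.777
SourceImage: C:\Users\Public\dumper.exe
TargetImage: C:\Windows\System32\notepad.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Users\Public\dbghelp.dll+3c1e0|C:\Users\Public\dumper.exe+13a2
"""

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT suspicious LSASS access:", hit)
```

The module match is done on the file name of each CallTrace frame, so a dbghelp.dll copied next to the dumper (as in the first sample) is caught the same as the copy in System32, and the comparison is case-insensitive because Sysmon preserves the on-disk casing of each module path. The check deliberately does not require a particular GrantedAccess value, since the rule text on this page does not mention one; a practitioner tuning this in a SIEM would usually review the access mask alongside the hit rather than filter on it.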

Rule History

Author
Swachchhanda Shrawan Poudel
Title
Merge PR #5777 from @swachchhanda000 - feat: more edrfreeze rules
Date
2025-12-10
Commit