Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects the load of dbghelp/dbgcore DLL by a potentially uncommon or potentially suspicious process. The Dbghelp and Dbgcore DLLs export functions that allow for the dump of process memory. Tools like ProcessHacker, Task Manager and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. Keep in mind that many legitimate Windows processes and services might load the aforementioned DLLs for debugging or other related purposes. Investigate the CommandLine and the Image location of the process loading the DLL.
Severity
Trouble
Rule Requirement
Criteria
Action1: actionname = "sa_imageloaded" AND (OBJECTNAME endswith "\dbghelp.dll,\dbgcore.dll" AND PROCESSNAME endswith "\bash.exe,\cmd.exe,\cscript.exe,\dnx.exe,\excel.exe,\monitoringhost.exe,\msbuild.exe,\mshta.exe,\outlook.exe,\powerpnt.exe,\regsvcs.exe,\rundll32.exe,\sc.exe,\scriptrunner.exe,\winword.exe,\wmic.exe,\wscript.exe") AND ((COMMANDLINE notstartswith "C:\WINDOWS\WinSxS" OR COMMANDLINE notendswith "\TiWorker.exe -Embedding") AND (PROCESSNAME notendswith "\svchost.exe" OR COMMANDLINE notendswith "-k LocalServiceNetworkRestricted,-k WerSvcGroup") AND (PROCESSNAME notendswith "\rundll32.exe" OR COMMANDLINE notcontains "/d srrstr.dll,ExecuteScheduledSPPCreation,aepdu.dll,AePduRunUpdate,shell32.dll,OpenAs_RunDL,Windows.Storage.ApplicationData.dll,CleanupTemporaryState")) select Action1.HOSTNAME,Action1.MESSAGE,Action1.PROCESSNAME,Action1.PRODUCT_NAME,Action1.OBJECTNAME
Detection
Execution Mode
realtime
Log Sources
Windows
Author
Perez Diego (@darkquassar), oscd.community, Ecco
