
Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location (416bc4a2-7217-4519-8dc7-c3271817f1d5)

Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories. These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location (416bc4a2-7217-4519-8dc7-c3271817f1d5) | Sigma-Rules | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 1
Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location (416bc4a2-7217-4519-8dc7-c3271817f1d5) | Sigma-Rules | OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | 1
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 2