Merge PR #5777 from @swachchhanda000 - feat: more edrfreeze rules

new: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze new: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location new: Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs new: Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze update: Hacktool - EDR-Freeze Execution - add more coverage --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-12-10 20:14:38 +05:45
parent cce4545c10
commit c5b881019a
29 changed files with 721 additions and 2 deletions
@@ -73,3 +73,4 @@ de587dce-915e-4218-aac4-835ca6af6f70;Potential Persistence Attempt Via Run Keys
 8fbf3271-1ef6-4e94-8210-03c2317947f6;Cred Dump Tools Dropped Files;Svchost\.exe
 c7da8edc-49ae-45a2-9e61-9fd860e4e73d;PUA - Sysinternals Tools Execution - Registry;.*
 dcff7e85-d01f-4eb5-badd-84e2e6be8294;Windows Default Domain GPO Modification via GPME;Computer: WIN-FPV0DSIC9O6.sigma.fr
+416bc4a2-7217-4519-8dc7-c3271817f1d5;Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location;procexp64\.exe 
@@ -0,0 +1,59 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 7,
+      "Version": 3,
+      "Level": 4,
+      "Task": 7,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-11-27T07:57:32.309580Z"
+        }
+      },
+      "EventRecordID": 676402,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3544,
+          "ThreadID": 4264
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2025-11-27 07:57:32.308",
+      "ProcessGuid": "0197231E-046C-6928-160C-000000000D00",
+      "ProcessId": 296,
+      "Image": "C:\\Users\\Public\\wsass\\WerFaultSecure.exe",
+      "ImageLoaded": "C:\\Windows\\System32\\dbgcore.dll",
+      "FileVersion": "10.0.26100.7019 (WinBuild.160101.0800)",
+      "Description": "Windows Core Debugging Helpers",
+      "Product": "Microsoft® Windows® Operating System",
+      "Company": "Microsoft Corporation",
+      "OriginalFileName": "DBGCORE.DLL",
+      "Hashes": "SHA1=5E4F2C531C549BB72A658ED9DD16D491EDDBB286,MD5=FAB4B30C1C4F0A9202A7B42DCF1729DC,SHA256=1B48A4F8D20026E6C56E3AB4CC4788FA6425C8A75F8D91C2869FA533DE6B209E,IMPHASH=C324AAAC01F0F75C811E1F80C41B860C",
+      "Signed": "true",
+      "Signature": "Microsoft Windows",
+      "SignatureStatus": "Valid",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}
@@ -0,0 +1,12 @@
+id: bc1c627e-6529-459d-9bd6-74ffb88b3320
+description: N/A
+date: 2025-11-27
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 416bc4a2-7217-4519-8dc7-c3271817f1d5
+      title: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      path: regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/416bc4a2-7217-4519-8dc7-c3271817f1d5.evtx
@@ -0,0 +1,59 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 7,
+      "Version": 3,
+      "Level": 4,
+      "Task": 7,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-11-27T07:40:10.165324Z"
+        }
+      },
+      "EventRecordID": 571146,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3544,
+          "ThreadID": 4272
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2025-11-27 07:40:10.132",
+      "ProcessGuid": "0197231E-005A-6928-A50B-000000000D00",
+      "ProcessId": 4460,
+      "Image": "C:\\Windows\\System32\\WerFaultSecure.exe",
+      "ImageLoaded": "C:\\Windows\\System32\\dbgcore.dll",
+      "FileVersion": "10.0.26100.7019 (WinBuild.160101.0800)",
+      "Description": "Windows Core Debugging Helpers",
+      "Product": "Microsoft® Windows® Operating System",
+      "Company": "Microsoft Corporation",
+      "OriginalFileName": "DBGCORE.DLL",
+      "Hashes": "SHA1=5E4F2C531C549BB72A658ED9DD16D491EDDBB286,MD5=FAB4B30C1C4F0A9202A7B42DCF1729DC,SHA256=1B48A4F8D20026E6C56E3AB4CC4788FA6425C8A75F8D91C2869FA533DE6B209E,IMPHASH=C324AAAC01F0F75C811E1F80C41B860C",
+      "Signed": "true",
+      "Signature": "Microsoft Windows",
+      "SignatureStatus": "Valid",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}
@@ -0,0 +1,12 @@
+id: 63b16abe-2d5c-4a2f-b0ae-f1bc4580e40c
+description: N/A
+date: 2025-11-27
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b
+      title: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      path: regression_data/rules/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b.evtx
@@ -0,0 +1,56 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 10,
+      "Version": 3,
+      "Level": 4,
+      "Task": 10,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-11-27T07:57:32.317336Z"
+        }
+      },
+      "EventRecordID": 676404,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3544,
+          "ThreadID": 4264
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2025-11-27 07:57:32.315",
+      "SourceProcessGUID": "0197231E-046C-6928-160C-000000000D00",
+      "SourceProcessId": 296,
+      "SourceThreadId": 5260,
+      "SourceImage": "C:\\Users\\Public\\wsass\\WerFaultSecure.exe",
+      "TargetProcessGUID": "0197231E-2DD5-691E-0C00-000000000D00",
+      "TargetProcessId": 860,
+      "TargetImage": "C:\\WINDOWS\\system32\\lsass.exe",
+      "GrantedAccess": "0x1fffff",
+      "CallTrace": "C:\\WINDOWS\\SYSTEM32\\ntdll.dll+16bcc4|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+17aee0|C:\\WINDOWS\\SYSTEM32\\KERNEL32.DLL+7f7dc|C:\\WINDOWS\\SYSTEM32\\KERNEL32.DLL+c8d28|C:\\WINDOWS\\SYSTEM32\\dbgcore.DLL+44c34|C:\\WINDOWS\\SYSTEM32\\dbgcore.DLL+48f2c|C:\\WINDOWS\\SYSTEM32\\dbgcore.DLL+3d414|C:\\WINDOWS\\SYSTEM32\\dbgcore.DLL+29c7c|C:\\WINDOWS\\SYSTEM32\\dbgcore.DLL+2a1f0|C:\\WINDOWS\\SYSTEM32\\dbgcore.DLL+4f894|C:\\Users\\Public\\wsass\\WerFaultSecure.exe+3a64|C:\\Users\\Public\\wsass\\WerFaultSecure.exe+2576|C:\\Users\\Public\\wsass\\WerFaultSecure.exe+20c9|C:\\Users\\Public\\wsass\\WerFaultSecure.exe+1a0b|C:\\Users\\Public\\wsass\\WerFaultSecure.exe+48cc|C:\\WINDOWS\\SYSTEM32\\KERNEL32.DLL+f17ac",
+      "SourceUser": "swachchhanda\\xodih",
+      "TargetUser": "NT AUTHORITY\\SYSTEM"
+    }
+  }
+}
@@ -0,0 +1,12 @@
+id: f0a580dc-386c-4049-8ca4-cef9f956dc4c
+description: N/A
+date: 2025-11-27
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 9f5c1d59-33be-4e60-bcab-85d2f566effd
+      title: Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      path: regression_data/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load/9f5c1d59-33be-4e60-bcab-85d2f566effd.evtx
@@ -0,0 +1,56 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 10,
+      "Version": 3,
+      "Level": 4,
+      "Task": 10,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-11-27T07:22:22.033828Z"
+        }
+      },
+      "EventRecordID": 445923,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3544,
+          "ThreadID": 4264
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2025-11-27 07:22:22.031",
+      "SourceProcessGUID": "0197231E-FC2D-6927-810B-000000000D00",
+      "SourceProcessId": 7224,
+      "SourceThreadId": 4144,
+      "SourceImage": "C:\\Windows\\System32\\WerFaultSecure.exe",
+      "TargetProcessGUID": "0197231E-2DD8-691E-4D00-000000000D00",
+      "TargetProcessId": 3472,
+      "TargetImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.25100.9008-0\\MsMpEng.exe",
+      "GrantedAccess": "0x1fffff",
+      "CallTrace": "C:\\WINDOWS\\SYSTEM32\\ntdll.dll+1284|C:\\WINDOWS\\SYSTEM32\\KERNEL32.DLL+185c4|C:\\WINDOWS\\SYSTEM32\\KERNEL32.DLL+4fe50|C:\\Windows\\System32\\dbgcore.DLL+164cc|C:\\Windows\\System32\\dbgcore.DLL+23e6c|C:\\Windows\\System32\\dbgcore.DLL+1b230|C:\\Windows\\System32\\dbgcore.DLL+112b4|C:\\Windows\\System32\\dbgcore.DLL+117a8|C:\\Windows\\System32\\WerFaultSecure.exe+115a4|C:\\Windows\\System32\\WerFaultSecure.exe+6a9c|C:\\Windows\\System32\\WerFaultSecure.exe+7378|C:\\Windows\\System32\\WerFaultSecure.exe+834c|C:\\Windows\\System32\\WerFaultSecure.exe+2748|C:\\Windows\\System32\\WerFaultSecure.exe+27e4|C:\\WINDOWS\\SYSTEM32\\KERNEL32.DLL+8740|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+d4464",
+      "SourceUser": "swachchhanda\\xodih",
+      "TargetUser": "NT AUTHORITY\\SYSTEM"
+    }
+  }
+}
@@ -0,0 +1,12 @@
+id: bd66a891-01c3-40b6-aafd-5c1676b44cf3
+description: N/A
+date: 2025-11-27
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 387df17d-3b04-448f-8669-9e7fd5e5fd8c
+      title: Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      path: regression_data/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access/387df17d-3b04-448f-8669-9e7fd5e5fd8c.evtx
@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-11-27T08:12:45.123135Z"
+        }
+      },
+      "EventRecordID": 733841,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3544,
+          "ThreadID": 4264
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2025-11-27 08:12:45.093",
+      "ProcessGuid": "0197231E-07FD-6928-290C-000000000D00",
+      "ProcessId": 9388,
+      "Image": "C:\\Users\\xodih\\Downloads\\EDRFreeze-gnu.exe",
+      "FileVersion": "-",
+      "Description": "-",
+      "Product": "-",
+      "Company": "-",
+      "OriginalFileName": "-",
+      "CommandLine": "EDRFreeze-gnu.exe  3472 10000",
+      "CurrentDirectory": "C:\\Users\\xodih\\Downloads\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-B736-6923-B25C-3B0000000000",
+      "LogonId": "0x3b5cb2",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "High",
+      "Hashes": "SHA1=67582B0B646E9E23846A8A9D9E412DCFABC0CCA0,MD5=A3BE334229BEBE056335780502747595,SHA256=0502C36D1F146A6B6BE31F7D7D65FEEF96A3FB3F3743DFFC38BB47AE426849F3,IMPHASH=AB8BB31EDD91D2A05FE7B62A535E9EB7",
+      "ParentProcessGuid": "0197231E-CC5A-6927-B80A-000000000D00",
+      "ParentProcessId": 4952,
+      "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+      "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}
@@ -0,0 +1,12 @@
+id: f668b689-59c5-41a7-bc0b-22168d3df14e
+description: N/A
+date: 2025-11-27
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: c598cc0c-9e70-4852-b9eb-8921af79f598
+      title: Hacktool - EDR-Freeze Execution
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze/c598cc0c-9e70-4852-b9eb-8921af79f598.evtx
@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-11-27T07:57:32.087108Z"
+        }
+      },
+      "EventRecordID": 676334,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3544,
+          "ThreadID": 4264
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2025-11-27 07:57:32.080",
+      "ProcessGuid": "0197231E-046C-6928-150C-000000000D00",
+      "ProcessId": 7088,
+      "Image": "C:\\Users\\Public\\wsass\\WSASS.exe",
+      "FileVersion": "-",
+      "Description": "-",
+      "Product": "-",
+      "Company": "-",
+      "OriginalFileName": "-",
+      "CommandLine": "WSASS.exe  WerFaultSecure.exe 860",
+      "CurrentDirectory": "C:\\Users\\Public\\wsass\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-B736-6923-B25C-3B0000000000",
+      "LogonId": "0x3b5cb2",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "High",
+      "Hashes": "SHA1=63AF15DCCB5CA8704918B7A8BFD0308726B2D7FD,MD5=D7A969E5A3636BF8FC9CA8A72021BFDC,SHA256=0977C9337EC1215C48A666464AFDA5C9A30CD24999A5F8E821E672991864A74C,IMPHASH=32F5095C9BBDCACF28FD4060EB4DFC42",
+      "ParentProcessGuid": "0197231E-0250-6928-D30B-000000000D00",
+      "ParentProcessId": 11640,
+      "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+      "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}
@@ -0,0 +1,12 @@
+id: e3ffac4e-8507-43f9-9542-4c9f10f49d3a
+description: N/A
+date: 2025-11-27
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 589ac73f-8e12-409c-964e-31a2f5775ae2
+      title: HackTool - WSASS Execution
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/589ac73f-8e12-409c-964e-31a2f5775ae2.evtx
@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-11-27T08:12:45.186674Z"
+        }
+      },
+      "EventRecordID": 733879,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3544,
+          "ThreadID": 4264
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2025-11-27 08:12:45.183",
+      "ProcessGuid": "0197231E-07FD-6928-2A0C-000000000D00",
+      "ProcessId": 3532,
+      "Image": "C:\\Windows\\System32\\WerFaultSecure.exe",
+      "FileVersion": "10.0.26100.7019 (WinBuild.160101.0800)",
+      "Description": "Windows Fault Reporting",
+      "Product": "Microsoft® Windows® Operating System",
+      "Company": "Microsoft Corporation",
+      "OriginalFileName": "WerFaultSecure.exe",
+      "CommandLine": "C:\\Windows\\System32\\WerFaultSecure.exe /h /pid 3472 /tid 3476 /encfile 304 /cancel 364 /type 268310",
+      "CurrentDirectory": "C:\\WINDOWS",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-B736-6923-B25C-3B0000000000",
+      "LogonId": "0x3b5cb2",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "High",
+      "Hashes": "SHA1=9521BDCD891789724786BDCB9C9468A06818EDDC,MD5=C5A2014C3BC84EDCEEF5185AEA3BB5E0,SHA256=1C60BA5771201F7AEE44DCA30CBCBF78F6E3C39F30AD0A5C6C7BC8137A475EAA,IMPHASH=79E7A5E4F18B29329345D2098E1B95EB",
+      "ParentProcessGuid": "0197231E-07FD-6928-290C-000000000D00",
+      "ParentProcessId": 9388,
+      "ParentImage": "C:\\Users\\xodih\\Downloads\\EDRFreeze-gnu.exe",
+      "ParentCommandLine": "EDRFreeze-gnu.exe  3472 10000",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}
@@ -0,0 +1,12 @@
+id: 68010a5c-f8bf-4a2c-8cd0-038d4009805e
+description: N/A
+date: 2025-11-27
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2
+      title: PPL Tampering Via WerFaultSecure
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      path: regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/1f0b4cac-9c81-41f4-95d0-8475ff46b3e2.evtx
@@ -0,0 +1,52 @@
+title: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
+id: 416bc4a2-7217-4519-8dc7-c3271817f1d5
+related:
+    - id: 9f5c1d59-33be-4e60-bcab-85d2f566effd
+      type: similar
+status: experimental
+description: |
+    Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories.
+    These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.
+references:
+    - https://blog.axelarator.net/hunting-for-edr-freeze/
+    - https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
+    - https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-11-27
+tags:
+    - attack.credential-access
+    - attack.t1003
+    - attack.defense-evasion
+    - attack.t1562.001
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection_img:
+        Image|contains:
+            - ':\Perflogs\'
+            - ':\Temp\'
+            - ':\Users\Public\'
+            - '\$Recycle.Bin\'
+            - '\Contacts\'
+            - '\Desktop\'
+            - '\Documents\'
+            - '\Downloads\'
+            - '\Favorites\'
+            - '\Favourites\'
+            - '\inetpub\wwwroot\'
+            - '\Music\'
+            - '\Pictures\'
+            - '\Start Menu\Programs\Startup\'
+            - '\Users\Default\'
+            - '\Videos\'
+            #  - '\AppData\Local\Temp\' some installers may load from here
+    selection_dll:
+        ImageLoaded|endswith:
+            - '\dbgcore.dll'
+            - '\dbghelp.dll'
+    condition: all of selection_*
+falsepositives:
+    - Possibly during software installation or update processes
+level: high
+regression_tests_path: regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/info.yml
@@ -0,0 +1,35 @@
+title: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
+id: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b
+related:
+    - id: 387df17d-3b04-448f-8669-9e7fd5e5fd8c
+      type: similar
+    - id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2
+      type: similar
+status: experimental
+description: |
+    Detects WerFaultSecure.exe loading dbgcore.dll or dbghelp.dll which contains the MiniDumpWriteDump function.
+    The MiniDumpWriteDump function creates a minidump of a process by suspending all threads in the target process to ensure a consistent memory snapshot.
+    The EDR-Freeze technique abuses WerFaultSecure.exe running as a Protected Process Light (PPL) with WinTCB protection level to suspend EDR/AV processes.
+    By leveraging MiniDumpWriteDump's thread suspension behavior, edr-freeze allows malicious activity to execute undetected during the suspension period.
+references:
+    - https://github.com/TwoSevenOneT/EDR-Freeze
+    - https://blog.axelarator.net/hunting-for-edr-freeze/
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-11-27
+tags:
+    - attack.defense-evasion
+    - attack.t1562.001
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\WerFaultSecure.exe'
+        ImageLoaded|endswith:
+            - '\dbgcore.dll'
+            - '\dbghelp.dll'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
+regression_tests_path: regression_data/rules/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/info.yml
@@ -0,0 +1,64 @@
+title: Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
+id: 9f5c1d59-33be-4e60-bcab-85d2f566effd
+related:
+    - id: 416bc4a2-7217-4519-8dc7-c3271817f1d5
+      type: similar
+status: experimental
+description: |
+    Detects suspicious process access to LSASS.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace.
+    These DLLs contain functions like MiniDumpWriteDump that can be abused for credential dumping purposes. While modern tools like Mimikatz have moved to using ntdll.dll,
+    dbgcore.dll and dbghelp.dll are still used by basic credential dumping utilities and legacy tools for LSASS memory access and process suspension techniques.
+references:
+    - https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
+    - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpwritedump
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-11-27
+tags:
+    - attack.credential-access
+    - attack.t1003.001
+    - attack.defense-evasion
+    - attack.t1562.001
+logsource:
+    category: process_access
+    product: windows
+detection:
+    selection_lsass_calltrace:
+        TargetImage|endswith: '\lsass.exe'
+        CallTrace|contains:
+            - 'dbgcore.dll'
+            - 'dbghelp.dll'
+    # The following selection is commented out and not enabled by default because any access to LSASS with dbgcore.dll or dbghelp.dll in the call trace from uncommon locations is assumed to be suspicious,
+    # but it may reduce false positives if the rule is too noisy. These GrantedAccess bits are commonly used for dumping LSASS memory.
+    # Uncomment if you observe false positives with the default rule.
+    # selection_granted_access:
+    #     GrantedAccess|contains:
+    #         - '0x1fffff'
+    #         - '0x10'
+    #         - '0x1010'
+    #         - '0x1410'
+    #         - '0x1438'
+    selection_susp_location:
+        SourceImage|contains:
+            - ':\Perflogs\'
+            - ':\Temp\'
+            - ':\Users\Public\'
+            - '\$Recycle.Bin\'
+            - '\AppData\Roaming\'
+            - '\Contacts\'
+            - '\Desktop\'
+            - '\Documents\'
+            - '\Downloads\'
+            - '\Favorites\'
+            - '\Favourites\'
+            - '\inetpub\wwwroot\'
+            - '\Music\'
+            - '\Pictures\'
+            - '\Start Menu\Programs\Startup\'
+            - '\Users\Default\'
+            - '\Videos\'
+            - '\Windows\Temp\'
+    condition: all of selection_*
+falsepositives:
+    - Possibly during software installation or update processes
+level: high
+regression_tests_path: regression_data/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load/info.yml
@@ -0,0 +1,42 @@
+title: Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze
+id: 387df17d-3b04-448f-8669-9e7fd5e5fd8c
+related:
+    - id: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b
+      type: similar
+    - id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2
+      type: similar
+status: experimental
+description: |
+    Detects process access events where WerFaultSecure accesses MsMpEng.exe with dbgcore.dll or dbghelp.dll in the call trace, indicating potential EDR freeze techniques.
+    This technique leverages WerFaultSecure.exe running as a Protected Process Light (PPL) with WinTCB protection level to call MiniDumpWriteDump and suspend EDR/AV processes, allowing malicious activity to execute undetected during the suspension period.
+references:
+    - https://blog.axelarator.net/hunting-for-edr-freeze/
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-11-27
+tags:
+    - attack.defense-evasion
+    - attack.t1562.001
+logsource:
+    category: process_access
+    product: windows
+    definition: |
+        Requires Sysmon Event ID 10 (ProcessAccess) with CallTrace enabled.
+        Example sysmon config snippet with grouping, as logging individual ProcessAccess events can generate excessive logs:
+        <ProcessAccess onmatch="include">
+            <Rule groupRelation="and">
+            <TargetImage condition="end with">\MsMpEng.exe</TargetImage>
+            <SourceImage condition="end with">\WerFaultSecure.exe</SourceImage>
+            </Rule>
+        </ProcessAccess>
+detection:
+    selection:
+        SourceImage|endswith: '\WerFaultSecure.exe'
+        TargetImage|endswith: '\MsMpEng.exe'
+        CallTrace|contains:
+            - '\dbgcore.dll'
+            - '\dbghelp.dll'
+    condition: selection
+falsepositives:
+    - Legitimate Windows Error Reporting operations
+level: high
+regression_tests_path: regression_data/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access/info.yml
@@ -5,11 +5,12 @@ description: |
    Detects execution of EDR-Freeze, a tool that exploits the MiniDumpWriteDump function and WerFaultSecure.exe to suspend EDR and Antivirus processes on Windows.
    EDR-Freeze leverages a race-condition attack to put security processes into a dormant state by suspending WerFaultSecure at the moment it freezes the target process.
    This technique does not require kernel-level exploits or BYOVD, but instead abuses user-mode functionality to temporarily disable monitoring by EDR or Antimalware solutions.
-date: 2025-09-24
 references:
    - https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
    - https://github.com/TwoSevenOneT/EDR-Freeze
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-09-24
+modified: 2025-11-27
 tags:
    - attack.defense-evasion
    - attack.t1562.001
@@ -18,7 +19,9 @@ logsource:
    product: windows
 detection:
    selection_img:
-        Image|contains: '\EDR-Freeze'
+        Image|contains:
+            - '\EDR-Freeze'
+            - '\EDRFreeze'
        Image|endswith: '.exe'
    selection_imphash:
        Hashes|contains:
@@ -28,7 +31,10 @@ detection:
            - 'IMPHASH=8828F0B906F7844358FB92A899E9520F'
            - 'IMPHASH=AF76D95157EC554DC1EF178E4E66D447'
            - 'IMPHASH=E1B04316B61ACA31DD52ABBEC0A37FD5'
+            - 'IMPHASH=8B2D5B54AFCFEC60D54F6B31D80ED4A0'
+            - 'IMPHASH=AB8BB31EDD91D2A05FE7B62A535E9EB7'
    condition: 1 of selection_*
 falsepositives:
    - Unlikely
 level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze/info.yml
@@ -29,3 +29,4 @@ detection:
 falsepositives:
    - Unlikely
 level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/info.yml
@@ -1,5 +1,10 @@
 title: PPL Tampering Via WerFaultSecure
 id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2
+related:
+    - id: 387df17d-3b04-448f-8669-9e7fd5e5fd8c
+      type: similar
+    - id: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b
+      type: similar
 status: experimental
 description: |
    Detects potential abuse of WerFaultSecure.exe to dump Protected Process Light (PPL) processes like LSASS or to freeze security solutions (EDR/antivirus).
@@ -41,3 +46,4 @@ detection:
 falsepositives:
    - Legitimate usage of WerFaultSecure for debugging purposes
 level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/info.yml