Merge PR SigmaHQ#5777 from @swachchhanda000 - feat: more edrfreeze rules

new: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
new: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
new: Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
new: Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze
update: Hacktool - EDR-Freeze Execution - add more coverage
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>

Author: swachchhanda000

.github/workflows/known-FPs.csv

@@ -73,3 +73,4 @@ de587dce-915e-4218-aac4-835ca6af6f70;Potential Persistence Attempt Via Run Keys
 8fbf3271-1ef6-4e94-8210-03c2317947f6;Cred Dump Tools Dropped Files;Svchost\.exe
 c7da8edc-49ae-45a2-9e61-9fd860e4e73d;PUA - Sysinternals Tools Execution - Registry;.*
 dcff7e85-d01f-4eb5-badd-84e2e6be8294;Windows Default Domain GPO Modification via GPME;Computer: WIN-FPV0DSIC9O6.sigma.fr
+416bc4a2-7217-4519-8dc7-c3271817f1d5;Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location;procexp64\.exe 

regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/416bc4a2-7217-4519-8dc7-c3271817f1d5.evtx

@@ -0,0 +1,59 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 7,
+      "Version": 3,
+      "Level": 4,
+      "Task": 7,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-11-27T07:57:32.309580Z"
+        }
+      },
+      "EventRecordID": 676402,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3544,
+          "ThreadID": 4264
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2025-11-27 07:57:32.308",
+      "ProcessGuid": "0197231E-046C-6928-160C-000000000D00",
+      "ProcessId": 296,
+      "Image": "C:\\Users\\Public\\wsass\\WerFaultSecure.exe",
+      "ImageLoaded": "C:\\Windows\\System32\\dbgcore.dll",
+      "FileVersion": "10.0.26100.7019 (WinBuild.160101.0800)",
+      "Description": "Windows Core Debugging Helpers",
+      "Product": "Microsoft® Windows® Operating System",
+      "Company": "Microsoft Corporation",
+      "OriginalFileName": "DBGCORE.DLL",
+      "Hashes": "SHA1=5E4F2C531C549BB72A658ED9DD16D491EDDBB286,MD5=FAB4B30C1C4F0A9202A7B42DCF1729DC,SHA256=1B48A4F8D20026E6C56E3AB4CC4788FA6425C8A75F8D91C2869FA533DE6B209E,IMPHASH=C324AAAC01F0F75C811E1F80C41B860C",
+      "Signed": "true",
+      "Signature": "Microsoft Windows",
+      "SignatureStatus": "Valid",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}

regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/416bc4a2-7217-4519-8dc7-c3271817f1d5.json

@@ -0,0 +1,12 @@
+id: bc1c627e-6529-459d-9bd6-74ffb88b3320
+description: N/A
+date: 2025-11-27
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 416bc4a2-7217-4519-8dc7-c3271817f1d5
+      title: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      path: regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/416bc4a2-7217-4519-8dc7-c3271817f1d5.evtx

regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/info.yml

@@ -0,0 +1,59 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 7,
+      "Version": 3,
+      "Level": 4,
+      "Task": 7,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-11-27T07:40:10.165324Z"
+        }
+      },
+      "EventRecordID": 571146,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3544,
+          "ThreadID": 4272
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2025-11-27 07:40:10.132",
+      "ProcessGuid": "0197231E-005A-6928-A50B-000000000D00",
+      "ProcessId": 4460,
+      "Image": "C:\\Windows\\System32\\WerFaultSecure.exe",
+      "ImageLoaded": "C:\\Windows\\System32\\dbgcore.dll",
+      "FileVersion": "10.0.26100.7019 (WinBuild.160101.0800)",
+      "Description": "Windows Core Debugging Helpers",
+      "Product": "Microsoft® Windows® Operating System",
+      "Company": "Microsoft Corporation",
+      "OriginalFileName": "DBGCORE.DLL",
+      "Hashes": "SHA1=5E4F2C531C549BB72A658ED9DD16D491EDDBB286,MD5=FAB4B30C1C4F0A9202A7B42DCF1729DC,SHA256=1B48A4F8D20026E6C56E3AB4CC4788FA6425C8A75F8D91C2869FA533DE6B209E,IMPHASH=C324AAAC01F0F75C811E1F80C41B860C",
+      "Signed": "true",
+      "Signature": "Microsoft Windows",
+      "SignatureStatus": "Valid",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}

regression_data/rules/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b.evtx

@@ -0,0 +1,12 @@
+id: 63b16abe-2d5c-4a2f-b0ae-f1bc4580e40c
+description: N/A
+date: 2025-11-27
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b
+      title: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      path: regression_data/rules/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b.evtx

regression_data/rules/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b.json

@@ -0,0 +1,56 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 10,
+      "Version": 3,
+      "Level": 4,
+      "Task": 10,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-11-27T07:57:32.317336Z"
+        }
+      },
+      "EventRecordID": 676404,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3544,
+          "ThreadID": 4264
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2025-11-27 07:57:32.315",
+      "SourceProcessGUID": "0197231E-046C-6928-160C-000000000D00",
+      "SourceProcessId": 296,
+      "SourceThreadId": 5260,
+      "SourceImage": "C:\\Users\\Public\\wsass\\WerFaultSecure.exe",
+      "TargetProcessGUID": "0197231E-2DD5-691E-0C00-000000000D00",
+      "TargetProcessId": 860,
+      "TargetImage": "C:\\WINDOWS\\system32\\lsass.exe",
+      "GrantedAccess": "0x1fffff",
+      "CallTrace": "C:\\WINDOWS\\SYSTEM32\\ntdll.dll+16bcc4|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+17aee0|C:\\WINDOWS\\SYSTEM32\\KERNEL32.DLL+7f7dc|C:\\WINDOWS\\SYSTEM32\\KERNEL32.DLL+c8d28|C:\\WINDOWS\\SYSTEM32\\dbgcore.DLL+44c34|C:\\WINDOWS\\SYSTEM32\\dbgcore.DLL+48f2c|C:\\WINDOWS\\SYSTEM32\\dbgcore.DLL+3d414|C:\\WINDOWS\\SYSTEM32\\dbgcore.DLL+29c7c|C:\\WINDOWS\\SYSTEM32\\dbgcore.DLL+2a1f0|C:\\WINDOWS\\SYSTEM32\\dbgcore.DLL+4f894|C:\\Users\\Public\\wsass\\WerFaultSecure.exe+3a64|C:\\Users\\Public\\wsass\\WerFaultSecure.exe+2576|C:\\Users\\Public\\wsass\\WerFaultSecure.exe+20c9|C:\\Users\\Public\\wsass\\WerFaultSecure.exe+1a0b|C:\\Users\\Public\\wsass\\WerFaultSecure.exe+48cc|C:\\WINDOWS\\SYSTEM32\\KERNEL32.DLL+f17ac",
+      "SourceUser": "swachchhanda\\xodih",
+      "TargetUser": "NT AUTHORITY\\SYSTEM"
+    }
+  }
+}

regression_data/rules/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/info.yml

@@ -0,0 +1,12 @@
+id: f0a580dc-386c-4049-8ca4-cef9f956dc4c
+description: N/A
+date: 2025-11-27
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 9f5c1d59-33be-4e60-bcab-85d2f566effd
+      title: Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      path: regression_data/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load/9f5c1d59-33be-4e60-bcab-85d2f566effd.evtx