Potential EACore.DLL Sideloading
Detects potential DLL sideloading of "EACore.dll"
Sigma rule (View on GitHub)
1title: Potential EACore.DLL Sideloading
2id: edd3ddc3-386f-4ba5-9ada-4376b2cfa7b5
3status: test
4description: Detects potential DLL sideloading of "EACore.dll"
5references:
6 - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
7author: X__Junior (Nextron Systems)
8date: 2023-08-03
9tags:
10 - attack.defense-evasion
11 - attack.privilege-escalation
12 - attack.t1574.001
13 - attack.t1574.002
14logsource:
15 category: image_load
16 product: windows
17detection:
18 selection:
19 ImageLoaded|endswith: '\EACore.dll'
20 filter_main_legit_path:
21 Image|contains|all:
22 - 'C:\Program Files\Electronic Arts\EA Desktop\'
23 - '\EACoreServer.exe'
24 ImageLoaded|startswith: 'C:\Program Files\Electronic Arts\EA Desktop\'
25 condition: selection and not 1 of filter_main_*
26falsepositives:
27 - Unlikely
28level: high
References
-
Executive summary Introduction In early 2023, CPIRT investigated an incident at a European hospital. The investigation showed that the malicious activity observed was likely not targeted but was simply collateral damage from Camaro Dragon’s self-propagating malware infections spreading via USB drives. Camaro Dragon is a Chinese-based espionage threat actor whose operations are actively focused on […]
Read More
Related rules
- Creation Of Non-Existent System DLL
- DLL Sideloading Of ShellChromeAPI.DLL
- Microsoft Office DLL Sideload
- Potential 7za.DLL Sideloading
- Potential AVKkid.DLL Sideloading