The hypothesis is that an adversary is attempting to sideload EACore.DLL so that malicious code executes in the context of a legitimate process, abusing the Windows DLL search order (DLL search order hijacking, T1574.001). SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential privilege escalation or persistence mechanisms used by advanced threats.
Detection Rule
title: Potential EACore.DLL Sideloading
id: edd3ddc3-386f-4ba5-9ada-4376b2cfa7b5
status: test
description: Detects potential DLL sideloading of "EACore.dll"
references:
    - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
author: X__Junior (Nextron Systems)
date: 2023-08-03
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\EACore.dll'
    filter_main_legit_path:
        Image|contains|all:
            - 'C:\Program Files\Electronic Arts\EA Desktop\'
            - '\EACoreServer.exe'
        ImageLoaded|startswith: 'C:\Program Files\Electronic Arts\EA Desktop\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
The same logic as a KQL query against the DeviceImageLoadEvents table (Defender for Endpoint image-load telemetry, queryable from Sentinel):
DeviceImageLoadEvents
| where FolderPath endswith "\\EACore.dll"
    and not (
        InitiatingProcessFolderPath contains "C:\\Program Files\\Electronic Arts\\EA Desktop\\"
        and InitiatingProcessFolderPath contains "\\EACoreServer.exe"
        and FolderPath startswith "C:\\Program Files\\Electronic Arts\\EA Desktop\\"
    )
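As an added example (not code from the page or the Sigma project), the rule's detection block evaluated in Python over a few constructed image_load events, showing how the selection and the filter_main_* exclusion combine under the rule's condition; it assumes events carry the Sigma image_load field names Image and ImageLoaded.

```python
# Added example: minimal evaluator for the rule's detection block, run over
# constructed image_load events (not real telemetry, not Sigma project code).
DETECTION = {  # copied from the rule's detection section
    "selection": {"ImageLoaded|endswith": "\\EACore.dll"},
    "filter_main_legit_path": {
        "Image|contains|all": [
            "C:\\Program Files\\Electronic Arts\\EA Desktop\\",
            "\\EACoreServer.exe",
        ],
        "ImageLoaded|startswith": "C:\\Program Files\\Electronic Arts\\EA Desktop\\",
    },
}

def _field_matches(event, key, expected):
    """One 'Field|modifier[|all]' entry; Sigma matching is case-insensitive."""
    field, *mods = key.split("|")
    value = str(event.get(field, "")).lower()
    patterns = expected if isinstance(expected, list) else [expected]
    tests = {
        "equals": lambda p: value == p,
        "endswith": value.endswith,
        "startswith": value.startswith,
        "contains": lambda p: p in value,
    }
    hits = [tests[mods[0] if mods else "equals"](str(p).lower()) for p in patterns]
    return all(hits) if "all" in mods else any(hits)  # lists OR unless |all

def _block_matches(event, block):
    """Field entries inside one selection/filter block are AND-ed."""
    return all(_field_matches(event, k, v) for k, v in block.items())

def rule_matches(event):
    """condition: selection and not 1 of filter_main_*"""
    if not _block_matches(event, DETECTION["selection"]):
        return False
    filters = [b for n, b in DETECTION.items() if n.startswith("filter_main_")]
    return not any(_block_matches(event, f) for f in filters)

# Constructed samples: legitimate EA load, sideload from a user-writable dir,
# and an unrelated load that must not match the selection at all.
EVENTS = [
    {"Image": r"C:\Program Files\Electronic Arts\EA Desktop\EA Desktop\EACoreServer.exe",
     "ImageLoaded": r"C:\Program Files\Electronic Arts\EA Desktop\EA Desktop\EACore.dll"},
    {"Image": r"C:\Users\Public\Downloads\EACoreServer.exe",
     "ImageLoaded": r"C:\Users\Public\Downloads\EACore.dll"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

def alerts(events=EVENTS):
    return [e["ImageLoaded"] for e in events if rule_matches(e)]
```

Only the second sample fires: the DLL name matches the selection, but the loading process is not EACoreServer.exe under the EA Desktop install path, so the filter does not suppress it.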
Scenario: System update or patching using Microsoft’s Update.exe or wuauclt.exe
Filter/Exclusion: Check the parent process or command line for Update.exe or wuauclt.exe and exclude any activity related to Windows Update.
Scenario: Scheduled job running a legitimate script or tool that loads EACore.DLL from a known trusted path
Filter/Exclusion: Exclude processes launched by schtasks.exe or Task Scheduler that are associated with known legitimate scripts or tools (e.g., PowerShell.exe with a trusted script path).
Scenario: Admin task using msiexec.exe to install a legitimate application that includes EACore.DLL
Filter/Exclusion: Exclude processes initiated by msiexec.exe with a known legitimate MSI package or vendor.
Scenario: Security software or endpoint protection tool loading EACore.DLL as part of its runtime
Filter/Exclusion: Exclude processes from known security vendors (e.g., Microsoft Defender Antivirus, Bitdefender, Kaspersky) that may load EACore.DLL as part of their operation.
Scenario: Custom application or service using EACore.DLL from a local trusted directory (e.g., C:\Program Files\)
Filter/Exclusion: Exclude processes running from known trusted directories and with known legitimate applications that use EACore.DLL as part of their functionality.