DLL Sideloading Of ShellChromeAPI.DLL
Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary, which, when run with the "PhoneDeepLink" flag, tries to load this DLL. Adversaries can drop their own renamed DLL and have DeviceEnroller.exe load it by invoking it with that parameter.
Sigma rule
```yaml
title: DLL Sideloading Of ShellChromeAPI.DLL
id: ee4c5d06-3abc-48cc-8885-77f1c20f4451
related:
    - id: e173ad47-4388-4012-ae62-bd13f71c18a8
      type: similar
status: test
description: |
    Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary, which in combination with the "PhoneDeepLink" flag tries to load this DLL.
    Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter.
references:
    - https://mobile.twitter.com/0gtweet/status/1564131230941122561
    - https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-01
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1574.001
    - attack.t1574.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        # The DLL shouldn't exist on Windows anymore. If for some reason you still have it, you could filter out legitimate calls.
        ImageLoaded|endswith: '\ShellChromeAPI.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
```
Related rules
- Creation Of Non-Existent System DLL
- Microsoft Office DLL Sideload
- Potential 7za.DLL Sideloading
- Potential Antivirus Software DLL Sideloading
- Potential CCleanerDU.DLL Sideloading