DLL Sideloading Of ShellChromeAPI.DLL

Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary, which, when run with the "PhoneDeepLink" flag, tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter.

Sigma rule

title: DLL Sideloading Of ShellChromeAPI.DLL
id: ee4c5d06-3abc-48cc-8885-77f1c20f4451
related:
    - id: e173ad47-4388-4012-ae62-bd13f71c18a8
      type: similar
status: test
description: |
    Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary, which, when run with the "PhoneDeepLink" flag, tries to load this DLL.
    Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter.
references:
    - https://mobile.twitter.com/0gtweet/status/1564131230941122561
    - https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-01
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        # The DLL shouldn't exist on Windows anymore. If for some reason you still have it, you could filter out legitimate calls.
        ImageLoaded|endswith: '\ShellChromeAPI.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
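To show what the selection above does when applied to telemetry, here is an added Python example (not part of the rule or of the Sigma project) that evaluates it over a few constructed Sysmon Event ID 7 (image_load) records; the allowlist parameter is a hypothetical tuning hook for the filter the rule comment mentions.

```python
# Sigma string modifiers are case-insensitive by default, so both sides are lower-cased.
SUFFIX = "\\shellchromeapi.dll"   # Sigma: ImageLoaded|endswith '\ShellChromeAPI.dll'

# Constructed sample Sysmon Event ID 7 records, not real telemetry.
SAMPLE_EVENTS = [
    {   # DLL dropped in a user-writable directory and loaded by DeviceEnroller.exe
        "Image": r"C:\Windows\System32\DeviceEnroller.exe",
        "ImageLoaded": r"C:\Users\Public\ShellChromeAPI.dll",
        "Signed": "false",
    },
    {   # Same file name with different casing: still matches (case-insensitive)
        "Image": r"C:\Windows\System32\DeviceEnroller.exe",
        "ImageLoaded": r"C:\Windows\System32\SHELLCHROMEAPI.DLL",
        "Signed": "true",
    },
    {   # Ordinary shell DLL load: no match
        "Image": r"C:\Windows\explorer.exe",
        "ImageLoaded": r"C:\Windows\System32\shell32.dll",
        "Signed": "true",
    },
    {   # The leading backslash in the pattern keeps a longer file name from matching
        "Image": r"C:\Program Files\Vendor\app.exe",
        "ImageLoaded": r"C:\Program Files\Vendor\NotShellChromeAPI.dll",
        "Signed": "true",
    },
]


def matches_rule(event, allowlist=()):
    """True when the event satisfies the rule's selection and is not allowlisted."""
    loaded = event.get("ImageLoaded", "")
    if not loaded.lower().endswith(SUFFIX):
        return False
    # Hypothetical tuning hook for the filter the rule comment describes: if a
    # legitimate copy of the DLL really exists on a host, exclude its full path.
    return loaded.lower() not in {p.lower() for p in allowlist}


def evaluate(events, allowlist=()):
    """Return one alert per matching event with the fields an analyst triages first."""
    return [
        {"image": e["Image"], "loaded": e["ImageLoaded"], "signed": e.get("Signed", "")}
        for e in events
        if matches_rule(e, allowlist)
    ]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```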
