DLL Sideloading Of ShellChromeAPI.DLL
Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary, which tries to load this DLL when invoked with the "PhoneDeepLink" flag. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter. Because the DLL no longer ships with Windows, the rule matches on the loaded module name alone (an ImageLoaded path ending in \ShellChromeAPI.dll), regardless of which process loaded it or from which directory.
Sigma rule
```yaml
title: DLL Sideloading Of ShellChromeAPI.DLL
id: ee4c5d06-3abc-48cc-8885-77f1c20f4451
related:
    - id: e173ad47-4388-4012-ae62-bd13f71c18a8
      type: similar
status: test
description: |
    Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary, which tries to load this DLL when invoked with the "PhoneDeepLink" flag.
    Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter.
references:
    - https://mobile.twitter.com/0gtweet/status/1564131230941122561
    - https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-01
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        # The DLL shouldn't exist on Windows anymore. If for some reason you still have it, you could filter out legitimate calls.
        ImageLoaded|endswith: '\ShellChromeAPI.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
```
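To show what the selection above actually fires on, here is the rule's matching logic replayed over a handful of constructed Sysmon Event ID 7 (image load) records. This is an added example, not code from the Sigma rule or the SigmaHQ project. It mirrors the one selection the rule has (`ImageLoaded|endswith: '\ShellChromeAPI.dll'`, case-insensitive as Sigma string matching is) and adds one assumption for context: a `command_line` field joined from the process-creation event, so the known DeviceEnroller.exe `/PhoneDeepLink` trigger from the description can be labelled separately from any other loader. The field names, the sample paths and the classification labels are illustrative.

```python
"""Replay the rule's image_load selection over constructed Sysmon Event ID 7 records.

Added example, not part of the Sigma rule or the SigmaHQ project. The record
fields and the sample paths below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Mirrors the rule's selection. Sigma string matching is case-insensitive,
# and the leading backslash pins the whole file name, so a module called
# "MyShellChromeAPI.dll" does not match.
IMAGE_LOADED_SUFFIX = "\\shellchromeapi.dll"

# Context from the rule description: DeviceEnroller.exe with the PhoneDeepLink
# flag is the known trigger. Sysmon image-load events carry no CommandLine;
# assumption: it was joined from the process-creation event upstream.
KNOWN_LOADER = "\\deviceenroller.exe"
KNOWN_FLAG = "phonedeeplink"


@dataclass(frozen=True)
class ImageLoadEvent:
    """Subset of Sysmon Event ID 7 fields (names follow the Sigma field names)."""
    image: str               # Image: the process that loaded the module
    image_loaded: str        # ImageLoaded: full path of the loaded module
    command_line: str = ""   # CommandLine of the loading process (joined; assumed)


def matches_selection(event: ImageLoadEvent) -> bool:
    """ImageLoaded|endswith '\\ShellChromeAPI.dll', case-insensitive like Sigma."""
    return event.image_loaded.lower().endswith(IMAGE_LOADED_SUFFIX)


def classify(event: ImageLoadEvent) -> Optional[str]:
    """None for non-matches; 'known-trigger' for the DeviceEnroller /PhoneDeepLink
    case from the rule description; 'generic' for any other loader of the DLL."""
    if not matches_selection(event):
        return None
    if event.image.lower().endswith(KNOWN_LOADER) and KNOWN_FLAG in event.command_line.lower():
        return "known-trigger"
    return "generic"


def run_rule(events: list[ImageLoadEvent]) -> list[tuple[str, str, str]]:
    """Alerts as (Image, ImageLoaded, classification); non-matching events are dropped."""
    alerts = []
    for ev in events:
        label = classify(ev)
        if label is not None:
            alerts.append((ev.image, ev.image_loaded, label))
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    ImageLoadEvent(  # the documented trigger: DLL planted in a writable directory
        image=r"C:\Windows\System32\DeviceEnroller.exe",
        image_loaded=r"C:\Users\Public\ShellChromeAPI.dll",
        command_line="DeviceEnroller.exe /PhoneDeepLink",
    ),
    ImageLoadEvent(  # different loader and different casing; still matches
        image=r"C:\Temp\updater.exe",
        image_loaded=r"C:\Temp\SHELLCHROMEAPI.DLL",
        command_line="updater.exe",
    ),
    ImageLoadEvent(  # similar file name; the leading backslash in the pattern rejects it
        image=r"C:\Temp\updater.exe",
        image_loaded=r"C:\Temp\MyShellChromeAPI.dll",
    ),
    ImageLoadEvent(  # benign system DLL load by the same binary and flag
        image=r"C:\Windows\System32\DeviceEnroller.exe",
        image_loaded=r"C:\Windows\System32\kernel32.dll",
        command_line="DeviceEnroller.exe /PhoneDeepLink",
    ),
]


if __name__ == "__main__":
    for image, loaded, label in run_rule(SAMPLE_EVENTS):
        print(f"{label:14} {image} -> {loaded}")
```

The second sample is the point of the rule's high severity: the match does not depend on DeviceEnroller.exe at all, so any process loading a module by this name is worth a look, and the directory of `ImageLoaded` (user-writable versus System32) is the first thing to check in triage.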
References
- https://mobile.twitter.com/0gtweet/status/1564131230941122561
- https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html
Related rules
- Creation Of Non-Existent System DLL
- DLL Search Order Hijacking Via Additional Space in Path
- Malicious DLL File Dropped in the Teams or OneDrive Folder
- Microsoft Office DLL Sideload
- Potential 7za.DLL Sideloading