DLL Sideloading Of ShellChromeAPI.DLL

Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter

Sigma rule (View on GitHub)

 1title: DLL Sideloading Of ShellChromeAPI.DLL
 2id: ee4c5d06-3abc-48cc-8885-77f1c20f4451
 3related:
 4    - id: e173ad47-4388-4012-ae62-bd13f71c18a8
 5      type: similar
 6status: test
 7description: |
 8    Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL.
 9    Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter    
10references:
11    - https://mobile.twitter.com/0gtweet/status/1564131230941122561
12    - https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2022/12/01
15tags:
16    - attack.defense_evasion
17    - attack.persistence
18    - attack.privilege_escalation
19    - attack.t1574.001
20    - attack.t1574.002
21logsource:
22    category: image_load
23    product: windows
24detection:
25    selection:
26        # The DLL shouldn't exist on Windows anymore. If for some reason you still have it. You could filter out legitimate calls
27        ImageLoaded|endswith: '\ShellChromeAPI.dll'
28    condition: selection
29falsepositives:
30    - Unknown
31level: high

References

Related rules

to-top