Potential DLL Sideloading Via DeviceEnroller.EXE
Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll". Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter.
Sigma rule
title: Potential DLL Sideloading Via DeviceEnroller.EXE
id: e173ad47-4388-4012-ae62-bd13f71c18a8
related:
    - id: ee4c5d06-3abc-48cc-8885-77f1c20f4451
      type: similar
status: test
description: |
    Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll".
    Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
references:
    - https://mobile.twitter.com/0gtweet/status/1564131230941122561
    - https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html
author: '@gott_cyber'
date: 2022-08-29
modified: 2023-02-04
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.defense-evasion
    - attack.t1574.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\deviceenroller.exe'
        - OriginalFileName: 'deviceenroller.exe'
    selection_cli:
        CommandLine|contains: '/PhoneDeepLink'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
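To make the rule's matching semantics concrete, the following Python is an added example (not part of the Sigma project or of this rule) that evaluates the same logic over constructed process-creation events: `selection_img` is a list of two maps, which Sigma joins with OR, `selection_cli` is a single map, and `all of selection_*` ANDs the two; Sigma string matching is case-insensitive by default, so both sides are lower-cased. The field names follow Sysmon Event ID 1 as Sigma's `process_creation` category maps them; every event value below is invented.

```python
"""Added example: evaluate the DeviceEnroller.exe /PhoneDeepLink Sigma rule
over constructed process_creation events. Not part of the Sigma project; the
event dicts below are constructed sample data, not real telemetry."""

from typing import Dict, List

# Sigma string modifiers compare case-insensitively, so both sides are lower-cased.
IMAGE_SUFFIX = "\\deviceenroller.exe"       # Image|endswith
ORIGINAL_FILE_NAME = "deviceenroller.exe"   # OriginalFileName (exact match)
CLI_MARKER = "/phonedeeplink"               # CommandLine|contains


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies `condition: all of selection_*`.

    selection_img is a YAML list of two maps -> OR between them.
    selection_cli is a single map -> one required field.
    The condition ANDs the two selections together.
    """
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()

    selection_img = image.endswith(IMAGE_SUFFIX) or original == ORIGINAL_FILE_NAME
    selection_cli = CLI_MARKER in cmdline
    return selection_img and selection_cli


def alert_on(events: List[Dict[str, str]]) -> List[str]:
    """Return the ProcessId of every event that triggers the rule, in order."""
    return [e["ProcessId"] for e in events if matches_rule(e)]


# Constructed sample events (Sysmon Event ID 1 style fields; all values invented).
SAMPLE_EVENTS = [
    {   # no alert: DeviceEnroller.exe with some other (made-up) switch
        "ProcessId": "1001",
        "Image": "C:\\Windows\\System32\\DeviceEnroller.exe",
        "OriginalFileName": "DeviceEnroller.exe",
        "CommandLine": "DeviceEnroller.exe /c /SomeOtherSwitch",
    },
    {   # alert: the /PhoneDeepLink parameter the rule keys on
        "ProcessId": "1002",
        "Image": "C:\\Windows\\System32\\DeviceEnroller.exe",
        "OriginalFileName": "DeviceEnroller.exe",
        "CommandLine": "DeviceEnroller.exe /PhoneDeepLink",
    },
    {   # alert via OriginalFileName alone: Image no longer ends with the name,
        # which is why selection_img ORs the PE header name with the path
        "ProcessId": "1003",
        "Image": "C:\\Users\\Public\\updater.exe",
        "OriginalFileName": "DeviceEnroller.exe",
        "CommandLine": "updater.exe /phonedeeplink",
    },
    {   # no alert: same substring in an unrelated process (selection_img fails)
        "ProcessId": "1004",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c echo /PhoneDeepLink",
    },
]

if __name__ == "__main__":
    print(alert_on(SAMPLE_EVENTS))  # ['1002', '1003']
```

The third sample event is the reason the rule checks `OriginalFileName` and not only `Image`: the PE header field survives a rename or copy of the binary, so a tuning change that drops it would narrow coverage. The fourth shows that the `CommandLine|contains` check alone would be noisy, which is what the AND with `selection_img` prevents.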
Related rules
- APT27 - Emissary Panda Activity
- Aruba Network Service Potential DLL Sideloading
- Creation of WerFault.exe/Wer.dll in Unusual Folder
- DHCP Callout DLL Installation
- DHCP Server Error Failed Loading the CallOut DLL