Potential DLL Sideloading Via DeviceEnroller.EXE
Detects DeviceEnroller.exe being launched with the /PhoneDeepLink parameter. With this parameter the binary attempts to load a DLL named "ShellChromeAPI.dll" that does not exist on the system by default, so an adversary can drop their own DLL under that name and have the signed DeviceEnroller.exe execute it (DLL sideloading).
Sigma rule
```yaml
title: Potential DLL Sideloading Via DeviceEnroller.EXE
id: e173ad47-4388-4012-ae62-bd13f71c18a8
related:
    - id: ee4c5d06-3abc-48cc-8885-77f1c20f4451
      type: similar
status: test
description: |
    Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll".
    Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
references:
    - https://mobile.twitter.com/0gtweet/status/1564131230941122561
    - https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html
author: '@gott_cyber'
date: 2022-08-29
modified: 2023-02-04
tags:
    - attack.defense-evasion
    - attack.t1574.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\deviceenroller.exe'
        - OriginalFileName: 'deviceenroller.exe'
    selection_cli:
        CommandLine|contains: '/PhoneDeepLink'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
```
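To make the matching semantics of the detection section concrete, the following is an added Python re-implementation of the rule's selections run over a handful of constructed process_creation events. It is example code written for this page, not part of the SigmaHQ rule or the page's own content. Field names follow the Sigma process_creation taxonomy (Image, OriginalFileName, CommandLine); the sample paths, and the benign `/c /AutoEnrollMDM` invocation used as a non-matching control, are constructed for illustration. String comparisons are case-insensitive, which is Sigma's default for these modifiers.

```python
"""Re-implementation of the DeviceEnroller /PhoneDeepLink Sigma rule logic.

Added example, not the SigmaHQ rule itself: it mirrors the rule's
selection_img (OR of two field tests), selection_cli (contains) and
the 'all of selection_*' condition (AND), then runs them over
constructed process_creation events so the behaviour can be checked
without a SIEM backend.
"""
from dataclasses import dataclass


@dataclass
class ProcessCreationEvent:
    """Minimal process_creation record with the three fields the rule uses."""
    image: str               # Sigma field: Image (full path of the new process)
    original_file_name: str  # Sigma field: OriginalFileName (from the PE version info)
    command_line: str        # Sigma field: CommandLine


def selection_img(ev: ProcessCreationEvent) -> bool:
    """selection_img is a YAML list of two maps, so the items are OR-ed.

    The OriginalFileName test is what keeps the rule firing when the
    attacker copies DeviceEnroller.exe under a different file name.
    Sigma string matching is case-insensitive by default.
    """
    return (
        ev.image.lower().endswith("\\deviceenroller.exe")
        or ev.original_file_name.lower() == "deviceenroller.exe"
    )


def selection_cli(ev: ProcessCreationEvent) -> bool:
    """selection_cli: CommandLine|contains '/PhoneDeepLink' (case-insensitive)."""
    return "/phonedeeplink" in ev.command_line.lower()


def rule_matches(ev: ProcessCreationEvent) -> bool:
    """condition: all of selection_* -> both selections must hold."""
    return selection_img(ev) and selection_cli(ev)


def evaluate(events):
    """Return one boolean per event: True where the rule would alert."""
    return [rule_matches(ev) for ev in events]


# Constructed sample events (not real telemetry). Paths and the benign
# "/c /AutoEnrollMDM" control invocation are assumptions for this example.
SAMPLE_EVENTS = [
    # 1. Copy of the signed binary in a user-writable directory, run with the parameter
    ProcessCreationEvent(
        image=r"C:\Users\Public\DeviceEnroller.exe",
        original_file_name="DeviceEnroller.exe",
        command_line=r'"C:\Users\Public\DeviceEnroller.exe" /PhoneDeepLink',
    ),
    # 2. Binary renamed on disk; the PE version info still says DeviceEnroller.exe
    ProcessCreationEvent(
        image=r"C:\Temp\svchost.exe",
        original_file_name="DeviceEnroller.exe",
        command_line="svchost.exe /phonedeeplink",
    ),
    # 3. System binary run without the parameter: no alert
    ProcessCreationEvent(
        image=r"C:\Windows\System32\DeviceEnroller.exe",
        original_file_name="DeviceEnroller.exe",
        command_line=r"C:\Windows\System32\DeviceEnroller.exe /c /AutoEnrollMDM",
    ),
    # 4. Unrelated process whose command line merely mentions the word: no alert
    ProcessCreationEvent(
        image=r"C:\Windows\System32\notepad.exe",
        original_file_name="NOTEPAD.EXE",
        command_line="notepad.exe notes_about_PhoneDeepLink.txt",
    ),
]


if __name__ == "__main__":
    for ev, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(("ALERT  " if hit else "       ") + ev.command_line)
```

Events 1 and 2 alert and events 3 and 4 do not. Event 2 is the case worth noting when tuning: because the two entries under `selection_img` are OR-ed, a renamed copy of the binary is still caught through `OriginalFileName`, but only if the log source actually populates that field (Sysmon event ID 1 does; some EDR exports do not). When an alert fires, the responder's follow-up is to locate any `ShellChromeAPI.dll` in the process's DLL search path, since the rule's premise is that no such file exists on the system by default.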
Related rules
- APT27 - Emissary Panda Activity
- Creation Of Non-Existent System DLL
- DHCP Callout DLL Installation
- DHCP Server Error Failed Loading the CallOut DLL
- DHCP Server Loaded the CallOut DLL