Potential DLL Sideloading Via DeviceEnroller.EXE
Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll". Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter.
Sigma rule
title: Potential DLL Sideloading Via DeviceEnroller.EXE
id: e173ad47-4388-4012-ae62-bd13f71c18a8
related:
    - id: ee4c5d06-3abc-48cc-8885-77f1c20f4451
      type: similar
status: test
description: |
    Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll".
    Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
references:
    - https://mobile.twitter.com/0gtweet/status/1564131230941122561
    - https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html
author: '@gott_cyber'
date: 2022/08/29
modified: 2023/02/04
tags:
    - attack.defense_evasion
    - attack.t1574.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\deviceenroller.exe'
        - OriginalFileName: 'deviceenroller.exe'
    selection_cli:
        CommandLine|contains: '/PhoneDeepLink'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
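As an added example (not part of the Sigma project or of this rule's page), the following Python hand-implements the rule's two selections and its `all of selection_*` condition, then runs them over constructed process_creation events. It reproduces Sigma's default case-insensitive string matching and shows why the rule lists `OriginalFileName` beside `Image`: a renamed copy of the binary fails the path check but is still caught by the PE header's original file name. The event field names follow the Sysmon/Sigma process_creation schema; every sample value is an assumption, not real telemetry.

```python
"""Evaluate the Sigma rule 'Potential DLL Sideloading Via DeviceEnroller.EXE'
against constructed process_creation events.

Added example, not the Sigma project's code. It hand-implements the rule's
selections and condition and mirrors Sigma's case-insensitive string matching.
"""

# selection_img is a YAML list of maps, so it is an OR of its entries.
SELECTION_IMG = [
    ("Image", "endswith", "\\deviceenroller.exe"),
    ("OriginalFileName", "equals", "deviceenroller.exe"),
]
# selection_cli is a single map entry.
SELECTION_CLI = [
    ("CommandLine", "contains", "/PhoneDeepLink"),
]


def _match(event: dict, field: str, modifier: str, value: str) -> bool:
    """Apply one Sigma string comparison (case-insensitive, as in the Sigma spec)."""
    actual = event.get(field)
    if actual is None:
        return False
    actual, value = str(actual).lower(), value.lower()
    if modifier == "endswith":
        return actual.endswith(value)
    if modifier == "contains":
        return value in actual
    if modifier == "equals":
        return actual == value
    raise ValueError(f"unsupported modifier: {modifier}")


def _any_of(event: dict, selection) -> bool:
    """A selection written as a YAML list matches when any of its entries matches."""
    return any(_match(event, f, m, v) for f, m, v in selection)


def rule_matches(event: dict) -> bool:
    """condition: all of selection_*  ->  selection_img AND selection_cli."""
    return _any_of(event, SELECTION_IMG) and _any_of(event, SELECTION_CLI)


# Constructed sample events (assumed values, not real telemetry).
SAMPLE_EVENTS = [
    {   # Renamed binary: Image misses, but OriginalFileName from the PE header hits.
        "Image": "C:\\Users\\Public\\update.exe",
        "OriginalFileName": "DeviceEnroller.exe",
        "CommandLine": "update.exe /PhoneDeepLink",
    },
    {   # Genuine path with the parameter the rule looks for.
        "Image": "C:\\Windows\\System32\\DeviceEnroller.exe",
        "OriginalFileName": "DeviceEnroller.exe",
        "CommandLine": "\"C:\\Windows\\System32\\DeviceEnroller.exe\" /PhoneDeepLink",
    },
    {   # DeviceEnroller.exe without the parameter: selection_cli fails.
        "Image": "C:\\Windows\\System32\\DeviceEnroller.exe",
        "OriginalFileName": "DeviceEnroller.exe",
        "CommandLine": "DeviceEnroller.exe /c",
    },
    {   # Unrelated process passing the string: selection_img fails.
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /PhoneDeepLink",
    },
]


def alerting_events(events) -> list:
    """Return the indices of the events the rule fires on."""
    return [i for i, e in enumerate(events) if rule_matches(e)]


if __name__ == "__main__":
    for i, e in enumerate(SAMPLE_EVENTS):
        print(i, "ALERT" if rule_matches(e) else "ok", e["CommandLine"])
```

Running the block reports alerts for the first two events only. For real deployments the same logic is produced by the Sigma converters (sigma-cli/pySigma) for your SIEM; this hand-written evaluator is only meant to make the rule's AND/OR structure visible.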
Related rules
- Renamed Vmnat.exe Execution
- Lazarus APT DLL Sideloading Activity
- Suspicious Unsigned Thor Scanner Execution
- Diamond Sleet APT DLL Sideloading Indicators
- Potential Azure Browser SSO Abuse