sigmaDRL-1.1from SigmaHQ/sigma
Potential DLL Sideloading Via DeviceEnroller.EXE
Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll". Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
Quality
82
FP risk
—
Forks
0
Views
0
ATT&CK techniques
Rule sourcerules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml
title: Potential DLL Sideloading Via DeviceEnroller.EXE
id: e173ad47-4388-4012-ae62-bd13f71c18a8
related:
- id: ee4c5d06-3abc-48cc-8885-77f1c20f4451
type: similar
status: test
description: |
Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll".
Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
references:
- https://mobile.twitter.com/0gtweet/status/1564131230941122561
- https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html
author: '@gott_cyber'
date: 2022-08-29
modified: 2023-02-04
tags:
- attack.privilege-escalation
- attack.persistence
- attack.defense-evasion
- attack.t1574.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\deviceenroller.exe'
- OriginalFileName: 'deviceenroller.exe'
selection_cli:
CommandLine|contains: '/PhoneDeepLink'
condition: all of selection_*
falsepositives:
- Unknown
level: medium