← Back to Explore
sigmamediumHunting
Potential DLL Sideloading Via DeviceEnroller.EXE
Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll". Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
Detection Query
selection_img:
- Image|endswith: \deviceenroller.exe
- OriginalFileName: deviceenroller.exe
selection_cli:
CommandLine|contains: /PhoneDeepLink
condition: all of selection_*
Author
@gott_cyber
Created
2022-08-29
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.privilege-escalationattack.persistenceattack.defense-evasionattack.t1574.001
Raw Content
title: Potential DLL Sideloading Via DeviceEnroller.EXE
id: e173ad47-4388-4012-ae62-bd13f71c18a8
related:
- id: ee4c5d06-3abc-48cc-8885-77f1c20f4451
type: similar
status: test
description: |
Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll".
Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
references:
- https://mobile.twitter.com/0gtweet/status/1564131230941122561
- https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html
author: '@gott_cyber'
date: 2022-08-29
modified: 2023-02-04
tags:
- attack.privilege-escalation
- attack.persistence
- attack.defense-evasion
- attack.t1574.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\deviceenroller.exe'
- OriginalFileName: 'deviceenroller.exe'
selection_cli:
CommandLine|contains: '/PhoneDeepLink'
condition: all of selection_*
falsepositives:
- Unknown
level: medium