
Potential DLL Sideloading Via DeviceEnroller.EXE (e173ad47-4388-4012-ae62-bd13f71c18a8)

Detects DeviceEnroller.exe being launched with the PhoneDeepLink parameter. With this parameter the binary attempts to load a DLL named "ShellChromeAPI.dll" that does not ship with Windows, so the load normally fails. An adversary can drop a DLL of their own, renamed to that name, in a location on the DLL search path and have DeviceEnroller.exe execute it by invoking the binary with this parameter.
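The detection logic the description states, run over constructed process-creation and image-load events, as an added example; this is not the page's or the Sigma project's own rule file, and the exact field names and modifiers of the published rule are not reproduced here. The Sysmon-style field names (Image, CommandLine, ParentImage, ImageLoaded), the sample events, and the outside-System32 triage heuristic are assumptions made for the example.

```python
from typing import Dict, Iterable, List, Tuple

Event = Dict[str, str]

# Constructed sample telemetry (not real logs). Field names follow the Sysmon
# convention (Image/CommandLine/ParentImage for process creation, ImageLoaded
# for image-load events); that naming is an assumption of this example.
SAMPLE_PROCESS_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\DeviceEnroller.exe",
     "CommandLine": r"C:\Windows\System32\DeviceEnroller.exe /PhoneDeepLink",
     "ParentImage": r"C:\Users\bob\Downloads\installer.exe"},
    {"Image": r"C:\Users\Public\staging\DeviceEnroller.exe",
     "CommandLine": r"DeviceEnroller.exe /phonedeeplink",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\DeviceEnroller.exe",
     "CommandLine": r"C:\Windows\System32\DeviceEnroller.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe /PhoneDeepLink",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

SAMPLE_IMAGE_LOAD_EVENTS: List[Event] = [
    {"Image": r"C:\Users\Public\staging\DeviceEnroller.exe",
     "ImageLoaded": r"C:\Users\Public\staging\ShellChromeAPI.dll"},
    {"Image": r"C:\Windows\System32\DeviceEnroller.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

SYSTEM32 = "c:\\windows\\system32\\"


def matches_rule(event: Event) -> bool:
    """The selection as the rule description states it: the process image is
    DeviceEnroller.exe and the command line carries the PhoneDeepLink
    parameter. Comparison is case-insensitive, like Sigma string matching."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return image.endswith("\\deviceenroller.exe") and "phonedeeplink" in cmdline


def shellchromeapi_loaded(event: Event) -> bool:
    """Image-load view of the same technique: ShellChromeAPI.dll does not ship
    with Windows, so DeviceEnroller.exe loading any file by that name means
    someone supplied it."""
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    return image.endswith("\\deviceenroller.exe") and loaded.endswith("\\shellchromeapi.dll")


def triage(event: Event) -> List[str]:
    """Reasons a matching process event deserves attention. The outside-System32
    check is an added heuristic (assumption): the legitimate binary lives in
    System32, so a copy elsewhere suggests it was staged beside a planted DLL."""
    reasons: List[str] = []
    if not matches_rule(event):
        return reasons
    reasons.append("DeviceEnroller.exe launched with PhoneDeepLink")
    if not event.get("Image", "").lower().startswith(SYSTEM32):
        reasons.append("binary running outside System32")
    return reasons


def scan_process_events(events: Iterable[Event]) -> List[Tuple[int, List[str]]]:
    """Index and triage reasons for every process event the rule fires on."""
    return [(i, triage(e)) for i, e in enumerate(events) if matches_rule(e)]


def scan_image_loads(events: Iterable[Event]) -> List[int]:
    """Indexes of image-load events where DeviceEnroller.exe loaded ShellChromeAPI.dll."""
    return [i for i, e in enumerate(events) if shellchromeapi_loaded(e)]


if __name__ == "__main__":
    for idx, reasons in scan_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"process event {idx}: {'; '.join(reasons)}")
    for idx in scan_image_loads(SAMPLE_IMAGE_LOAD_EVENTS):
        print(f"image-load event {idx}: DeviceEnroller.exe loaded ShellChromeAPI.dll")
```

Events 0 and 1 trigger the rule; event 1 is the more interesting hit because the binary runs from a user-writable directory, and the matching image-load event shows the planted ShellChromeAPI.dll being loaded from the same directory. Event 2 (no parameter) and event 3 (wrong image) do not fire, which is the behaviour the description implies: the parameter alone is not enough, the image must be DeviceEnroller.exe.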

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Potential DLL Sideloading Via DeviceEnroller.EXE (e173ad47-4388-4012-ae62-bd13f71c18a8) | Sigma-Rules | DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b) | Attack Pattern | 1 |
| DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b) | Attack Pattern | Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | 2 |