
Potential DLL Sideloading Via DeviceEnroller.EXE (e173ad47-4388-4012-ae62-bd13f71c18a8)

Detects use of the PhoneDeepLink parameter of DeviceEnroller.exe, which attempts to load a DLL named "ShellChromeAPI.dll" that does not exist on the system. Adversaries can drop their own renamed DLL under that name and have DeviceEnroller.exe execute it via this parameter.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Potential DLL Sideloading Via DeviceEnroller.EXE (e173ad47-4388-4012-ae62-bd13f71c18a8) | Sigma-Rules | DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) | Attack Pattern | 1 |
| Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) | Attack Pattern | 2 |