
DLL Sideloading Of ShellChromeAPI.DLL (ee4c5d06-3abc-48cc-8885-77f1c20f4451)

Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary, which, when run with the "PhoneDeepLink" flag, tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) | Attack Pattern | DLL Sideloading Of ShellChromeAPI.DLL (ee4c5d06-3abc-48cc-8885-77f1c20f4451) | Sigma-Rules | 1 |
| Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) | Attack Pattern | 2 |