Skip to content

Hide Navigation Hide TOC

DLL Sideloading Of ShellChromeAPI.DLL (ee4c5d06-3abc-48cc-8885-77f1c20f4451)

Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter

Cluster A Galaxy A Cluster B Galaxy B Level
DLL Sideloading Of ShellChromeAPI.DLL (ee4c5d06-3abc-48cc-8885-77f1c20f4451) Sigma-Rules DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b) Attack Pattern 1
DLL Sideloading Of ShellChromeAPI.DLL (ee4c5d06-3abc-48cc-8885-77f1c20f4451) Sigma-Rules DLL Search Order Hijacking - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 1
DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b) Attack Pattern Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern DLL Search Order Hijacking - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 2