From 2a6c27b7b5f9f6bbf9ffd05e9e7a67d4e9ca09e8 Mon Sep 17 00:00:00 2001
From: Gott <47673777+danielgottt@users.noreply.github.com>
Date: Mon, 29 Aug 2022 11:35:54 -0400
Subject: [PATCH] Create proc_creation_win_deviceenroller_evasion.yml

---
 ...oc_creation_win_deviceenroller_evasion.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_deviceenroller_evasion.yml

diff --git a/rules/windows/process_creation/proc_creation_win_deviceenroller_evasion.yml b/rules/windows/process_creation/proc_creation_win_deviceenroller_evasion.yml
new file mode 100644
index 000000000..dbe06719f
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_deviceenroller_evasion.yml
@@ -0,0 +1,26 @@
+title: DLL Sideloading via DeviceEnroller.exe
+id: e173ad47-4388-4012-ae62-bd13f71c18a8
+description: Recent research discovered that DeviceEnroller.exe will load the DLL ShellChromeAPI.dll which does not exist
+references:
+    - https://mobile.twitter.com/0gtweet/status/1564131230941122561
+    - https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html
+status: experimental
+author: '@gott_cyber'
+date: 2022/08/29
+tags:
+    - attack.defense.evasion
+    - attack.t1574.002
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage|endswith:
+            - '\cmd.exe'
+            - '\powershell.exe'
+        Image|endswith: '\deviceenroller.exe'
+        CommandLine|re: '(/PhoneDeepLink|/phonedeeplink)'
+    condition: selection
+falsepositives:
+    - unknown
+level: medium
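Review bot: The `CommandLine|re: '(/PhoneDeepLink|/phonedeeplink)'` selection is case-sensitive and matches only two spellings of the switch, while Windows accepts the argument regardless of casing, so the rule misses equivalent command lines and also depends on backend regex support; the Sigma `contains` modifier is case-insensitive on the common backends and needs no regex, so `CommandLine|contains: '/PhoneDeepLink'` is both more complete and more portable. The description records the research finding but not what the rule actually matches; a sentence such as `Detects execution of DeviceEnroller.exe with the /PhoneDeepLink argument, which the referenced research reports causes it to attempt loading the non-existent ShellChromeAPI.dll, a DLL sideloading opportunity` would make the alert actionable for an analyst. The ParentImage restriction to cmd.exe and powershell.exe confines coverage to shell-launched instances; if that is a deliberate false-positive trade-off it is worth stating in the description, and the `falsepositives` entry should follow the repository's `Unknown` capitalisation.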