Potential DLL Sideloading Via DeviceEnroller.EXE

Sigma Rules

Summary
This detection rule identifies potential DLL sideloading through the DeviceEnroller.exe process by inspecting its invocation parameters. Specifically, it targets invocations that use the PhoneDeepLink parameter, which causes DeviceEnroller to look for a DLL named "ShellChromeAPI.dll" that does not exist on a default system. An adversary can abuse this by dropping a malicious DLL under that name in the searched location and executing it through DeviceEnroller. The detection monitors process creation events and checks the command line for the parameter that indicates a sideloading attempt. The rule also correlates both the image path and the original filename associated with DeviceEnroller.exe, so that a renamed copy of the binary is still caught and false negatives from such evasion are minimized.
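As an added example (not the rule's own source), the matching logic the summary describes, applied in Python to constructed process-creation events; the `/PhoneDeepLink` argument form and the file paths are assumptions.

```python
from dataclasses import dataclass


@dataclass
class ProcessCreate:
    """A process-creation event in the style of Sysmon event ID 1."""
    image: str               # full path of the started executable
    original_file_name: str  # OriginalFileName from the PE version resource
    command_line: str


def is_device_enroller(ev: ProcessCreate) -> bool:
    """True when the image path or the PE metadata identifies DeviceEnroller.exe.

    Checking OriginalFileName as well as Image catches a renamed copy of the
    binary, which is why the rule correlates both fields. Comparison is
    case-insensitive, as Sigma string matching is by default."""
    return (ev.image.lower().endswith("\\deviceenroller.exe")
            or ev.original_file_name.lower() == "deviceenroller.exe")


def matches_rule(ev: ProcessCreate) -> bool:
    """Rule condition: DeviceEnroller started with the PhoneDeepLink parameter."""
    return is_device_enroller(ev) and "phonedeeplink" in ev.command_line.lower()


def find_hits(events):
    """Return the events that satisfy the rule; triage each hit by checking
    whether a ShellChromeAPI.dll appeared in the DeviceEnroller search path."""
    return [ev for ev in events if matches_rule(ev)]


# Constructed sample events (not real telemetry); paths and arguments are illustrative.
SAMPLE_EVENTS = [
    # 1. ordinary invocation without the suspicious parameter: no hit
    ProcessCreate(r"C:\Windows\System32\DeviceEnroller.exe", "DeviceEnroller.exe",
                  r"C:\Windows\System32\DeviceEnroller.exe"),
    # 2. PhoneDeepLink used from the normal path: hit
    ProcessCreate(r"C:\Windows\System32\DeviceEnroller.exe", "DeviceEnroller.exe",
                  r"C:\Windows\System32\DeviceEnroller.exe /PhoneDeepLink"),
    # 3. renamed copy: Image no longer matches, but OriginalFileName still does: hit
    ProcessCreate(r"C:\Users\Public\updater.exe", "DeviceEnroller.exe",
                  r"C:\Users\Public\updater.exe /PhoneDeepLink"),
    # 4. unrelated binary that merely mentions the same string: no hit
    ProcessCreate(r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
                  r"cmd.exe /c echo /PhoneDeepLink"),
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT: potential DLL sideloading via DeviceEnroller:", hit.command_line)
```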
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Application Log
Created: 2022-08-29