Registry Persistence via AppCert DLL
Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/18"
3integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
4maturity = "production"
5min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
6min_stack_version = "8.14.0"
7updated_date = "2024/10/15"
8
9[rule]
10author = ["Elastic"]
11description = """
12Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every
13process using the common API functions to create processes.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Registry Persistence via AppCert DLL"
20risk_score = 47
21rule_id = "513f0ffd-b317-4b9c-9494-92ce861f22c7"
22setup = """## Setup
23
24If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
25events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
26Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
27`event.ingested` to @timestamp.
28For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
29"""
30severity = "medium"
31tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"]
32timestamp_override = "event.ingested"
33type = "eql"
34
35query = '''
36registry where host.os.type == "windows" and event.type == "change" and
37 registry.path : (
38 "HKLM\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*",
39 "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*",
40 "MACHINE\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*"
41 )
42'''
43
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47[[rule.threat.technique]]
48id = "T1546"
49name = "Event Triggered Execution"
50reference = "https://attack.mitre.org/techniques/T1546/"
51[[rule.threat.technique.subtechnique]]
52id = "T1546.009"
53name = "AppCert DLLs"
54reference = "https://attack.mitre.org/techniques/T1546/009/"
55
56
57
58[rule.threat.tactic]
59id = "TA0003"
60name = "Persistence"
61reference = "https://attack.mitre.org/tactics/TA0003/"
62
63[[rule.threat]]
64framework = "MITRE ATT&CK"
65[[rule.threat.technique]]
66id = "T1546"
67name = "Event Triggered Execution"
68reference = "https://attack.mitre.org/techniques/T1546/"
69[[rule.threat.technique.subtechnique]]
70id = "T1546.009"
71name = "AppCert DLLs"
72reference = "https://attack.mitre.org/techniques/T1546/009/"
73
74
75
76[rule.threat.tactic]
77id = "TA0004"
78name = "Privilege Escalation"
79reference = "https://attack.mitre.org/tactics/TA0004/"
Related rules
- Creation or Modification of a new GPO Scheduled Task or Service
- Persistence via PowerShell profile
- Persistence via TelemetryController Scheduled Task Hijack
- Potential Persistence via Time Provider Modification
- Suspicious WerFault Child Process