Registry Persistence via AppCert DLL
Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/11/18"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every
process using the common API functions to create processes.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
language = "eql"
license = "Elastic License v2"
name = "Registry Persistence via AppCert DLL"
risk_score = 47
rule_id = "513f0ffd-b317-4b9c-9494-92ce861f22c7"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.type == "change" and
  registry.path : (
    "HKLM\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*",
    "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*",
    "MACHINE\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*"
  )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Registry Persistence via AppCert DLL

AppCert DLLs are dynamic link libraries that can be configured to load with every process that uses common API functions to create processes on Windows systems. This feature is intended for legitimate use, such as application compatibility. However, adversaries can exploit this by inserting malicious DLLs into the registry path, ensuring their code executes persistently across system reboots. The detection rule identifies changes to specific registry paths associated with AppCert DLLs, flagging potential unauthorized modifications indicative of persistence or privilege escalation attempts. By monitoring these registry changes, security analysts can detect and respond to such threats effectively.

### Possible investigation steps

- Review the specific registry path changes identified in the alert to confirm if they match the paths specified in the query: "HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*", "\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*", or "MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*".
- Check the timestamp of the registry change event to determine when the modification occurred and correlate it with other system activities or logs around the same time.
- Identify the user account or process responsible for the registry modification by examining the event logs or security logs to determine if it was an authorized change or potentially malicious activity.
- Investigate the DLL file specified in the registry change for any known malicious signatures or behaviors using threat intelligence sources or antivirus tools.
- Analyze the system for any additional indicators of compromise or persistence mechanisms, such as unusual scheduled tasks, startup items, or other registry modifications.
- Review historical data to determine if similar registry changes have occurred in the past, which might indicate a recurring threat or persistent adversary activity.

### False positive analysis

- Legitimate software installations or updates may modify the AppCert DLL registry paths as part of their setup process. Users can handle these by creating exceptions for known and trusted software vendors.
- System administrators might intentionally configure AppCert DLLs for application compatibility purposes. To manage this, maintain a list of approved configurations and exclude these from alerts.
- Security tools or endpoint protection software might interact with these registry paths during routine scans or updates. Identify and whitelist these tools to prevent unnecessary alerts.
- Custom enterprise applications may use AppCert DLLs for legitimate process monitoring or enhancement. Collaborate with application developers to document these cases and exclude them from detection.
- Regular system maintenance scripts or group policies might inadvertently trigger changes in these registry paths. Review and adjust these scripts or policies to minimize false positives, or document and exclude them if they are necessary.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further spread or communication with potential command and control servers.
- Use endpoint detection and response (EDR) tools to terminate any suspicious processes associated with the malicious AppCert DLLs identified in the registry paths.
- Remove the unauthorized AppCert DLL entries from the registry paths: HKLM\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\* to eliminate persistence mechanisms.
- Conduct a thorough scan of the system using updated antivirus and anti-malware tools to identify and remove any additional malicious files or remnants.
- Review and restore any system files or configurations that may have been altered by the malicious DLLs to ensure system integrity.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
- Implement enhanced monitoring and logging for the specific registry paths and related process creation activities to detect any future unauthorized changes promptly."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.009"
name = "AppCert DLLs"
reference = "https://attack.mitre.org/techniques/T1546/009/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.009"
name = "AppCert DLLs"
reference = "https://attack.mitre.org/techniques/T1546/009/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
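The rule's predicate is small enough to reproduce outside Elasticsearch, which is useful for checking what it does and does not cover before deploying it. The following Python is an added example, not Elastic's code: it re-implements the query's three conditions (Windows host, a "change" registry event, and a path matching one of the three AppCertDLLs patterns under EQL's case-insensitive `:` wildcard match) and runs them over a handful of constructed, flattened ECS events. The `triage` helper, the allowlist it takes, and the sample events are assumptions of this example, standing in for the "exceptions for known and trusted software" the false-positive section recommends; in a real deployment that allowlist would be a rule exception rather than code.

```python
import re

# Registry paths from the rule's EQL query. The query spells a single
# backslash as "\\" inside an EQL string; these are the decoded values.
APPCERT_PATHS = (
    r"HKLM\SYSTEM\*ControlSet*\Control\Session Manager\AppCertDLLs\*",
    r"\REGISTRY\MACHINE\SYSTEM\*ControlSet*\Control\Session Manager\AppCertDLLs\*",
    r"MACHINE\SYSTEM\*ControlSet*\Control\Session Manager\AppCertDLLs\*",
)


def eql_wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an EQL ':' wildcard pattern into a compiled regex.

    EQL's ':' operator compares case-insensitively; '*' matches any run of
    characters (including none) and '?' matches exactly one character.
    Everything else, backslashes included, is literal.
    """
    pieces = []
    for ch in pattern:
        if ch == "*":
            pieces.append(".*")
        elif ch == "?":
            pieces.append(".")
        else:
            pieces.append(re.escape(ch))
    return re.compile("".join(pieces), re.IGNORECASE | re.DOTALL)


APPCERT_REGEXES = tuple(eql_wildcard_to_regex(p) for p in APPCERT_PATHS)


def _values(field):
    """ECS fields such as event.type may hold a single value or a list."""
    if field is None:
        return []
    return field if isinstance(field, list) else [field]


def matches_rule(event: dict) -> bool:
    """Apply the rule's predicate to one flattened ECS registry event."""
    if "windows" not in _values(event.get("host.os.type")):
        return False
    if "change" not in _values(event.get("event.type")):
        return False
    path = event.get("registry.path")
    if not isinstance(path, str):
        return False
    # fullmatch: the pattern must cover the whole path, as EQL ':' does.
    return any(rx.fullmatch(path) for rx in APPCERT_REGEXES)


def triage(events, trusted_dlls=()):
    """Return (registry.path, dll) for each matching event whose written DLL
    is not allowlisted. The allowlist is this example's assumption, modelling
    the vendor exceptions the false-positive section suggests."""
    trusted = {d.lower() for d in trusted_dlls}
    findings = []
    for ev in events:
        if not matches_rule(ev):
            continue
        dll = (_values(ev.get("registry.data.strings")) or [None])[0]
        if dll and dll.lower() in trusted:
            continue
        findings.append((ev["registry.path"], dll))
    return findings


# Constructed sample events (not real telemetry), shaped like the flattened
# documents the rule's index patterns contain.
SAMPLE_EVENTS = [
    {   # Sysmon-style HKLM prefix: matches.
        "host.os.type": "windows", "event.type": ["change"],
        "registry.path": r"HKLM\SYSTEM\ControlSet001\Control\Session Manager\AppCertDLLs\updater",
        "registry.data.strings": [r"C:\ProgramData\Updater\hook.dll"],
    },
    {   # Kernel-style \REGISTRY\MACHINE prefix: matches via the second pattern.
        "host.os.type": "windows", "event.type": "change",
        "registry.path": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDLLs\compat",
        "registry.data.strings": [r"C:\Program Files\Vendor\appcompat.dll"],
    },
    {   # Same key, but a deletion: the rule only looks at "change" events.
        "host.os.type": "windows", "event.type": ["deletion"],
        "registry.path": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDLLs\updater",
    },
    {   # A neighbouring Session Manager value: does not match.
        "host.os.type": "windows", "event.type": ["change"],
        "registry.path": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path",
    },
    {   # Right path shape, wrong OS: the host.os.type guard excludes it.
        "host.os.type": "linux", "event.type": ["change"],
        "registry.path": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDLLs\x",
    },
]


def run_sample():
    """Per-event match results and triage findings for the constructed events."""
    matched = [matches_rule(ev) for ev in SAMPLE_EVENTS]
    findings = triage(SAMPLE_EVENTS, trusted_dlls=[r"C:\Program Files\Vendor\appcompat.dll"])
    return matched, findings


if __name__ == "__main__":
    matched, findings = run_sample()
    for hit, ev in zip(matched, SAMPLE_EVENTS):
        print(f"{'ALERT' if hit else '  -  '} {ev['registry.path']}")
    print("needs analyst review:", findings)
```

Two properties of the query are visible in the sample run: a write to a value under the key is matched regardless of hive prefix or letter case, while a deletion of that same value is not, since the rule only selects `event.type == "change"`. Anyone relying on this rule to catch cleanup of an AppCert entry would need a separate rule for deletion events.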
Related rules
- Creation or Modification of a new GPO Scheduled Task or Service
- Persistence via PowerShell profile
- Persistence via TelemetryController Scheduled Task Hijack
- Potential Persistence via Time Provider Modification
- Suspicious WerFault Child Process