Registry Persistence via AppCert DLL
Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes.
Elastic rule
[metadata]
creation_date = "2020/11/18"
integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"

[rule]
author = ["Elastic"]
description = """
Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every
process using the common API functions to create processes.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Registry Persistence via AppCert DLL"
note = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
risk_score = 47
rule_id = "513f0ffd-b317-4b9c-9494-92ce861f22c7"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and
/* uncomment once stable length(bytes_written_string) > 0 and */
  registry.path : (
    "HKLM\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*",
    "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*"
  )
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.009"
name = "AppCert DLLs"
reference = "https://attack.mitre.org/techniques/T1546/009/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
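To show what the EQL query above actually matches, here is an added Python re-implementation of its conditions run over constructed registry events. It is not Elastic's code; the events, field names (flattened ECS-style keys) and the wildcard-to-regex translation are assumptions made for the example, and it deliberately includes near-misses (a sibling key, the AppCertDLLs key itself with no value below it, a non-registry event) so the boundaries of the two path patterns are visible.

```python
import re

# Path patterns copied from the rule's EQL query. The EQL ':' comparison is
# case-insensitive and '*' matches any run of characters, including none.
# Python raw strings keep the single backslashes the TOML's "\\" escapes denote.
APPCERT_PATTERNS = (
    r"HKLM\SYSTEM\*ControlSet*\Control\Session Manager\AppCertDLLs\*",
    r"\REGISTRY\MACHINE\SYSTEM\*ControlSet*\Control\Session Manager\AppCertDLLs\*",
)


def eql_wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate an EQL ':' wildcard pattern into an anchored, case-insensitive regex."""
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$", re.IGNORECASE)


_COMPILED = tuple(eql_wildcard_to_regex(p) for p in APPCERT_PATTERNS)


def matches_rule(event: dict) -> bool:
    """Apply the rule's conditions to one flattened, ECS-style event dict (assumed layout)."""
    if event.get("event.category") != "registry":   # 'registry where ...'
        return False
    if event.get("host.os.type") != "windows":      # host.os.type == "windows"
        return False
    path = event.get("registry.path", "")
    # Both patterns end in 'AppCertDLLs\*', so the path needs a component below the
    # key (a value name); a path that stops at the key itself does not match.
    return any(rx.match(path) for rx in _COMPILED)


def scan(events: list) -> list:
    """Return the events that would fire this rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"event.category": "registry", "host.os.type": "windows",   # fires: value under the key
     "registry.path": r"HKLM\SYSTEM\ControlSet001\Control\Session Manager\AppCertDLLs\example"},
    {"event.category": "registry", "host.os.type": "windows",   # fires: kernel-style path, odd casing
     "registry.path": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\appcertdlls\example"},
    {"event.category": "registry", "host.os.type": "windows",   # no: sibling key
     "registry.path": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path"},
    {"event.category": "registry", "host.os.type": "windows",   # no: the key itself, nothing below it
     "registry.path": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDLLs"},
    {"event.category": "process", "host.os.type": "windows",    # no: not a registry event
     "registry.path": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDLLs\example"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit["registry.path"])
```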