Registry Persistence via AppCert DLL

  1[metadata]
  2creation_date = "2020/11/18"
  3integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
  4maturity = "production"
  5updated_date = "2025/03/20"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every
 11process using the common API functions to create processes.
 12"""
 13from = "now-9m"
 14index = [
 15    "winlogbeat-*",
 16    "logs-endpoint.events.registry-*",
 17    "logs-windows.sysmon_operational-*",
 18    "endgame-*",
 19    "logs-sentinel_one_cloud_funnel.*",
 20    "logs-m365_defender.event-*",
 21]
 22language = "eql"
 23license = "Elastic License v2"
 24name = "Registry Persistence via AppCert DLL"
 25note = """## Triage and analysis
 26
 27> **Disclaimer**:
 28> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 29
 30### Investigating Registry Persistence via AppCert DLL
 31
 32AppCert DLLs are dynamic link libraries that can be configured to load with every process that uses common API functions to create processes on Windows systems. This feature is intended for legitimate use, such as application compatibility. However, adversaries can exploit this by inserting malicious DLLs into the registry path, ensuring their code executes persistently across system reboots. The detection rule identifies changes to specific registry paths associated with AppCert DLLs, flagging potential unauthorized modifications indicative of persistence or privilege escalation attempts. By monitoring these registry changes, security analysts can detect and respond to such threats effectively.
 33
 34### Possible investigation steps
 35
 36- Review the specific registry path changes identified in the alert to confirm if they match the paths specified in the query: "HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*", "\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*", or "MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*".
 37- Check the timestamp of the registry change event to determine when the modification occurred and correlate it with other system activities or logs around the same time.
 38- Identify the user account or process responsible for the registry modification by examining the event logs or security logs to determine if it was an authorized change or potentially malicious activity.
 39- Investigate the DLL file specified in the registry change for any known malicious signatures or behaviors using threat intelligence sources or antivirus tools.
 40- Analyze the system for any additional indicators of compromise or persistence mechanisms, such as unusual scheduled tasks, startup items, or other registry modifications.
 41- Review historical data to determine if similar registry changes have occurred in the past, which might indicate a recurring threat or persistent adversary activity.
 42
 43### False positive analysis
 44
 45- Legitimate software installations or updates may modify the AppCert DLL registry paths as part of their setup process. Users can handle these by creating exceptions for known and trusted software vendors.
 46- System administrators might intentionally configure AppCert DLLs for application compatibility purposes. To manage this, maintain a list of approved configurations and exclude these from alerts.
 47- Security tools or endpoint protection software might interact with these registry paths during routine scans or updates. Identify and whitelist these tools to prevent unnecessary alerts.
 48- Custom enterprise applications may use AppCert DLLs for legitimate process monitoring or enhancement. Collaborate with application developers to document these cases and exclude them from detection.
 49- Regular system maintenance scripts or group policies might inadvertently trigger changes in these registry paths. Review and adjust these scripts or policies to minimize false positives, or document and exclude them if they are necessary.
 50
 51### Response and remediation
 52
 53- Immediately isolate the affected system from the network to prevent further spread or communication with potential command and control servers.
 54- Use endpoint detection and response (EDR) tools to terminate any suspicious processes associated with the malicious AppCert DLLs identified in the registry paths.
 55- Remove the unauthorized AppCert DLL entries from the registry paths: HKLM\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\* to eliminate persistence mechanisms.
 56- Conduct a thorough scan of the system using updated antivirus and anti-malware tools to identify and remove any additional malicious files or remnants.
 57- Review and restore any system files or configurations that may have been altered by the malicious DLLs to ensure system integrity.
 58- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
 59- Implement enhanced monitoring and logging for the specific registry paths and related process creation activities to detect any future unauthorized changes promptly."""
 60risk_score = 47
 61rule_id = "513f0ffd-b317-4b9c-9494-92ce861f22c7"
 62setup = """## Setup
 63
 64If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
 65events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
 66Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
 67`event.ingested` to @timestamp.
 68For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 69"""
 70severity = "medium"
 71tags = [
 72    "Domain: Endpoint",
 73    "OS: Windows",
 74    "Use Case: Threat Detection",
 75    "Tactic: Persistence",
 76    "Tactic: Privilege Escalation",
 77    "Data Source: Elastic Endgame",
 78    "Data Source: Elastic Defend",
 79    "Data Source: Sysmon",
 80    "Data Source: SentinelOne",
 81    "Data Source: Microsoft Defender for Endpoint",
 82    "Resources: Investigation Guide",
 83]
 84timestamp_override = "event.ingested"
 85type = "eql"
 86
 87query = '''
 88registry where host.os.type == "windows" and event.type == "change" and
 89  registry.path : (
 90    "HKLM\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*",
 91    "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*",
 92    "MACHINE\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*"
 93  )
 94'''
 95
 96
 97[[rule.threat]]
 98framework = "MITRE ATT&CK"
 99[[rule.threat.technique]]
100id = "T1546"
101name = "Event Triggered Execution"
102reference = "https://attack.mitre.org/techniques/T1546/"
103[[rule.threat.technique.subtechnique]]
104id = "T1546.009"
105name = "AppCert DLLs"
106reference = "https://attack.mitre.org/techniques/T1546/009/"
107
108
109
110[rule.threat.tactic]
111id = "TA0003"
112name = "Persistence"
113reference = "https://attack.mitre.org/tactics/TA0003/"
114[[rule.threat]]
115framework = "MITRE ATT&CK"
116[[rule.threat.technique]]
117id = "T1546"
118name = "Event Triggered Execution"
119reference = "https://attack.mitre.org/techniques/T1546/"
120[[rule.threat.technique.subtechnique]]
121id = "T1546.009"
122name = "AppCert DLLs"
123reference = "https://attack.mitre.org/techniques/T1546/009/"
124
125
126
127[rule.threat.tactic]
128id = "TA0004"
129name = "Privilege Escalation"
130reference = "https://attack.mitre.org/tactics/TA0004/"