Registry Persistence via AppCert DLL
Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/18"
3integration = ["endpoint", "windows"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/10/23"
8
9[rule]
10author = ["Elastic"]
11description = """
12Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every
13process using the common API functions to create processes.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Registry Persistence via AppCert DLL"
20risk_score = 47
21rule_id = "513f0ffd-b317-4b9c-9494-92ce861f22c7"
22setup = """
23
24If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
25events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
26Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
27`event.ingested` to @timestamp.
28For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
29"""
30severity = "medium"
31tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
32timestamp_override = "event.ingested"
33type = "eql"
34
35query = '''
36registry where host.os.type == "windows" and
37/* uncomment once stable length(bytes_written_string) > 0 and */
38 registry.path : (
39 "HKLM\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*",
40 "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*"
41 )
42'''
43
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47[[rule.threat.technique]]
48id = "T1546"
49name = "Event Triggered Execution"
50reference = "https://attack.mitre.org/techniques/T1546/"
51[[rule.threat.technique.subtechnique]]
52id = "T1546.009"
53name = "AppCert DLLs"
54reference = "https://attack.mitre.org/techniques/T1546/009/"
55
56
57
58[rule.threat.tactic]
59id = "TA0003"
60name = "Persistence"
61reference = "https://attack.mitre.org/tactics/TA0003/"
62
63[[rule.threat]]
64framework = "MITRE ATT&CK"
65[[rule.threat.technique]]
66id = "T1546"
67name = "Event Triggered Execution"
68reference = "https://attack.mitre.org/techniques/T1546/"
69[[rule.threat.technique.subtechnique]]
70id = "T1546.009"
71name = "AppCert DLLs"
72reference = "https://attack.mitre.org/techniques/T1546/009/"
73
74
75
76[rule.threat.tactic]
77id = "TA0004"
78name = "Privilege Escalation"
79reference = "https://attack.mitre.org/tactics/TA0004/"
Related rules
- Component Object Model Hijacking
- Creation or Modification of a new GPO Scheduled Task or Service
- Persistence via TelemetryController Scheduled Task Hijack
- Persistence via Update Orchestrator Service Hijack
- Suspicious DLL Loaded for Persistence or Privilege Escalation