AppInit DLL Installation
One persistence mechanism used by some variations of SmashJacker was an AppInit DLL. It would use a reg.exe command to create appropriate Windows Registry keys for persistence. Part of the RedCanary 2024 Threat Detection Report.
Sigma rule
```yaml
title: AppInit DLL Installation
id: 65e7b868-ebe9-4e8a-b828-3bd2181bc407
status: experimental
description: |
  One persistence mechanism used by some variations of SmashJacker was an AppInit DLL.
  It would use a reg.exe command to create appropriate Windows Registry keys for
  persistence. Part of the RedCanary 2024 Threat Detection Report.
references:
  - https://redcanary.com/threat-detection-report/threats/smashjacker/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
  - attack.privilege_escalation
  - attack.persistence
  - attack.t1546
  - attack.t1546.010
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\reg.exe'
    CommandLine|contains|all:
      - 'add'
      - 'AppInit_DLLs'
  condition: selection
falsepositives:
  - Unknown
level: low
```
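As an added illustration (not part of this rule page, RedCanary's report, or the Sigma project), the following Python evaluates the rule's `selection` block over a handful of constructed `process_creation` events. Sigma's `endswith` and `contains` modifiers are case-insensitive, which the code reproduces. The registry key paths are the documented 64-bit and `Wow6432Node` locations of the `AppInit_DLLs` value; the DLL names, the "Address Book" key, and the tighter `matches_strict` variant are assumptions of this example, not part of the rule.

```python
"""Evaluate the 'AppInit DLL Installation' Sigma selection over sample events.

Added example; constructed events only, not the rule page's or RedCanary's code.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class ProcessEvent:
    """Minimal process_creation record: the two fields the rule inspects."""
    image: str          # full path of the created process
    command_line: str   # its command line as logged


def matches_sigma_selection(ev: ProcessEvent) -> bool:
    """Literal translation of the rule's 'selection' block.

    Sigma string modifiers are case-insensitive, so both sides are lower-cased.
    'contains|all' means every listed substring must appear in the command line.
    """
    image = ev.image.lower()
    cmd = ev.command_line.lower()
    return image.endswith("\\reg.exe") and all(
        term in cmd for term in ("add", "appinit_dlls")
    )


# Tighter variant (an assumption of this example, not part of the rule): require
# 'add' to be reg.exe's subcommand instead of matching it anywhere in the string.
_REG_ADD = re.compile(r'^\s*"?(?:[^"\s]*\\)?reg(?:\.exe)?"?\s+add\s', re.IGNORECASE)


def matches_strict(ev: ProcessEvent) -> bool:
    return (
        ev.image.lower().endswith("\\reg.exe")
        and _REG_ADD.match(ev.command_line) is not None
        and "appinit_dlls" in ev.command_line.lower()
    )


def find_matches(events: Iterable[ProcessEvent], strict: bool = False) -> List[ProcessEvent]:
    """Return the events the chosen predicate flags, in input order."""
    check = matches_strict if strict else matches_sigma_selection
    return [e for e in events if check(e)]


# Real locations of the AppInit_DLLs value (64-bit view and the 32-bit Wow6432Node view).
APPINIT_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
APPINIT_KEY_WOW = r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows"

# Constructed sample events; DLL paths and the 'Placeholder' keys are placeholders.
SAMPLE_EVENTS = [
    # 0: the pattern the rule targets, reg.exe writing AppInit_DLLs
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 'reg add "' + APPINIT_KEY + r'" /v AppInit_DLLs /t REG_SZ /d C:\Users\Public\placeholder.dll /f'),
    # 1: same write through the 32-bit view, mixed case, quoted image path
    ProcessEvent(r"C:\Windows\SysWOW64\REG.EXE",
                 r'"C:\Windows\SysWOW64\REG.EXE" ADD "' + APPINIT_KEY_WOW + r'" /v appinit_dlls /d C:\Temp\placeholder.dll /f'),
    # 2: read-only query of the value; no 'add' substring anywhere, so no match
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 'reg query "' + APPINIT_KEY + '" /v AppInit_DLLs'),
    # 3: a query whose key name happens to contain 'add' ("Address"): the literal
    #    rule fires, the strict variant does not
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r'reg query "HKCU\Software\Placeholder Address Book" /v AppInit_DLLs'),
    # 4: same value set by another tool; outside this rule's reg.exe scope
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -c \"Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows' -Name AppInit_DLLs -Value x\""),
    # 5: unrelated reg add, lacks the AppInit_DLLs term, so no match
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r"reg add HKCU\Software\Placeholder /v Setting /d 1 /f"),
]


if __name__ == "__main__":
    for e in find_matches(SAMPLE_EVENTS):
        print("ALERT (sigma selection):", e.command_line)
    for e in find_matches(SAMPLE_EVENTS, strict=True):
        print("ALERT (strict):", e.command_line)
```

Event 3 illustrates why the rule is rated `low`: `contains` is a substring test, so any key or path with `add` in it satisfies the first term, and the `AppInit_DLLs` term alone does not distinguish a read from a write. Requiring `add` as the subcommand removes that class of noise without losing the two real writes. Event 4 shows the other gap: the same value set through PowerShell or the registry API never creates a `reg.exe` process, so full coverage of this persistence location needs a registry-event rule alongside this process-creation one.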
Related rules
- Non-Microsoft App Package Installation Process
- Package Support Framework (PSF) Advanced Installer Processes
- Non-depmod Process Modifying modules.dep
- PowerShell Startup Folder Persistence
- Shells Modifying Files in Known Linux Kernel Modules Directories