New DLL Added to AppCertDlls Registry Key

DLLs listed as values under the AppCertDlls Registry key (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls) are loaded into every process that calls the CreateProcess family of APIs (CreateProcess, CreateProcessAsUser, CreateProcessWithLogonW, CreateProcessWithTokenW, WinExec). An adversary who can write to this key, which requires administrative rights, therefore gets a malicious DLL loaded and run in the context of many separate processes on the computer: persistence across reboots and, when a higher-privileged process spawns a child, privilege escalation. The key does not exist on a default Windows install, so its creation is itself a strong signal.

Sigma rule

title: New DLL Added to AppCertDlls Registry Key
id: 6aa1d992-5925-4e9f-a49b-845e51d1de01
status: test
description: |
  Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation
  by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
references:
    - http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
    - https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html
author: Ilyas Ochkov, oscd.community
date: 2019-10-25
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.009
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        # Sysmon normalises HKLM\SYSTEM\ControlSetXXX\.. to HKLM\SYSTEM\CurrentControlSet\.. when ControlSetXXX is the active one
        - TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
        # key rename (Sysmon Event ID 14): the renamed-to path lands in NewName
        - NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
    condition: selection
fields:
    - EventID
    - Image
    - TargetObject
    - NewName
falsepositives:
    - Unknown
level: medium
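The two list items under selection are OR-ed, and each is an exact (case-insensitive) match on the full key path. That fires on creation of the key (Sysmon Event ID 12) and on a rename that produces the key (Event ID 14), but a value written under an already existing key (Event ID 13) carries the value name at the end of TargetObject and is not an exact match. The following added example, which is not part of the rule or the Sigma project, runs the selection as written and a contains-style variant over a handful of constructed Sysmon registry events to show that difference; the events, image paths and value names are invented for illustration.

```python
"""Evaluate the AppCertDlls Sigma selection against constructed Sysmon registry events.

The sample events below are constructed for illustration and were not captured
from a real host. Field names follow Sysmon (EventID, Image, TargetObject,
NewName, Details); Event ID 12 = key create/delete, 13 = value set, 14 = rename.
"""
from typing import Callable, Dict, List, Optional

APPCERT_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls"

# Constructed sample log (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 0: key created with regedit -> exact match on the key path
    {"EventID": "12", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": APPCERT_KEY},
    # 1: a DLL path written as a value under the key -> TargetObject ends with the value name
    {"EventID": "13", "Image": r"C:\Users\bob\AppData\Local\Temp\evil.exe",
     "TargetObject": APPCERT_KEY + r"\loader",
     "Details": r"C:\ProgramData\loader.dll"},
    # 2: a staged key renamed to the real name -> NewName carries the key path
    {"EventID": "14", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": APPCERT_KEY + "_staging",
     "NewName": APPCERT_KEY},
    # 3: unrelated Session Manager activity -> must not match either variant
    {"EventID": "13", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
                     r"\Memory Management\PagingFiles"},
]


def _eq(value: Optional[str], pattern: str) -> bool:
    """Sigma plain string matching: whole-value, case-insensitive."""
    return value is not None and value.lower() == pattern.lower()


def _contains(value: Optional[str], pattern: str) -> bool:
    """Sigma |contains modifier: substring, case-insensitive."""
    return value is not None and pattern.lower() in value.lower()


def rule_as_written(event: Dict[str, str]) -> bool:
    """The page's selection: two OR-ed exact matches (TargetObject or NewName)."""
    return _eq(event.get("TargetObject"), APPCERT_KEY) or _eq(event.get("NewName"), APPCERT_KEY)


def rule_with_contains(event: Dict[str, str]) -> bool:
    """Broadened variant (our assumption, not the published rule): |contains on the
    key path so value-set events under the key also match."""
    needle = r"\Control\Session Manager\AppCertDlls"
    return _contains(event.get("TargetObject"), needle) or _contains(event.get("NewName"), needle)


def run(rule: Callable[[Dict[str, str]], bool], events: List[Dict[str, str]]) -> List[int]:
    """Return the indices of the events the given rule matches."""
    return [i for i, e in enumerate(events) if rule(e)]


if __name__ == "__main__":
    for name, rule in (("as written", rule_as_written), ("contains", rule_with_contains)):
        hits = run(rule, SAMPLE_EVENTS)
        print(f"{name:>10}: matched events {hits}")
        for i in hits:
            print(f"            {SAMPLE_EVENTS[i]['EventID']} {SAMPLE_EVENTS[i]['Image']}")
```

Running it shows the rule as written matching events 0 and 2 but not event 1, while the contains variant matches 0, 1 and 2 and still ignores the unrelated PagingFiles write. Whether to broaden the rule is a tuning decision: the exact match is quieter and still catches the common case, since the key is absent by default and must be created, but it will miss an attacker adding a second DLL to a key that already exists.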
