New DLL Added to AppCertDlls Registry Key
Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
Sigma rule (View on GitHub)
1title: New DLL Added to AppCertDlls Registry Key
2id: 6aa1d992-5925-4e9f-a49b-845e51d1de01
3status: test
4description: |
5 Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation
6 by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
7references:
8 - http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
9 - https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html
10author: Ilyas Ochkov, oscd.community
11date: 2019-10-25
12modified: 2021-11-27
13tags:
14 - attack.persistence
15 - attack.t1546.009
16logsource:
17 category: registry_event
18 product: windows
19detection:
20 selection:
21 # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
22 - TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
23 # key rename
24 - NewName: 'HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls'
25 condition: selection
26fields:
27 - EventID
28 - Image
29 - TargetObject
30 - NewName
31falsepositives:
32 - Unknown
33level: medium
References
Related rules
- Session Manager Autorun Keys Modification
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain
- A Security-Enabled Global Group Was Deleted