New DLL Added to AppInit_DLLs Registry Key
DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll.
Sigma rule

```yaml
title: New DLL Added to AppInit_DLLs Registry Key
id: 4f84b697-c9ed-4420-8ab5-e09af5b2345d
status: test
description: DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll
references:
    - https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html
author: Ilyas Ochkov, oscd.community, Tim Shelton
date: 2019-10-25
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.010
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        - TargetObject|endswith:
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
            - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
        # Key Rename
        - NewName|endswith:
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
            - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
    filter:
        Details: '(Empty)'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
```
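The rule's `selection and not filter` logic applied to constructed Sysmon registry events (value set, value cleared, rename, and a neighbouring value), as an added example that is not part of the rule or the Sigma project; the DLL path and the `Staging` value name are hypothetical.

```python
# Added example (not the rule's own code): evaluate the rule's
# `selection and not filter` logic over constructed Sysmon registry events.

# Suffixes copied from the rule's TargetObject|endswith / NewName|endswith lists.
APPINIT_SUFFIXES = (
    r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls",
    r"\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls",
)


def _endswith_ci(value, suffixes):
    """Sigma string modifiers match case-insensitively; mimic that here."""
    v = (value or "").lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches_rule(event):
    """event: dict with Sysmon-style fields TargetObject, Details, NewName."""
    # selection: the written value, or the rename target, is AppInit_Dlls
    selection = (_endswith_ci(event.get("TargetObject"), APPINIT_SUFFIXES)
                 or _endswith_ci(event.get("NewName"), APPINIT_SUFFIXES))
    # filter: Sysmon logs Details '(Empty)' when the value is cleared
    filtered = event.get("Details") == "(Empty)"
    return selection and not filtered


WIN = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
WOW = r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows"

# Constructed sample events (hypothetical DLL path, not a real indicator).
SAMPLE_EVENTS = [
    # Event ID 13, value set to a DLL path -> alert
    {"TargetObject": WIN + r"\AppInit_Dlls", "Details": r"C:\Users\Public\example.dll"},
    # Event ID 13, value cleared -> suppressed by the '(Empty)' filter
    {"TargetObject": WOW + r"\AppInit_Dlls", "Details": "(Empty)"},
    # Event ID 14, value renamed into AppInit_Dlls -> caught via NewName
    {"TargetObject": WIN + r"\Staging", "NewName": WIN + r"\AppInit_Dlls"},
    # Event ID 13, neighbouring value LoadAppInit_DLLs -> no alert (suffix differs)
    {"TargetObject": WIN + r"\LoadAppInit_DLLs", "Details": "DWORD (0x00000001)"},
]


def flagged(events=SAMPLE_EVENTS):
    """Return the indexes of events the rule would flag."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    print(flagged())  # [0, 2]
```

Note that a cleared value (`(Empty)`) is deliberately not flagged, so a defender who wants to see the DLL being removed again would need a second rule without the filter.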