New DLL Added to AppInit_DLLs Registry Key
DLLs listed in the AppInit_DLLs value of the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll.
Sigma rule

```yaml
title: New DLL Added to AppInit_DLLs Registry Key
id: 4f84b697-c9ed-4420-8ab5-e09af5b2345d
status: test
description: DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll
references:
    - https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html
author: Ilyas Ochkov, oscd.community, Tim Shelton
date: 2019-10-25
modified: 2022-12-25
tags:
    - attack.persistence
    - attack.t1546.010
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        - TargetObject|endswith:
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
            - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
        # Key Rename
        - NewName|endswith:
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
            - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
    filter:
        Details: '(Empty)'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
```
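As an added example (not from the SigmaHQ page or the rule itself), the rule's selection and filter logic written out in Python and run over constructed Sysmon-style registry events; `KEY`, `KEY32`, the DLL paths and the event dicts are all made up for illustration.

```python
# Added example, not part of the SigmaHQ rule: the rule's selection/filter
# logic in plain Python, run over constructed Sysmon-style registry events.
APPINIT_SUFFIXES = (
    r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls",
    r"\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls",
)

def _endswith_ci(value, suffixes):
    """Sigma string matching is case-insensitive; mirror that for |endswith."""
    if value is None:
        return False
    return any(value.lower().endswith(s.lower()) for s in suffixes)

def matches_appinit_rule(event):
    """True when the event would fire the rule.

    selection: TargetObject, or NewName for a key rename, ends with one of the
               AppInit_Dlls paths (64-bit and Wow6432Node views).
    filter:    Details == '(Empty)' is excluded; clearing the value adds no DLL.
    """
    selection = (_endswith_ci(event.get("TargetObject"), APPINIT_SUFFIXES)
                 or _endswith_ci(event.get("NewName"), APPINIT_SUFFIXES))
    return selection and event.get("Details") != "(Empty)"

# Constructed sample events (field names follow Sysmon registry telemetry).
KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
KEY32 = r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows"
SAMPLE_EVENTS = [
    # 0: DLL path written to the 64-bit value -> alert
    {"TargetObject": KEY + r"\AppInit_Dlls", "Details": r"C:\ProgramData\x\hook.dll"},
    # 1: same write seen through the 32-bit (Wow6432Node) view -> alert
    {"TargetObject": KEY32 + r"\AppInit_Dlls", "Details": r"C:\ProgramData\x\h32.dll"},
    # 2: value cleared -> matched by the filter, no alert
    {"TargetObject": KEY + r"\AppInit_Dlls", "Details": "(Empty)"},
    # 3: key rename whose new name ends in AppInit_Dlls -> alert via NewName
    {"TargetObject": KEY + r"\AppInit_Dlls_old", "NewName": KEY + r"\AppInit_Dlls"},
    # 4: LoadAppInit_DLLs is a different value; the leading '\' in the
    #    suffix keeps it from matching -> no alert
    {"TargetObject": KEY + r"\LoadAppInit_DLLs", "Details": "DWORD (0x00000001)"},
]

def alerts(events=SAMPLE_EVENTS):
    """Return indices of the events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches_appinit_rule(e)]
```

Running `alerts()` over the constructed events returns `[0, 1, 3]`: the two value writes and the rename fire, while the cleared value and the neighbouring LoadAppInit_DLLs value do not.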
Related rules
- AppInit DLL Installation
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain
- A Security-Enabled Global Group Was Deleted