New DLL Added to AppInit_DLLs Registry Key

DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll. Writing a new DLL path into this value is therefore a persistence technique (ATT&CK T1546.010), and this rule fires on registry events that set or rename that value.

Sigma rule

title: New DLL Added to AppInit_DLLs Registry Key
id: 4f84b697-c9ed-4420-8ab5-e09af5b2345d
status: test
description: DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll
references:
    - https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html
author: Ilyas Ochkov, oscd.community, Tim Shelton
date: 2019/10/25
modified: 2022/12/25
tags:
    - attack.persistence
    - attack.t1546.010
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        - TargetObject|endswith:
              - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
              - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
        # Key Rename
        - NewName|endswith:
              - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
              - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
    filter:
        Details: '(Empty)'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
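To show exactly which registry events the rule above matches, here is an added Python example (not part of the Sigma project or this rule's source) that re-implements the rule's selection, filter and condition and runs them over a handful of constructed registry events shaped like Sysmon Event ID 13 (value set) and Event ID 14 (key/value rename) records. The event dictionaries, the DLL paths in them and the field names are assumptions made for the example; Sigma string modifiers such as `endswith` compare case-insensitively by default, which the code reproduces so that `AppInit_DLLs` as written by Windows still matches the rule's `AppInit_Dlls` spelling.

```python
"""Evaluate the 'New DLL Added to AppInit_DLLs Registry Key' logic over
registry events.  Example code written for this page; it is not the rule's
own implementation in any SIEM backend.
"""

# Suffixes copied from the rule's TargetObject|endswith / NewName|endswith lists.
APPINIT_SUFFIXES = (
    r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls",
    r"\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls",
)


def _endswith_any(value, suffixes):
    """Sigma 'endswith' semantics: case-insensitive suffix match, False if absent."""
    if value is None:
        return False
    lowered = value.lower()
    return any(lowered.endswith(s.lower()) for s in suffixes)


def matches_appinit_rule(event: dict) -> bool:
    """Return True when the event satisfies 'selection and not filter'."""
    # selection: either list item matches (items in a list are OR-ed in Sigma)
    selection = _endswith_any(event.get("TargetObject"), APPINIT_SUFFIXES) or _endswith_any(
        event.get("NewName"), APPINIT_SUFFIXES
    )
    # filter: Sysmon reports a cleared REG_SZ value as '(Empty)'; the rule
    # ignores those so that removing the persistence entry does not alert.
    filter_hit = event.get("Details") == "(Empty)"
    return selection and not filter_hit


def alerting_events(events):
    """Return the subset of events the rule would raise."""
    return [e for e in events if matches_appinit_rule(e)]


# Constructed sample events (field names follow Sysmon registry events).
SAMPLE_EVENTS = [
    {   # 1. DLL path written into the 64-bit AppInit_DLLs value -> alert
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Windows\regedit.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
        "Details": r"C:\Temp\sample_hook.dll",        # constructed path
    },
    {   # 2. Same value cleared again -> suppressed by the '(Empty)' filter
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Windows\regedit.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
        "Details": "(Empty)",
    },
    {   # 3. LoadAppInit_DLLs toggled; a different value name, so no match
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Windows\regedit.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs",
        "Details": "DWORD (0x00000001)",
    },
    {   # 4. Rename of a staged value into the Wow6432Node AppInit_DLLs name -> alert via NewName
        "EventID": 14, "EventType": "RenameKey",
        "Image": r"C:\Windows\regedit.exe",
        "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs_staged",
        "NewName": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
    },
    {   # 5. Unrelated autorun value -> no match
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
        "Details": r"C:\Program Files\Example\updater.exe",
    },
]


if __name__ == "__main__":
    for hit in alerting_events(SAMPLE_EVENTS):
        print(f"ALERT EventID={hit['EventID']} Image={hit['Image']} "
              f"Target={hit.get('NewName') or hit['TargetObject']}")
```

Event 3 is worth noting: the rule looks only at the AppInit_DLLs value itself, so a change to the neighbouring LoadAppInit_DLLs switch (which controls whether the list is honoured at all) is not covered by this rule and would need a separate detection if you care about it.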
