DET0362 Detection Strategy for AppCert DLLs Persistence via Registry Injection

Item	Value
ID	DET0362
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1546.009 (AppCert DLLs)

Analytics

Windows

AN1029

Detection of AppCert DLL abuse involves correlating registry modifications to the AppCertDLLs key with subsequent unexpected DLL load behavior during process creation events. Specifically, defenders can observe abnormal DLLs being loaded into standard Windows processes after changes to the ‘AppCertDLLs’ registry value. Monitoring CreateProcess-family API executions with injected DLLs and linking those DLLs back to recent registry edits is key to identifying misuse. This is often accompanied by elevated privileges and potential lateral movement or discovery behavior.

Log Sources

Data Component	Name	Channel
Windows Registry Key Modification (DC0063)	WinEventLog:Security	EventCode=4657
Process Creation (DC0032)	WinEventLog:Sysmon	EventCode=1
Module Load (DC0016)	WinEventLog:Sysmon	EventCode=7

Mutable Elements

Field	Description
TargetObject	Registry path for AppCertDLLs may vary by control set or group policy context
ImageLoaded	Loaded DLLs may differ by malware family or environment
ParentImage	Parent processes to monitor for DLL injection can be tuned to exclude known-good cases
TimeWindow	Time correlation between registry modification and DLL load events may vary