DET0557 Detection Strategy for Event Triggered Execution: AppInit DLLs (Windows)

| Item          | Value           |
|---------------|-----------------|
| ID            | DET0557         |
| Version       | 1.0             |
| Created       | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1546.010 (AppInit DLLs)

Analytics

Windows

AN1536

Registry key modification to AppInit_DLLs value followed by anomalous DLL loading by processes importing user32.dll, especially unsigned or uncommon DLLs, suggesting unauthorized AppInit persistence or privilege escalation.

Log Sources

| Data Component                              | Name               | Channel          |
|---------------------------------------------|--------------------|------------------|
| Process Creation (DC0032)                   | WinEventLog:Sysmon | EventCode=1      |
| Module Load (DC0016)                        | WinEventLog:Sysmon | EventCode=7      |
| Windows Registry Key Modification (DC0063)  | WinEventLog:Sysmon | EventCode=13, 14 |

Mutable Elements

| Field              | Description                                                                  |
|--------------------|------------------------------------------------------------------------------|
| ImagePathWhitelist | Paths or filenames of known-good DLLs to exclude from alerting               |
| UserContext        | Context of the user modifying the registry key (e.g., admin vs standard user) |
| TimeWindow         | Temporal threshold for correlating registry modification and DLL load        |
| DLLSignatureStatus | Filter or flag unsigned or suspiciously signed DLLs                          |
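The correlation described by AN1536, as an added example that is not part of the ATT&CK page: a Sysmon EventCode 13 SetValue on an AppInit_DLLs value is held for TimeWindow seconds, and any later EventCode 7 load of a DLL named in that value is raised as an alert, with severity driven by DLLSignatureStatus and suppression driven by ImagePathWhitelist. The Sysmon field names (UtcTime, TargetObject, Details, ImageLoaded, Signed, SignatureStatus, Image, User) are real; the sample events, the whitelist entry and the window length are constructed for illustration. Sysmon does not record whether the loading process imports user32.dll, so the example treats any process that loads a freshly registered DLL as a hit.

```python
"""Correlate Sysmon AppInit_DLLs registry writes (EventCode 13) with later
DLL loads (EventCode 7) of the DLLs that were registered.

Added example; sample events and mutable-element values are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set

# Both the native and the Wow6432Node AppInit_DLLs values end with this path.
APPINIT_SUFFIX = r"\microsoft\windows nt\currentversion\windows\appinit_dlls"

# Mutable elements from the detection strategy (constructed placeholder values).
IMAGE_PATH_WHITELIST: Set[str] = {r"c:\windows\system32\knowngood.dll"}
TIME_WINDOW_SECONDS = 1800  # registry write -> DLL load must fall inside this window


@dataclass
class AppInitWrite:
    time: datetime
    user: str         # UserContext: account that changed the value
    writer: str       # process that performed the SetValue
    dlls: List[str]   # lowercase entries parsed from the new value data


@dataclass
class Alert:
    severity: str     # "high" when the DLL is unsigned or not validly signed, else "medium"
    dll: str
    loader: str       # process that loaded the DLL
    registry_user: str
    seconds_after_write: float


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def split_appinit_value(details: str) -> List[str]:
    """AppInit_DLLs holds a space-, comma- or semicolon-separated list of DLL paths or names."""
    return [d.strip().lower() for d in re.split(r"[ ,;]+", details) if d.strip()]


def matches_entry(image_loaded: str, entries: List[str]) -> bool:
    """Match by full path, or by file name because AppInit entries may be bare names."""
    loaded = image_loaded.lower()
    name = loaded.rsplit("\\", 1)[-1]
    return any(e == loaded or e.rsplit("\\", 1)[-1] == name for e in entries)


def is_unsigned(ev: Dict[str, str]) -> bool:
    """DLLSignatureStatus: anything other than a validly signed image is flagged."""
    return str(ev.get("Signed", "false")).lower() != "true" or ev.get("SignatureStatus") != "Valid"


def correlate(events, whitelist=IMAGE_PATH_WHITELIST,
              window_seconds=TIME_WINDOW_SECONDS) -> List[Alert]:
    """Return one Alert per DLL load that follows an AppInit_DLLs write naming that DLL."""
    writes: List[AppInitWrite] = []
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: parse_time(e["UtcTime"])):
        t = parse_time(ev["UtcTime"])
        if (ev["EventCode"] == 13 and ev.get("EventType") == "SetValue"
                and ev["TargetObject"].lower().endswith(APPINIT_SUFFIX)):
            writes.append(AppInitWrite(t, ev.get("User", "unknown"), ev["Image"],
                                       split_appinit_value(ev["Details"])))
        elif ev["EventCode"] == 7:
            loaded = ev["ImageLoaded"].lower()
            if loaded in whitelist:          # ImagePathWhitelist suppression
                continue
            for w in writes:
                delta = (t - w.time).total_seconds()
                if delta < 0 or delta > window_seconds or not matches_entry(loaded, w.dlls):
                    continue
                alerts.append(Alert("high" if is_unsigned(ev) else "medium",
                                    loaded, ev["Image"], w.user, delta))
                break
    return alerts


# Constructed sample telemetry: one AppInit_DLLs write, then several module loads.
SAMPLE_EVENTS = [
    {"EventCode": 13, "UtcTime": "2025-10-21 10:00:00.000", "EventType": "SetValue",
     "Image": r"C:\Windows\regedit.exe", "User": r"CORP\admin",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "Details": r"C:\ProgramData\upd\helper.dll C:\Windows\System32\knowngood.dll"},
    {"EventCode": 7, "UtcTime": "2025-10-21 10:00:44.900", "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\user32.dll", "Signed": "true", "SignatureStatus": "Valid"},
    {"EventCode": 7, "UtcTime": "2025-10-21 10:00:45.120", "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\ProgramData\upd\helper.dll", "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventCode": 7, "UtcTime": "2025-10-21 10:00:45.130", "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\knowngood.dll", "Signed": "true", "SignatureStatus": "Valid"},
    # Same DLL loaded hours later: outside TimeWindow, so not tied to the write.
    {"EventCode": 7, "UtcTime": "2025-10-21 13:30:00.000", "Image": r"C:\Windows\notepad.exe",
     "ImageLoaded": r"C:\ProgramData\upd\helper.dll", "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

Run as written, the only alert is the unsigned helper.dll loaded by explorer.exe 45 seconds after the registry write by CORP\admin; knowngood.dll is suppressed by the whitelist and the later notepad.exe load falls outside the window. Shrinking the window or emptying the whitelist changes the result accordingly, which is how the mutable elements are meant to be tuned.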