T1546.009 AppCert DLLs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified as values of the AppCertDlls Registry key under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLogonW, CreateProcessWithTokenW, or WinExec. [1]
Similar to Process Injection, this key can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. Malicious AppCert DLLs may also provide persistence, since they are re-triggered every time one of these API functions is called.
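The following audit script is an added example, not code from the ATT&CK page or from any of the cited reports. It enumerates the AppCertDlls key described above on the local host, checks each registered DLL for existence, location and Authenticode signature, and then lists which running processes currently have those DLLs mapped. It assumes an elevated Windows PowerShell 5.1 (or newer) session; the "signed binary under System32" heuristic is the author's own and is not part of the technique description.

```powershell
# Added example: audit the AppCertDlls key that T1546.009 abuses (not ATT&CK's code).
# Assumes an elevated PowerShell session on the host being inspected.
$AppCertKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'

function Get-AppCertDllEntry {
    param([string]$Path = $AppCertKey)

    # The key is absent on a clean Windows install, so its mere presence is a signal.
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Verbose "No AppCertDlls key at $Path"
        return
    }

    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        # Value names are arbitrary; the data is the path of the DLL to load.
        $raw        = [string]$key.GetValue($name)
        $dll        = [Environment]::ExpandEnvironmentVariables($raw)
        $exists     = Test-Path -LiteralPath $dll -PathType Leaf
        $sig        = if ($exists) { Get-AuthenticodeSignature -FilePath $dll } else { $null }
        $inSystem32 = $dll -like (Join-Path $env:SystemRoot 'System32\*')

        [pscustomobject]@{
            ValueName  = if ($name) { $name } else { '(Default)' }
            DllPath    = $dll
            Exists     = $exists
            Signature  = if ($sig) { $sig.Status.ToString() } else { 'FileMissing' }
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # Heuristic (assumption, not from the page): expect a validly signed DLL in System32.
            Suspicious = (-not $exists) -or (-not $inSystem32) -or ($sig.Status -ne 'Valid')
        }
    }
}

# Module Load view: which running processes have each registered DLL mapped right now.
function Get-AppCertDllLoad {
    param([Parameter(Mandatory)][string[]]$DllPath)
    foreach ($proc in Get-Process) {
        # Protected processes and some cross-bitness cases throw on .Modules; skip them.
        try { $modules = $proc.Modules } catch { continue }
        foreach ($m in $modules) {
            if ($DllPath -contains $m.FileName) {
                [pscustomobject]@{ ProcessName = $proc.ProcessName; PID = $proc.Id; Dll = $m.FileName }
            }
        }
    }
}

$entries = @(Get-AppCertDllEntry)
if ($entries.Count -eq 0) {
    'No AppCertDlls key present (expected on a clean host).'
} else {
    $entries | Format-Table -AutoSize
    Get-AppCertDllLoad -DllPath $entries.DllPath | Format-Table -AutoSize
}
```

Any entry at all deserves a look, because Windows does not ship with this key populated; an unsigned DLL, a DLL outside System32, or a path that no longer exists is the kind of finding that should be escalated rather than explained away.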
| Item | Value |
|---|---|
| ID | T1546.009 |
| Sub-technique of | T1546 (Event Triggered Execution); sibling sub-techniques: T1546.001, T1546.002, T1546.003, T1546.004, T1546.005, T1546.006, T1546.007, T1546.008, T1546.010, T1546.011, T1546.012, T1546.013, T1546.014, T1546.015, T1546.016 |
| Tactics | TA0004, TA0003 |
| Platforms | Windows |
| Permissions required | Administrator, SYSTEM |
| Version | 1.0 |
| Created | 24 January 2020 |
| Last Modified | 10 November 2020 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0196 | PUNCHBUGGY | PUNCHBUGGY can establish persistence using an AppCertDlls Registry key. [10] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1038 | Execution Prevention | Adversaries must install a new AppCert DLL binary to execute this technique. Identify and block potentially malicious software executed through AppCertDlls functionality by using application control [4] tools, such as Windows Defender Application Control [5], AppLocker [6][7], or Software Restriction Policies [8], where appropriate. [9] Note that AppLocker only governs DLLs when its DLL rule collection is enabled. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0011 | Module | Module Load |
| DS0009 | Process | OS API Execution |
| DS0024 | Windows Registry | Windows Registry Key Modification |
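The hunting query below is an added example (not part of the ATT&CK page) that covers three of the data components in the table from the Sysmon operational log: Windows Registry Key Modification (Sysmon event IDs 12 and 13 under the AppCertDlls key), Command Execution (process-creation events whose command line names the key, e.g. a reg.exe invocation), and Module Load (image-load events for the DLL paths those registry writes pointed at). It assumes Sysmon is installed with a configuration that records RegistryEvent, ProcessCreate and ImageLoad, and that the last seven days of log are available; the log name, event IDs and field names are Sysmon's, while the seven-day window is an arbitrary choice.

```powershell
# Added example: hunt Sysmon for the T1546.009 data components (not ATT&CK's code).
# Assumes Sysmon is logging RegistryEvent (12/13), ProcessCreate (1) and ImageLoad (7).
$Log        = 'Microsoft-Windows-Sysmon/Operational'
$KeyPattern = '*\Control\Session Manager\AppCertDlls*'   # key named in the technique
$Since      = (Get-Date).AddDays(-7)                      # arbitrary hunting window

function Get-SysmonField {
    param($Event, [string]$Name)
    # Sysmon stores its fields as EventData/Data elements keyed by the Name attribute.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

# Windows Registry Key Modification: key created/deleted (12) or value set (13) under AppCertDlls.
$regEvents = Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = 12, 13; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-SysmonField $_ 'TargetObject') -like $KeyPattern } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Kind    = if ($_.Id -eq 12) { 'KeyCreateDelete' } else { 'ValueSet' }
            Image   = Get-SysmonField $_ 'Image'           # process that wrote the key
            Target  = Get-SysmonField $_ 'TargetObject'
            Details = Get-SysmonField $_ 'Details'         # for Id 13: the DLL path written
        }
    }

# Command Execution: any process whose command line names the key (typically reg.exe).
$cmdEvents = Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = 1; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-SysmonField $_ 'CommandLine') -like $KeyPattern } |
    Select-Object TimeCreated, @{ n = 'CommandLine'; e = { Get-SysmonField $_ 'CommandLine' } }

# Module Load: processes that subsequently loaded the DLLs the registry writes pointed at.
$dlls = $regEvents | Where-Object Kind -eq 'ValueSet' | ForEach-Object Details | Sort-Object -Unique
$loadEvents = if ($dlls) {
    Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = 7; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $dlls -contains (Get-SysmonField $_ 'ImageLoaded') } |
        Select-Object TimeCreated,
                      @{ n = 'Process'; e = { Get-SysmonField $_ 'Image' } },
                      @{ n = 'Dll';     e = { Get-SysmonField $_ 'ImageLoaded' } }
}

$regEvents  | Format-Table -AutoSize
$cmdEvents  | Format-Table -AutoSize
$loadEvents | Format-Table -AutoSize
```

Parsing every event's XML is slow on a busy host; in a production rule the TargetObject and CommandLine filters would go into the Sysmon configuration or a SIEM query, and the image-load correlation would be driven by the DLL paths recovered from the event 13 Details field as shown here.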
References
1. Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.
2. Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.
3. Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls. Retrieved December 18, 2017.
4. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
5. Gorzelany, A., Hall, J., Poggemeyer, L. (2019, January 7). Windows Defender Application Control. Retrieved July 16, 2019.
6. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
7. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
8. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
9. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.
10. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.