T1546.010 AppInit DLLs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs
value in the Registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
or HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. 1
Similar to Process Injection, these values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. 2 Malicious AppInit DLLs may also provide persistence by continuously being triggered by API activity.
The AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled. 3
Item | Value |
---|---|
ID | T1546.010 |
Sub-techniques | T1546.001, T1546.002, T1546.003, T1546.004, T1546.005, T1546.006, T1546.007, T1546.008, T1546.009, T1546.010, T1546.011, T1546.012, T1546.013, T1546.014, T1546.015, T1546.016 |
Tactics | TA0004, TA0003 |
Platforms | Windows |
Permissions required | Administrator |
Version | 1.1 |
Created | 24 January 2020 |
Last Modified | 21 April 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
G0087 | APT39 | APT39 has used malware to set LoadAppInit_DLLs in the Registry key SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows in order to establish persistence.14 |
S0107 | Cherry Picker | Some variants of Cherry Picker use AppInit_DLLs to achieve persistence by creating the following Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows “AppInit_DLLs”=”pserver32.dll” 13 |
S0458 | Ramsay | Ramsay can insert itself into the address space of other applications using the AppInit DLL Registry key.11 |
S0098 | T9000 | If a victim meets certain criteria, T9000 uses the AppInit_DLL functionality to achieve persistence by ensuring that every user mode process that is spawned will load its malicious DLL, ResN32.dll. It does this by creating the following Registry keys: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs – %APPDATA%\Intel\ResN32.dll and HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs – 0x1 .12 |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1038 | Execution Prevention | Adversaries can install new AppInit DLLs binaries to execute this technique. Identify and block potentially malicious software executed through AppInit DLLs functionality by using application control 5 tools, like Windows Defender Application Control6, AppLocker, 7 8 or Software Restriction Policies 9 where appropriate. 10 |
M1051 | Update Software | Upgrade to Windows 8 or later and enable secure boot. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0011 | Module | Module Load |
DS0009 | Process | OS API Execution |
DS0024 | Windows Registry | Windows Registry Key Modification |
References
-
Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017. ↩
-
Microsoft. (2006, October). Working with the AppInit_DLLs registry value. Retrieved July 15, 2015. ↩
-
Microsoft. (n.d.). AppInit DLLs and Secure Boot. Retrieved July 15, 2015. ↩
-
Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. ↩
-
Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014. ↩
-
Gorzelany, A., Hall, J., Poggemeyer, L.. (2019, January 7). Windows Defender Application Control. Retrieved July 16, 2019. ↩
-
Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016. ↩
-
NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016. ↩
-
Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014. ↩
-
Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016. ↩
-
Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020. ↩
-
Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016. ↩
-
Merritt, E.. (2015, November 16). Shining the Spotlight on Cherry Picker PoS Malware. Retrieved April 20, 2016. ↩
-
FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. ↩