Description
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. (Citation: Elastic Process Injection July 2017)
Similar to Process Injection, this value can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. Malicious AppCert DLLs may also provide persistence by continuously being triggered by API activity.
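As an added example (not part of the ATT&CK entry), the following detector flags registry writes that set a value under the AppCertDLLs key named above, run over constructed Sysmon-style value-set events; the pipe-separated field format and the ControlSet00N spelling of the path are assumptions.

```python
"""Flag registry writes that set a value under the AppCertDLLs key.

Input: Sysmon-style Event ID 13 (RegistryEvent, value set) records written
as 'Field: value|Field: value' strings. The records below are constructed
sample data; the field names mirror Sysmon's, the layout is assumed.
"""
import re
from typing import Iterable

# Key path from the technique description. The ControlSet\d{3} alternative is
# an assumption: CurrentControlSet is a link to one of those, and logging
# tools may record either form.
APPCERT_KEY = re.compile(
    r"\\System\\(CurrentControlSet|ControlSet\d{3})\\Control\\Session Manager"
    r"\\AppCertDlls\\",
    re.IGNORECASE,
)


def parse_event(line: str) -> dict:
    """Split a pipe-separated record into a field dict (constructed format)."""
    fields = {}
    for part in line.split("|"):
        name, _, value = part.partition(":")  # first ':' only; paths keep 'C:'
        fields[name.strip()] = value.strip()
    return fields


def find_appcert_writes(lines: Iterable[str]) -> list[dict]:
    """Return SetValue events whose target sits under AppCertDlls."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventType") != "SetValue":
            continue
        target = ev.get("TargetObject", "")
        if not APPCERT_KEY.search(target):
            continue
        hits.append({
            "image": ev.get("Image"),                 # process doing the write
            "value_name": target.rsplit("\\", 1)[-1],  # value under the key
            "dll": ev.get("Details"),                 # DLL path that was set
        })
    return hits


SAMPLE_EVENTS = [  # constructed
    "EventType: SetValue|Image: C:\\Users\\bob\\tmp\\setup.exe|TargetObject: HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls\\helper|Details: C:\\Users\\bob\\tmp\\helper.dll",
    "EventType: SetValue|Image: C:\\Windows\\regedit.exe|TargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater|Details: C:\\tools\\upd.exe",
    "EventType: DeleteValue|Image: C:\\Windows\\regedit.exe|TargetObject: HKLM\\System\\ControlSet001\\Control\\Session Manager\\AppCertDlls\\old|Details: ",
]

if __name__ == "__main__":
    for hit in find_appcert_writes(SAMPLE_EVENTS):
        print(hit)
```

Only the first record is reported: the second touches a different key and the third is a deletion, not a value being set.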
Platforms
Mitigations (1)
Execution PreventionM1038
Adversaries install new AppCertDLL binaries to execute this technique. Identify and block potentially malicious software executed through AppCertDLLs functionality by using application control (Citation: Beechey 2010) tools, like Windows Defender Application Control (Citation: Microsoft Windows Defender Application Control), AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S0196 | PUNCHBUGGY | Malware | [PUNCHBUGGY](https://attack.mitre.org/software/S0196) can establish persistence using an AppCertDLLs Registry key.(Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
References
- Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.
- Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls. Retrieved November 17, 2024.
- Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.
Frequently Asked Questions
What is T1546.009 (AppCert DLLs)?
T1546.009 is a MITRE ATT&CK technique named 'AppCert DLLs'. It belongs to the Privilege Escalation, Persistence tactic(s). Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the...
How can T1546.009 be detected?
Detection of T1546.009 (AppCert DLLs) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1546.009?
There is 1 documented mitigation for T1546.009: Execution Prevention.
Which threat groups use T1546.009?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.