T1546.009 AppCert DLLs Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let AppCertReg = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has "System\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls"
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| extend DllPath = RegistryValueData
| extend IsSystemDll = RegistryValueData has_any (
    "C:\\Windows\\system32\\",
    "C:\\Windows\\SysWOW64\\"
  )
| project RegTime=Timestamp, DeviceName, AccountName, RegistryKey,
         RegistryValueName, DllPath, IsSystemDll,
         InitiatingProcessFileName, InitiatingProcessCommandLine;
let AppCertDllLoad = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where FolderPath !has_any ("system32", "SysWOW64", "Program Files", "Program Files (x86)")
| join kind=inner (
    DeviceRegistryEvents
    | where RegistryKey has "AppCertDlls"
    | distinct RegistryValueData
  ) on $left.FileName == $right.RegistryValueData
| project LoadTime=Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName;
union (AppCertReg | extend EventType="REGISTRATION"),
      (AppCertDllLoad | extend EventType="DLL_LOADED", RegistryKey="", RegistryValueName="")
| sort by RegTime desc, LoadTime desc

high severity high confidence

Data Sources

Windows Registry: Registry Key Modification Module: Module Load Microsoft Defender for Endpoint

Required Tables

DeviceRegistryEvents DeviceImageLoadEvents

False Positives

Digital rights management (DRM) or software licensing tools that use AppCertDLLs to inject into processes for license validation
Enterprise endpoint management agents that use AppCertDLLs for process monitoring across all applications
Anticheat software for games that injects monitoring DLLs via AppCertDLLs mechanism
Legacy application compatibility shims that use AppCertDLLs to apply compatibility fixes to processes

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
| eval IsAppCertReg=if(
    (EventCode=12 OR EventCode=13)
    AND match(TargetObject, "Session Manager\\\\AppCertDlls"),
    1, 0
  )
| eval IsDllLoad=if(
    EventCode=7
    AND match(lower(ImageLoaded), "appcert")
    AND NOT match(ImageLoaded, "(?i)(system32|syswow64)"),
    1, 0
  )
| where IsAppCertReg=1 OR IsDllLoad=1
| eval DetectionType=case(
    IsAppCertReg=1 AND NOT match(Details, "(?i)(system32|syswow64)"), "APPCERT_SUSPICIOUS_DLL",
    IsAppCertReg=1, "APPCERT_DLL_REGISTERED",
    IsDllLoad=1, "APPCERT_DLL_LOADED",
    1=1, "UNKNOWN"
  )
| table _time, host, User, EventCode, DetectionType, TargetObject, Details, Image, ImageLoaded
| sort - _time

high severity high confidence

Data Sources

Windows Registry: Registry Key Modification Module: Module Load Sysmon Event IDs 7, 12, 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

DRM/licensing tools using AppCertDLLs for license validation
Enterprise endpoint management agents using process monitoring injection
Anticheat software injecting via AppCertDLLs
Legacy application compatibility shims

Elastic Security (EQL)

eql

any where
  (
    event.category == "registry" and
    registry.path : "*\\System\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls*" and
    event.type in ("creation", "change") and
    not registry.data.strings : ("?:\\Windows\\system32\\*", "?:\\Windows\\SysWOW64\\*")
  ) or
  (
    event.category == "library" and
    dll.name != null and
    not dll.path : (
      "?:\\Windows\\System32\\*",
      "?:\\Windows\\SysWOW64\\*",
      "?:\\Program Files\\*",
      "?:\\Program Files (x86)\\*",
      "?:\\Windows\\WinSxS\\*"
    ) and
    process.pid != null
  )

high severity high confidence

Data Sources

Elastic Endpoint Security (endpoint.events.registry, endpoint.events.library) Winlogbeat with Sysmon (winlogbeat-*)

Required Tables

logs-endpoint.events.registry-* logs-endpoint.events.library-* winlogbeat-*

False Positives

Legitimate endpoint security or EDR agents that self-register DLLs in AppCertDlls from vendor-specific install paths outside system32 for process telemetry collection
Application compatibility toolkit shims or Microsoft's ACT (Application Compatibility Toolkit) deploying shim DLLs in non-standard directories for legacy application support
Enterprise software management or DLP agents installed in custom directories that use AppCertDlls hooks to monitor process creation across all user sessions

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip AS source_ip,
  username,
  "EventID" AS event_id,
  CASE
    WHEN "EventID" IN ('12', '13', '14') THEN 'APPCERT_DLL_REGISTERED'
    WHEN "EventID" = '7' THEN 'APPCERT_DLL_LOADED'
    ELSE 'UNKNOWN'
  END AS detection_type,
  "TargetObject" AS registry_key,
  "Details" AS registry_value_data,
  "Image" AS writing_process,
  "ImageLoaded" AS loaded_dll_path
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
  AND (
    (
      "EventID" IN ('12', '13', '14')
      AND LOWER("TargetObject") LIKE '%session manager\\appcertdlls%'
    )
    OR (
      "EventID" = '7'
      AND LOWER("ImageLoaded") LIKE '%appcert%'
      AND LOWER("ImageLoaded") NOT LIKE '%\\system32\\%'
      AND LOWER("ImageLoaded") NOT LIKE '%\\syswow64\\%'
    )
  )
  AND starttime > DATEADD('day', -1, NOW())
ORDER BY starttime DESC
LIMIT 1000

high severity high confidence

Data Sources

Microsoft Windows Sysmon DSM for QRadar Microsoft Windows Security Event Log DSM

Required Tables

events (QRadar normalized event store)

False Positives

Security vendors or monitoring solutions that register process-inspection DLLs in AppCertDlls from non-default installation directories on managed endpoints
Application virtualization or containerization products (e.g., ThinApp, Cameyo) that inject compatibility DLLs via AppCert hooks from their own install paths
Development workstations where developers are testing AppCert-aware software and register test DLLs in non-standard locations during the development lifecycle

Sumo Logic CSE

sql

(_sourceCategory=*windows*sysmon* OR _sourceCategory=*wineventlog* OR _sourceCategory=*winlogbeat*)
| where EventCode in ("12", "13", "14", "7")
| where (
    (EventCode in ("12", "13", "14")
      and TargetObject matches "*Session Manager*AppCertDlls*")
    or
    (EventCode = "7"
      and toLowerCase(ImageLoaded) matches "*appcert*"
      and not (toLowerCase(ImageLoaded) matches "*\\system32\\*"
               or toLowerCase(ImageLoaded) matches "*\\syswow64\\*"))
  )
| eval DetectionType = if(EventCode in ("12", "13", "14"), "APPCERT_DLL_REGISTERED", "APPCERT_DLL_LOADED")
| eval IsSuspiciousPath = if(
    EventCode in ("12", "13", "14")
      and not (toLowerCase(Details) matches "*\\windows\\system32\\*"
               or toLowerCase(Details) matches "*\\windows\\syswow64\\*"),
    "true", "false"
  )
| fields _messageTime, Computer, User, EventCode, DetectionType, IsSuspiciousPath, TargetObject, Details, Image, ImageLoaded
| sort by _messageTime desc

high severity high confidence

Data Sources

Windows Sysmon logs via Sumo Logic Installed Collector Winlogbeat forwarding Sysmon events to Sumo Logic HTTP Source

Required Tables

Sumo Logic source categories containing Sysmon or Windows Event Log data

False Positives

Endpoint detection and response (EDR) agents that self-register non-system DLLs in AppCertDlls for behavioral monitoring of process creation chains
Legacy application compatibility wrappers or shim databases installed by enterprise IT in non-standard paths to support line-of-business applications on modern Windows
Privileged Access Management (PAM) or session recording software that hooks process creation via AppCertDlls from a vendor installation directory outside Program Files

Google Chronicle / SecOps

yaral

rule appcert_dll_persistence_t1546_009 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects AppCert DLL persistence and privilege escalation via registry modification of AppCertDlls key with non-system DLL paths, or suspicious DLL module loads from non-standard directories triggered by the AppCert mechanism"
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    mitre_attack_technique = "T1546.009"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1546/009/"

  events:
    (
      $e.metadata.event_type = "REGISTRY_MODIFICATION" and
      re.regex($e.target.registry.registry_key,
        `(?i)\\System\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls`) and
      not re.regex($e.target.registry.registry_value_data,
        `(?i)^C:\\Windows\\(system32|SysWOW64|WinSxS)\\`)
    ) or
    (
      $e.metadata.event_type = "PROCESS_MODULE_LOAD" and
      re.regex($e.target.file.full_path, `(?i)appcert`) and
      not re.regex($e.target.file.full_path,
        `(?i)C:\\Windows\\(system32|SysWOW64|WinSxS)\\`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Windows telemetry ingested into Chronicle UDM (Sysmon, Microsoft Defender for Endpoint, Crowdstrike Falcon) Chronicle SIEM with Windows endpoint data mapped to UDM

Required Tables

UDM events with event_type REGISTRY_MODIFICATION UDM events with event_type PROCESS_MODULE_LOAD

False Positives

Security monitoring solutions from vendors who register inspection DLLs outside system32 in AppCertDlls for kernel-level process monitoring capabilities
Microsoft Application Compatibility Toolkit (ACT) or third-party app-compat shim tooling that writes non-system DLL paths to AppCertDlls as part of shim database deployment
Enterprise DLP or insider-threat monitoring agents installed in custom directories that hook process creation via AppCertDlls to inspect all spawned processes

CrowdStrike LogScale (CQL)

cql

// Phase 1: Registry write to AppCertDlls (persistence establishment)
(#event_simpleName=RegOperationValue OR #event_simpleName=AsepValueUpdate)
| TargetObjectName = /(?i)\\System\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls/
| eval SuspiciousPath = if(
    RegStringValue != /(?i)(C:\\Windows\\(system32|SysWOW64|WinSxS)\\)/,
    "SUSPICIOUS_NON_SYSTEM_DLL",
    "SYSTEM_PATH_OK"
  )
| table([@timestamp, ComputerName, UserName, TargetObjectName, RegStringValue, SuspiciousPath, ProcessImageFileName, CommandLine])

// Phase 2: Suspicious DLL module load (runtime execution) — run as separate query
// Uncomment and run independently or union via Falcon Fusion
// #event_simpleName=ModuleLoadV3
// | FilePath = /(?i)appcert/
// | FilePath != /(?i)(\\Windows\\system32\\|\\Windows\\SysWOW64\\|\\Windows\\WinSxS\\|\\Program Files\\)/
// | groupBy([ComputerName, UserName, FilePath, FileName, ProcessImageFileName, TargetProcessId], function=count(as=LoadCount))
// | sort(LoadCount, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Activity Monitoring Falcon Platform: RegOperationValue, AsepValueUpdate, ModuleLoadV3 event streams

Required Tables

RegOperationValue AsepValueUpdate ModuleLoadV3

False Positives

CrowdStrike Falcon sensor itself or competing EDR products that register monitoring DLLs in AppCertDlls from their agent install directory rather than system32
Application compatibility or virtual desktop infrastructure (VDI) agents that use AppCertDlls to intercept CreateProcess calls for session management from custom install paths
Security assessment or red team tooling running in authorized penetration testing engagements where AppCert DLL persistence is being tested against production-equivalent environments

AppCert DLLs

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Privilege Escalation

Popular Detections