Detect AppCert DLLs in Elastic Security
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKLM\System\CurrentControlSet\Control\Session Manager are loaded into every process that calls the commonly used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. This provides adversaries a way to have code execute in the security context of every process on the system, including processes with high privilege levels.
MITRE ATT&CK
- Tactic
- Privilege Escalation Persistence
- Technique
- T1546 Event Triggered Execution
- Sub-technique
- T1546.009 AppCert DLLs
- Canonical reference
- https://attack.mitre.org/techniques/T1546/009/
Elastic Detection Query
any where
(
event.category == "registry" and
registry.path : "*\\System\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls*" and
event.type in ("creation", "change") and
not registry.data.strings : ("?:\\Windows\\system32\\*", "?:\\Windows\\SysWOW64\\*")
) or
(
event.category == "library" and
dll.name != null and
not dll.path : (
"?:\\Windows\\System32\\*",
"?:\\Windows\\SysWOW64\\*",
"?:\\Program Files\\*",
"?:\\Program Files (x86)\\*",
"?:\\Windows\\WinSxS\\*"
) and
process.pid != null
)Detects AppCert DLL persistence (T1546.009) by monitoring registry key modifications under HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls for non-system DLL paths (registry creation/change events), and suspicious DLL loads by any process from non-standard directories that may have been planted via the AppCert mechanism. Covers both the registration phase and the runtime load phase.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate endpoint security or EDR agents that self-register DLLs in AppCertDlls from vendor-specific install paths outside system32 for process telemetry collection
- Application compatibility toolkit shims or Microsoft's ACT (Application Compatibility Toolkit) deploying shim DLLs in non-standard directories for legacy application support
- Enterprise software management or DLP agents installed in custom directories that use AppCertDlls hooks to monitor process creation across all user sessions
Other platforms for T1546.009
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Register DLL in AppCertDlls Registry Key
Expected signal: Sysmon Event ID 13: TargetObject=HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls\ArgusTestDll, Details=C:\Users\Public\argus_appcert_test.dll. Security Event ID 4657 if registry auditing enabled.
- Test 2Query Existing AppCertDlls Registrations
Expected signal: Process creation for reg.exe with query arguments for the AppCertDlls key. Registry access events if object access auditing is enabled. The output reveals all currently registered DLLs.
- Test 3Create and Register AppCert DLL for Process Injection
Expected signal: File creation event for argus_appcert.dll in Public folder. Sysmon Event ID 13 for AppCertDlls registry key modification. Subsequently, Sysmon Event ID 7 records showing the DLL loaded by various processes that call CreateProcess (e.g., cmd.exe spawning children).
References (4)
- https://attack.mitre.org/techniques/T1546/009/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md
- https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-windows
- https://pentestlab.blog/2019/12/16/persistence-appcert-dlls/
Unlock Pro Content
Get the full detection package for T1546.009 including response playbook, investigation guide, and atomic red team tests.