Detect AppCert DLLs in Splunk
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKLM\System\CurrentControlSet\Control\Session Manager are loaded into every process that calls the commonly used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. This provides adversaries a way to have code execute in the security context of every process on the system, including processes with high privilege levels.
MITRE ATT&CK
- Tactic
- Privilege Escalation Persistence
- Technique
- T1546 Event Triggered Execution
- Sub-technique
- T1546.009 AppCert DLLs
- Canonical reference
- https://attack.mitre.org/techniques/T1546/009/
SPL Detection Query
index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
| eval IsAppCertReg=if(
(EventCode=12 OR EventCode=13)
AND match(TargetObject, "Session Manager\\\\AppCertDlls"),
1, 0
)
| eval IsDllLoad=if(
EventCode=7
AND match(lower(ImageLoaded), "appcert")
AND NOT match(ImageLoaded, "(?i)(system32|syswow64)"),
1, 0
)
| where IsAppCertReg=1 OR IsDllLoad=1
| eval DetectionType=case(
IsAppCertReg=1 AND NOT match(Details, "(?i)(system32|syswow64)"), "APPCERT_SUSPICIOUS_DLL",
IsAppCertReg=1, "APPCERT_DLL_REGISTERED",
IsDllLoad=1, "APPCERT_DLL_LOADED",
1=1, "UNKNOWN"
)
| table _time, host, User, EventCode, DetectionType, TargetObject, Details, Image, ImageLoaded
| sort - _timeDetects AppCert DLL registration and loading using Sysmon Registry events and DLL load events. Event ID 12/13 for AppCertDlls registry key modifications, and Event ID 7 for DLL load events involving AppCert-related files. Distinguishes between DLLs registered from system paths (lower risk) versus user-writable paths (high risk). The AppCertDlls key should almost never change in a healthy environment — any modification warrants investigation.
Data Sources
Required Sourcetypes
False Positives & Tuning
- DRM/licensing tools using AppCertDLLs for license validation
- Enterprise endpoint management agents using process monitoring injection
- Anticheat software injecting via AppCertDLLs
- Legacy application compatibility shims
Other platforms for T1546.009
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Register DLL in AppCertDlls Registry Key
Expected signal: Sysmon Event ID 13: TargetObject=HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls\ArgusTestDll, Details=C:\Users\Public\argus_appcert_test.dll. Security Event ID 4657 if registry auditing enabled.
- Test 2Query Existing AppCertDlls Registrations
Expected signal: Process creation for reg.exe with query arguments for the AppCertDlls key. Registry access events if object access auditing is enabled. The output reveals all currently registered DLLs.
- Test 3Create and Register AppCert DLL for Process Injection
Expected signal: File creation event for argus_appcert.dll in Public folder. Sysmon Event ID 13 for AppCertDlls registry key modification. Subsequently, Sysmon Event ID 7 records showing the DLL loaded by various processes that call CreateProcess (e.g., cmd.exe spawning children).
References (4)
- https://attack.mitre.org/techniques/T1546/009/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md
- https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-windows
- https://pentestlab.blog/2019/12/16/persistence-appcert-dlls/
Unlock Pro Content
Get the full detection package for T1546.009 including response playbook, investigation guide, and atomic red team tests.