T1546.010 AppInit DLLs Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let AppInitKeys = dynamic([
    "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows",
    "SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
  ]);
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any (AppInitKeys)
| where RegistryValueName in~ ("AppInit_DLLs", "LoadAppInit_DLLs", "RequireSignedAppInit_DLLs")
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| extend IsDllLoad = RegistryValueName =~ "LoadAppInit_DLLs"
| extend DllPath = RegistryValueData
| extend RequiresSigned = RegistryValueName =~ "RequireSignedAppInit_DLLs"
| extend SigningDisabled = RequiresSigned and RegistryValueData == "0"
| extend DllEnabled = IsDllLoad and RegistryValueData == "1"
| extend SuspiciousDllPath = RegistryValueName =~ "AppInit_DLLs"
    and RegistryValueData != ""
    and not(RegistryValueData has_any ("C:\\Windows\\system32\\", "C:\\Windows\\SysWOW64\\"))
| project Timestamp, DeviceName, AccountName, ActionType, RegistryKey,
         RegistryValueName, RegistryValueData, SuspiciousDllPath, DllEnabled, SigningDisabled,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| where SuspiciousDllPath or DllEnabled or SigningDisabled
| sort by Timestamp desc

high severity high confidence

Data Sources

Windows Registry: Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceRegistryEvents

False Positives

Legitimate security products (some older AV engines, DLP tools) that use AppInit_DLLs to inject monitoring code into all user processes
Application virtualization platforms that use AppInit_DLLs for application isolation and shim injection
Some older enterprise software that requires system-wide DLL injection for licensing or functionality
Research and debugging tools that explicitly document their use of AppInit_DLLs (rare in production environments)

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
| eval IsAppInitReg=if(
    (EventCode=12 OR EventCode=13)
    AND match(TargetObject, "Windows NT\\\\CurrentVersion\\\\Windows")
    AND match(TargetObject, "(AppInit_DLLs|LoadAppInit_DLLs|RequireSignedAppInit_DLLs)"),
    1, 0
  )
| eval IsEnabling=if(IsAppInitReg=1 AND match(TargetObject, "LoadAppInit") AND Details="1", 1, 0)
| eval IsUnsignedAllowed=if(IsAppInitReg=1 AND match(TargetObject, "RequireSigned") AND Details="0", 1, 0)
| eval IsSuspiciousDll=if(
    IsAppInitReg=1
    AND match(TargetObject, "AppInit_DLLs")
    AND NOT match(Details, "(?i)(system32|syswow64)")
    AND Details!="",
    1, 0
  )
| where IsAppInitReg=1
| eval DetectionType=case(
    IsSuspiciousDll=1, "APPINIT_SUSPICIOUS_DLL_PATH",
    IsEnabling=1, "APPINIT_LOADING_ENABLED",
    IsUnsignedAllowed=1, "APPINIT_SIGNATURE_DISABLED",
    IsAppInitReg=1, "APPINIT_KEY_MODIFIED",
    1=1, "UNKNOWN"
  )
| table _time, host, User, EventCode, DetectionType, TargetObject, Details, Image
| sort - _time

high severity high confidence

Data Sources

Windows Registry: Registry Key Modification Sysmon Event ID 12 (RegistryEvent - Object Create/Delete) Sysmon Event ID 13 (RegistryEvent - Value Set)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate security products using AppInit_DLLs for monitoring injection
Application virtualization platforms using AppInit for isolation
Older enterprise software requiring system-wide DLL injection
Debugging tools that document AppInit_DLLs usage

Elastic Security (EQL)

eql

registry where
  registry.key : (
    "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows",
    "*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
  ) and
  registry.value.name : ("AppInit_DLLs", "LoadAppInit_DLLs", "RequireSignedAppInit_DLLs") and
  (
    (
      registry.value.name : "AppInit_DLLs" and
      registry.data.strings != null and
      registry.data.strings != "" and
      not registry.data.strings : ("*\\Windows\\system32\\*", "*\\Windows\\SysWOW64\\*")
    ) or
    (
      registry.value.name : "LoadAppInit_DLLs" and
      registry.data.strings : ("1", "0x00000001")
    ) or
    (
      registry.value.name : "RequireSignedAppInit_DLLs" and
      registry.data.strings : ("0", "0x00000000")
    )
  )

high severity high confidence

Data Sources

Windows Registry (Sysmon Event ID 12/13/14) Elastic Endpoint Security Windows Security Event 4657

Required Tables

logs-endpoint.events.registry-* .ds-logs-endpoint.events.registry-*

False Positives

Legacy accessibility software (e.g., older screen readers or assistive technology tools) that legitimately register DLLs via AppInit_DLLs during installation
Endpoint security or DLP products that use AppInit_DLLs as part of their user-mode hooking mechanism — verify vendor-signed DLLs
Software installers or system configuration scripts run by IT administrators during provisioning that temporarily modify AppInit_DLLs values
Virtualization or compatibility shim software that registers helper DLLs in AppInit_DLLs for application compatibility purposes

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username AS user_name,
  "hostname" AS host,
  QIDNAME(qid) AS event_name,
  "YARA-L TargetObject" AS registry_path,
  "YARA-L Details" AS registry_value,
  CASE
    WHEN "eventpayload" ILIKE '%AppInit_DLLs%'
         AND "eventpayload" NOT ILIKE '%system32%'
         AND "eventpayload" NOT ILIKE '%SysWOW64%'
         AND "eventpayload" NOT ILIKE 'Details><%'
      THEN 'APPINIT_SUSPICIOUS_DLL_PATH'
    WHEN "eventpayload" ILIKE '%LoadAppInit_DLLs%'
         AND "eventpayload" ILIKE '%Details>1<%'
      THEN 'APPINIT_LOADING_ENABLED'
    WHEN "eventpayload" ILIKE '%RequireSignedAppInit_DLLs%'
         AND "eventpayload" ILIKE '%Details>0<%'
      THEN 'APPINIT_SIGNATURE_DISABLED'
    ELSE 'APPINIT_KEY_MODIFIED'
  END AS detection_type,
  "eventpayload" AS raw_payload
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 347, 380)
  AND (
    ("eventpayload" ILIKE '%Microsoft\\Windows NT\\CurrentVersion\\Windows%'
     OR "eventpayload" ILIKE '%Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows%')
    AND (
      "eventpayload" ILIKE '%AppInit_DLLs%'
      OR "eventpayload" ILIKE '%LoadAppInit_DLLs%'
      OR "eventpayload" ILIKE '%RequireSignedAppInit_DLLs%'
    )
  )
  AND devicetime > NOW() - 86400000
ORDER BY event_time DESC
LIMIT 500

high severity medium confidence

Data Sources

Windows Event Log (QRadar DSM) Microsoft Sysmon (QRadar DSM) Windows Security Log

Required Tables

events

False Positives

Security software vendors (endpoint agents, AV products) that register signed helper DLLs in AppInit_DLLs as part of user-mode monitoring
Legacy enterprise applications deployed before AppInit_DLLs was deprecated that still rely on this mechanism for cross-process functionality
Software deployment pipelines or SCCM/Intune scripts that configure registry values during mass workstation provisioning

Sumo Logic CSE

sql

(_sourceCategory=windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*winlog*)
(EventCode=12 OR EventCode=13 OR EventCode=14)
("Windows NT\\CurrentVersion\\Windows")
("AppInit_DLLs" OR "LoadAppInit_DLLs" OR "RequireSignedAppInit_DLLs")
| parse regex "(?i)<Data Name='TargetObject'>(?P<TargetObject>[^<]+)</Data>"
| parse regex "(?i)<Data Name='Details'>(?P<Details>[^<]+)</Data>" nodrop
| parse regex "(?i)<Data Name='Image'>(?P<Image>[^<]+)</Data>" nodrop
| parse regex "(?i)<Data Name='User'>(?P<reg_user>[^<]+)</Data>" nodrop
| where TargetObject matches "*Windows NT*CurrentVersion*Windows*"
| where TargetObject matches "*AppInit_DLLs*"
    OR TargetObject matches "*LoadAppInit_DLLs*"
    OR TargetObject matches "*RequireSignedAppInit_DLLs*"
| eval is_suspicious_dll = if(
    TargetObject matches "*AppInit_DLLs"
    AND !(Details matches "(?i)system32" OR Details matches "(?i)syswow64")
    AND Details != "", 1, 0)
| eval is_loading_enabled = if(
    TargetObject matches "*LoadAppInit_DLLs" AND Details = "1", 1, 0)
| eval is_signing_disabled = if(
    TargetObject matches "*RequireSignedAppInit_DLLs" AND Details = "0", 1, 0)
| where is_suspicious_dll = 1 OR is_loading_enabled = 1 OR is_signing_disabled = 1
| eval detection_type = if(is_suspicious_dll = 1, "APPINIT_SUSPICIOUS_DLL_PATH",
    if(is_loading_enabled = 1, "APPINIT_LOADING_ENABLED",
    if(is_signing_disabled = 1, "APPINIT_SIGNATURE_DISABLED",
    "APPINIT_KEY_MODIFIED")))
| fields _time, host, reg_user, EventCode, detection_type, TargetObject, Details, Image
| sort by _time desc

high severity high confidence

Data Sources

Sysmon Event Logs (Windows) Windows Security Event Log

Required Tables

Windows Event Log via Sumo Logic Installed Collector

False Positives

Third-party input method editors (IMEs) or keyboard layout software that inject helper DLLs into all GUI processes using AppInit_DLLs
Enterprise DLP or data classification agents that use AppInit_DLLs for cross-process document inspection — validate against approved software inventory
System restore or backup operations that reset registry hive snapshots containing historical AppInit_DLLs values

Google Chronicle / SecOps

yaral

rule appinit_dll_persistence_t1546_010 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects AppInit DLL persistence mechanism via registry modification (T1546.010). Covers suspicious DLL path injection, enabling of AppInit loading, and disabling of signature enforcement."
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    mitre_attack_technique = "T1546.010"
    severity = "HIGH"
    confidence = "HIGH"
    platform = "Windows"
    reference = "https://attack.mitre.org/techniques/T1546/010/"

  events:
    $e.metadata.event_type = "REGISTRY_MODIFICATION"
    (
      re.regex($e.target.registry.registry_key,
        `(?i)SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows NT\\CurrentVersion\\Windows$`) or
      re.regex($e.target.registry.registry_key,
        `(?i)HKEY_LOCAL_MACHINE\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows NT\\CurrentVersion\\Windows$`)
    )
    re.regex($e.target.registry.registry_value_name,
      `(?i)^(AppInit_DLLs|LoadAppInit_DLLs|RequireSignedAppInit_DLLs)$`)
    (
      (
        re.regex($e.target.registry.registry_value_name, `(?i)^AppInit_DLLs$`) and
        $e.target.registry.registry_value_data != "" and
        not re.regex($e.target.registry.registry_value_data, `(?i)(system32|syswow64)`)
      ) or
      (
        re.regex($e.target.registry.registry_value_name, `(?i)^LoadAppInit_DLLs$`) and
        $e.target.registry.registry_value_data = "1"
      ) or
      (
        re.regex($e.target.registry.registry_value_name, `(?i)^RequireSignedAppInit_DLLs$`) and
        $e.target.registry.registry_value_data = "0"
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Windows Event Log (Sysmon Registry Events) Google Chronicle UDM Registry Events

Required Tables

UDM Events (REGISTRY_MODIFICATION)

False Positives

Administrative tooling or GPO configurations that legitimately manage AppInit_DLLs values across a fleet, generating expected modification events from SYSTEM or trusted admin accounts
Application compatibility fixes or shims installed by Windows Assessment and Deployment Kit (ADK) tools that set AppInit_DLLs values for legacy software support
Security monitoring products (e.g., older versions of some EDR agents) that register themselves in AppInit_DLLs for process-level visibility

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ("RegGenericValueUpdate", "AsepValueUpdate", "RegStringValueUpdate")
| RegObjectName = /(?i)(SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows NT\\CurrentVersion\\Windows)$/
| RegValueName = /(?i)^(AppInit_DLLs|LoadAppInit_DLLs|RequireSignedAppInit_DLLs)$/
| case {
    RegValueName = /(?i)^AppInit_DLLs$/
    AND NOT RegStringValue = /(?i)(system32|syswow64)/
    AND RegStringValue != ""
      | DetectionType := "APPINIT_SUSPICIOUS_DLL_PATH" ;
    RegValueName = /(?i)^LoadAppInit_DLLs$/ AND RegStringValue = "1"
      | DetectionType := "APPINIT_LOADING_ENABLED" ;
    RegValueName = /(?i)^RequireSignedAppInit_DLLs$/ AND RegStringValue = "0"
      | DetectionType := "APPINIT_SIGNATURE_DISABLED" ;
    *
      | DetectionType := "APPINIT_KEY_MODIFIED"
  }
| table([timestamp, ComputerName, UserName, DetectionType, RegObjectName, RegValueName, RegStringValue, FileName, CommandLine])
| sort(timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Sensor (Registry Events) Falcon Data Replicator (FDR)

Required Tables

RegGenericValueUpdate AsepValueUpdate RegStringValueUpdate

False Positives

CrowdStrike or other EDR vendor sensor updates that temporarily modify AppInit_DLLs-adjacent registry areas during kernel hook management — filter by known vendor process hashes
Windows in-place upgrade or feature update processes that re-write CurrentVersion registry keys including AppInit_DLLs as part of Windows component servicing
Legitimate pen testing or red team exercises conducted by internal security teams — correlate with change management tickets and authorized testing windows

AppInit DLLs

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Privilege Escalation

Popular Detections