title: AppCert DLLs (T1546.009)
id: df00tech-t1546-009
status: experimental
description: "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKLM\\System\\CurrentControlSet\\Control\\Session Manager are loaded into every process that calls the commonly used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. This provides adversaries a way to have code execute in the security context of every process on the system, including processes with high privilege levels."
references:
  - https://attack.mitre.org/techniques/T1546/009/
  - https://df00tech.com/detections/T1546.009
author: df00tech
date: 2026/04/20
tags:
  - attack.persistence
  - attack.privilege_escalation
  - attack.t1546.009
# NOTE: logsource may need adjustment for your environment (e.g. Sysmon Event ID 13 or an EDR registry-write source)
logsource:
  category: registry_set
  product: windows
detection:
  # The df00tech KQL/SPL query could not be auto-translated; the selection below matches
  # writes to the AppCertDLLs key named in the description. Tune with the falsepositives list.
  selection:
    TargetObject|contains: '\Control\Session Manager\AppCertDLLs'
  condition: selection
falsepositives:
  - Digital rights management (DRM) or software licensing tools that use AppCertDLLs to inject into processes for license validation
  - Enterprise endpoint management agents that use AppCertDLLs for process monitoring across all applications
  - Anticheat software for games that injects monitoring DLLs via AppCertDLLs mechanism
  - Legacy application compatibility shims that use AppCertDLLs to apply compatibility fixes to processes
level: high
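The rule above only names the registry key; the following is an added example, not part of the df00tech rule or the ATT&CK entry, showing how the same logic is applied to Sysmon-style registry events (Event ID 12/13 rendered as XML) with an allowlist that absorbs the vetted DLLs from the falsepositives list. The sample events and the allowlist entry `C:\Program Files\ExampleVendor\LicenseCheck.dll` are constructed placeholders.

```python
"""Apply the AppCertDLLs registry-write detection to Sysmon-style events.

Added example, not part of the df00tech rule. All events and the allowlist
entry below are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Key fragment from the rule's description, matched case-insensitively so that
# both HKLM\SYSTEM\CurrentControlSet\... and ControlSet001\... variants hit.
APPCERT_FRAGMENT = r"\control\session manager\appcertdlls"

# Sysmon: 12 = registry key/value created or deleted, 13 = registry value set.
REGISTRY_EVENT_IDS = {12, 13}

# Placeholder allowlist (lower-cased paths) of DLLs this environment has vetted,
# e.g. a licensing or endpoint agent from the falsepositives list. Constructed.
VETTED_DLLS = {
    r"c:\program files\examplevendor\licensecheck.dll",
}


@dataclass
class RegistryEvent:
    event_id: int
    image: str
    target_object: str
    details: str


def _local(tag: str) -> str:
    """Strip an XML namespace prefix ({ns}Tag -> Tag) if one is present."""
    return tag.rsplit("}", 1)[-1]


def parse_sysmon_event(xml_text: str) -> RegistryEvent:
    """Parse one Sysmon event rendered as XML into a RegistryEvent."""
    root = ET.fromstring(xml_text)
    event_id = next(int(el.text) for el in root.iter() if _local(el.tag) == "EventID")
    data = {el.get("Name"): (el.text or "") for el in root.iter() if _local(el.tag) == "Data"}
    return RegistryEvent(
        event_id=event_id,
        image=data.get("Image", ""),
        target_object=data.get("TargetObject", ""),
        details=data.get("Details", ""),
    )


def is_appcert_write(ev: RegistryEvent) -> bool:
    """True when the event is a registry write under the AppCertDLLs key."""
    return ev.event_id in REGISTRY_EVENT_IDS and APPCERT_FRAGMENT in ev.target_object.lower()


def evaluate(events):
    """Split AppCertDLLs writes into (alerts, suppressed).

    A write whose value (the DLL path in Details) is on the allowlist is
    suppressed; anything else under the key, including key creation with no
    Details, is alerted."""
    alerts, suppressed = [], []
    for ev in events:
        if not is_appcert_write(ev):
            continue
        if ev.details.strip().lower() in VETTED_DLLS:
            suppressed.append(ev)
        else:
            alerts.append(ev)
    return alerts, suppressed


# Constructed sample events: one unknown DLL, one vetted DLL, one unrelated key.
SAMPLE_EVENTS = [
    r"""<Event><System><EventID>13</EventID></System><EventData>
<Data Name="Image">C:\Windows\regedit.exe</Data>
<Data Name="TargetObject">HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls\Helper</Data>
<Data Name="Details">C:\Users\Public\helper.dll</Data>
</EventData></Event>""",
    r"""<Event><System><EventID>13</EventID></System><EventData>
<Data Name="Image">C:\Program Files\ExampleVendor\setup.exe</Data>
<Data Name="TargetObject">HKLM\System\ControlSet001\Control\Session Manager\AppCertDlls\LicenseCheck</Data>
<Data Name="Details">C:\Program Files\ExampleVendor\LicenseCheck.dll</Data>
</EventData></Event>""",
    r"""<Event><System><EventID>13</EventID></System><EventData>
<Data Name="Image">C:\Windows\explorer.exe</Data>
<Data Name="TargetObject">HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive</Data>
<Data Name="Details">C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe</Data>
</EventData></Event>""",
]


def detect_from_samples():
    """Run the detection over the constructed samples; returns (alerts, suppressed)."""
    return evaluate(parse_sysmon_event(x) for x in SAMPLE_EVENTS)


if __name__ == "__main__":
    alerts, suppressed = detect_from_samples()
    for ev in alerts:
        print(f"ALERT  {ev.image} wrote {ev.target_object} -> {ev.details}")
    for ev in suppressed:
        print(f"vetted {ev.target_object} -> {ev.details}")
```

The allowlist keys on the DLL path written into the value rather than on the writing process, because the same installer binary can legitimately register a licensing DLL and later be abused to register a different one; pair this with a file-hash or signature check on the DLL in production.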
