title: AppInit DLLs (T1546.010)
id: df00tech-t1546-010
status: experimental
description: "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows or HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice, this is nearly every desktop process (GUI applications). This Registry-based injection mechanism has been used by multiple APT groups and crimeware families including Flame, FinFisher, and others."
references:
  - https://attack.mitre.org/techniques/T1546/010/
  - https://df00tech.com/detections/T1546.010
author: df00tech
date: 2026/04/20
tags:
  - attack.persistence
  - attack.privilege-escalation
  - attack.t1546.010
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
  category: registry_set
detection:
  # Registry value-set events (Sysmon Event ID 13) on the AppInit_DLLs value.
  # The endswith match covers both the native key and the Wow6432Node key
  # named in the description; the vendor's KQL/SPL query is on df00tech.
  selection:
    TargetObject|endswith: '\Windows NT\CurrentVersion\Windows\AppInit_DLLs'
  condition: selection
falsepositives:
  - "Legitimate security products (some older AV engines, DLP tools) that use AppInit_DLLs to inject monitoring code into all user processes"
  - Application virtualization platforms that use AppInit_DLLs for application isolation and shim injection
  - Some older enterprise software that requires system-wide DLL injection for licensing or functionality
  - Research and debugging tools that explicitly document their use of AppInit_DLLs (rare in production environments)
level: high
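The following script is an added example of the detection logic above applied to Sysmon-style registry events; it is not part of the df00tech rule or its KQL/SPL query. It goes slightly beyond the rule by also scoring a write to the LoadAppInit_DLLs switch in the same key, by treating a cleared value as remediation rather than persistence, and by applying an allowlist for the false-positive classes listed in the rule. The event records, the image paths and the allowlisted vendor DLL are all constructed placeholders.

```python
"""Apply the AppInit_DLLs registry-write detection to Sysmon-style events.

Added example; not part of the df00tech rule. The event records are
constructed to mimic Sysmon Event ID 13 (registry value set) fields, and
the allowlisted DLL path and the image names are hypothetical.
"""
import re

# The value name is the same under the native key and the Wow6432Node key
# named in the rule description, so one suffix match covers both views.
APPINIT_VALUE_SUFFIX = r"\windows nt\currentversion\windows\appinit_dlls"
# LoadAppInit_DLLs is the REG_DWORD in the same key that switches the
# mechanism on; setting it to 1 is worth a medium alert on its own.
LOAD_APPINIT_SUFFIX = r"\windows nt\currentversion\windows\loadappinit_dlls"

# Constructed allowlist of DLLs this environment has vetted (hypothetical
# vendor path, compared case-insensitively). This is where the security
# products and app-virtualization shims from the false-positive list go.
ALLOWLISTED_DLLS = {r"c:\examplevendor\monitor\hook.dll"}


def split_dll_list(details):
    """AppInit_DLLs is a space- or comma-separated list of DLL paths."""
    return [d.lower() for d in re.split(r"[ ,]+", details) if d]


def evaluate_event(event):
    """Return an alert dict for one Sysmon EventID 13 record, or None."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "")
    image = event.get("Image", "")

    if target.endswith(APPINIT_VALUE_SUFFIX):
        dlls = split_dll_list(details)
        if not dlls:
            # Clearing the value is remediation, not persistence; keep it
            # visible but low priority.
            return {"severity": "informational", "reason": "AppInit_DLLs cleared",
                    "dlls": [], "image": image}
        unknown = [d for d in dlls if d not in ALLOWLISTED_DLLS]
        if not unknown:
            return {"severity": "low", "reason": "allowlisted AppInit DLL set",
                    "dlls": dlls, "image": image}
        return {"severity": "high",
                "reason": "AppInit_DLLs set to non-allowlisted DLL",
                "dlls": unknown, "image": image}

    # Sysmon renders DWORD values as "DWORD (0x00000001)".
    if target.endswith(LOAD_APPINIT_SUFFIX) and details.endswith("(0x00000001)"):
        return {"severity": "medium", "reason": "LoadAppInit_DLLs enabled",
                "dlls": [], "image": image}
    return None


# Constructed sample events using Sysmon EventID 13 field names.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "Details": r"C:\Users\Public\unknown.dll"},
    {"EventID": 13, "Image": r"C:\ExampleVendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "Details": r"C:\ExampleVendor\monitor\hook.dll"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "Details": ""},
    # Unrelated registry write and a non-registry event: must not alert.
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\ExampleVendor\updater.exe"},
    {"EventID": 1, "Image": r"C:\Windows\notepad.exe"},
]


def run_detection(events=SAMPLE_EVENTS):
    """Evaluate every event and return the alerts in input order."""
    return [a for a in (evaluate_event(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in run_detection():
        print(alert["severity"], alert["reason"], alert["dlls"], alert["image"])
```

Running the script prints one line per alert: the unknown DLL write scores high, the allowlisted vendor DLL low, the LoadAppInit_DLLs switch medium, and the cleared value informational, while the unrelated Run-key write and the process-creation event produce nothing. The Image field is kept in every alert because which process wrote the value is usually the fastest triage signal. On hosts with Secure Boot enabled the loader ignores AppInit_DLLs entirely, but the write is still worth alerting on: it shows an actor with local administrator rights attempting a known persistence mechanism.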
