T1546.009

AppCert DLLs

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the `AppCertDLLs` Registry key under `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\` are loaded into every process that calls the ubiquitously used application programming interface (API) functions `CreateProcess`, `CreateProcessAsUser`,...

Windows | 3 Detections | 2 Sources | 0 Threat Actors

BY SOURCE

2 sigma, 1 elastic

PROCEDURES (3)

Persist: 1 detection

Auto-extracted: 1 detection for persist

Persist: 1 detection

Auto-extracted: 1 detection for persist

Registry Monitoring: 1 detection

Auto-extracted: 1 detection for registry monitoring

DETECTIONS (3)