T1546.010

AppInit DLLs

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows or HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32....

Windows
2 Detections
2 Sources
1 Threat Actors

BY SOURCE

1 elastic
1 sigma

PROCEDURES (2)

Registry Monitoring (1 detection)

Auto-extracted: 1 detection for registry monitoring

Process Creation Monitoring (1 detection)

Auto-extracted: 1 detection for process creation monitoring

THREAT ACTORS (1)

DETECTIONS (2)