Detection rules › Kusto Query Language

Registry Persistence via AppCert DLL Modification

Source: upstream

'Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. Ref: https://attack.mitre.org/techniques/T1546/009/'

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1546.009` Event Triggered Execution: AppCert DLLs
Privilege Escalation	`T1546.009` Event Triggered Execution: AppCert DLLs

Event coverage

Provider	Event ID	Title
Sysmon	13	RegistryEvent (Value Set)

Stages and Predicates

Stage 1: `source`

Event

Stage 2: `where`

and
  EventID eq "13"
  EventLog eq "Microsoft-Windows-Sysmon/Operational"

Stage 3: `parse`

Stage 4: `where`

TargetObject match "\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\"

Stage 5: `summarize`

Stage 6: `extend`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`EventID`	in	`13`
`EventLog`	eq	`Microsoft-Windows-Sysmon/Operational`
`TargetObject`	match	`\\Control\\Session Manager\\AppCertDLLs\\`

Registry Persistence via AppCert DLL Modification

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: source

Stage 2: where

Stage 3: parse

Stage 4: where

Stage 5: summarize