Detection rules › Kusto Query Language

Registry Persistence via AppInit DLLs Modification

Source: upstream

'Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows or HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. Ref: https://attack.mitre.org/techniques/T1546/010/'

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1546.010` Event Triggered Execution: AppInit DLLs
Privilege Escalation	`T1546.010` Event Triggered Execution: AppInit DLLs

Event coverage

Provider	Event ID	Title
Sysmon	13	RegistryEvent (Value Set)

Stages and Predicates

Stage 1: `source`

Event

Stage 2: `where`

and
  EventID eq "13"
  EventLog eq "Microsoft-Windows-Sysmon/Operational"

Stage 3: `parse`

Stage 4: `where`

TargetObject match "\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_DLLs"

Stage 5: `summarize`

Stage 6: `extend`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`EventID`	in	`13`
`EventLog`	eq	`Microsoft-Windows-Sysmon/Operational`
`TargetObject`	match	`\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs`

Registry Persistence via AppInit DLLs Modification

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: source

Stage 2: where

Stage 3: parse

Stage 4: where

Stage 5: summarize