Detectionmediumtest
New DLL Added to AppCertDlls Registry Key
Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Ilyas Ochkov, oscd.communityCreated Fri Oct 25Updated Sat Nov 276aa1d992-5925-4e9f-a49b-845e51d1de01windows
Log Source
WindowsRegistry Event
ProductWindows← raw: windows
CategoryRegistry Event← raw: registry_event
Events for Windows Registry modifications including key creation, modification, and deletion.
Detection Logic
Detection Logic1 selector
detection:
selection:
# Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
- TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
# key rename
- NewName: 'HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls'
condition: selectionFalse Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Sub-techniques
Rule Metadata
Rule ID
6aa1d992-5925-4e9f-a49b-845e51d1de01
Status
test
Level
medium
Type
Detection
Created
Fri Oct 25
Modified
Sat Nov 27
Author
Path
rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.t1546.009