CYBERSECURITY JOB HUNTING GUIDE
T1546.010 Event Triggered Execution: AppInit DLLs
Author: Stefan Waldvogel
LimaCharlie vs. Account Manipulation
Overview:
T1546.010 - AppInit DLLs
Description from ATT&CK
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows or HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. (Citation: Elastic Process Injection July 2017)
Similar to Process Injection, these values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. (Citation: AppInit Registry) Malicious AppInit DLLs may also provide persistence by continuously being triggered by API activity.
The AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled. (Citation: AppInit Secure Boot)
Source: github.com/redcanaryco/atomic-red-team/tree/master/atomics
Commands:
Invoke-AtomicTest T1546.010 -ShowDetailsBrief
Invoke-AtomicTest T1546.010 -CheckPrereqs
Invoke-AtomicTest T1546.010 -GetPrereqs
Invoke-AtomicTest T1546.010 -TestNumbers 1
Invoke-AtomicTest T1546.010 -Cleanup
Test:
reg.exe import #{registry_file}
Changes:
-none-
Limitations:
Results:
This section has 1 subtest.
Invoke-AtomicTest T1546.010 -TestNumbers 1: not detected (registry entry)
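The atomic test only writes the registry value, and the sensor raised no alert on it. As an added example (my own, not code from the Atomic Red Team project or from this post), the PowerShell audit below reads the two keys named in the ATT&CK description and reports any configured AppInit DLL together with the values that gate whether user32.dll will actually load it; the function name Get-AppInitDllState is my own.

```powershell
# Added example: audit the AppInit_DLLs persistence location on a Windows host.
# Keys are the two named in the ATT&CK description (64-bit and Wow6432Node views).
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitDllState {
    foreach ($key in $AppInitKeys) {
        # The Wow6432Node key does not exist on 32-bit installations.
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue

        # AppInit_DLLs is a space- or comma-separated list of DLL paths; empty is the clean state.
        $dlls = @()
        if ($props.AppInit_DLLs) {
            $dlls = @($props.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ })
        }

        # For each listed DLL, record whether the file exists and whether it carries a valid signature.
        $signatures = foreach ($dll in $dlls) {
            $resolved = [Environment]::ExpandEnvironmentVariables($dll)
            if (Test-Path -LiteralPath $resolved) {
                '{0}: {1}' -f $resolved, (Get-AuthenticodeSignature -FilePath $resolved).Status
            } else {
                '{0}: FileMissing' -f $resolved
            }
        }

        # LoadAppInit_DLLs (DWORD) must be 1 for the list to be loaded at all;
        # RequireSignedAppInit_DLLs (DWORD) restricts loading to signed DLLs.
        # A value that is absent from the key is reported as $null.
        [PSCustomObject]@{
            Key                       = $key
            AppInit_DLLs              = $dlls
            DllSignatures             = @($signatures)
            LoadAppInit_DLLs          = $props.LoadAppInit_DLLs
            RequireSignedAppInit_DLLs = $props.RequireSignedAppInit_DLLs
            Suspicious                = ($dlls.Count -gt 0)
        }
    }
}

# A row with Suspicious = True and LoadAppInit_DLLs = 1 means the listed DLLs will be
# injected into every new process that loads user32.dll.
Get-AppInitDllState | Format-List
```

Run it before and after the atomic test to see the value the sensor missed; a non-empty AppInit_DLLs on a clean baseline is itself the finding.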
© 2021. This work is licensed under a CC BY-SA 4.0 license