T1546.009

Event Triggered Execution: AppCert DLLs

Other sub-techniques of Event Triggered Execution (16)

ID	Name
T1546.001	Change Default File Association
T1546.002	Screensaver
T1546.003	Windows Management Instrumentation Event Subscription
T1546.004	Unix Shell Configuration Modification
T1546.005	Trap
T1546.006	LC_LOAD_DYLIB Addition
T1546.007	Netsh Helper DLL
T1546.008	Accessibility Features
T1546.009	AppCert DLLs
T1546.010	AppInit DLLs
T1546.011	Application Shimming
T1546.012	Image File Execution Options Injection
T1546.013	PowerShell Profile
T1546.014	Emond
T1546.015	Component Object Model Hijacking
T1546.016	Installer Packages

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. ^[1]

攻撃者は、プロセスにロードされたAppCert DLLをトリガーとして悪意のあるコンテンツを実行することにより、永続性を確立したり権限を昇格させたりすることができます。HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\のAppCertDLLs　レジストリキーで特定されるDllは広く使われているアプリケーションプログラミングインターフェース（API）関数であるCreateProcess、CreateProcessAsUser、CreateProcessWithLoginW、CreateProcessWithTokenW、WinExecを呼び出すすべてのプロセスで読み込まれます[1]

Similar to Process Injection, this value can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. Malicious AppCert DLLs may also provide persistence by continuously being triggered by API activity.

プロセスインジェクションと同様に、この値を悪用して、悪意のあるDLLをロードさせ、コンピュータ上の別のプロセスのコンテキストで実行させることで、昇格した権限を取得することが可能です。また、悪意のあるAppCert DLLは、APIアクティビティによって継続的にトリガーされることで、永続性を提供することがあります。

ID: T1546.009

Sub-technique of: T1546

Tactics: Privilege Escalation, Persistence

Platforms: Windows

Permissions Required: Administrator, SYSTEM

Effective Permissions: Administrator, SYSTEM

Version: 1.0

Created: 24 January 2020

Last Modified: 10 November 2020

Procedure Examples

ID	Name	Description
S0196	PUNCHBUGGY	PUNCHBUGGY can establish using a AppCertDLLs Registry key.^[2]

Mitigations

ID	Mitigation	Description
M1038	Execution Prevention	Adversaries install new AppCertDLL binaries to execute this technique. Identify and block potentially malicious software executed through AppCertDLLs functionality by using application control ^[3] tools, like Windows Defender Application Control^[4], AppLocker, ^[5] ^[6] or Software Restriction Policies ^[7] where appropriate. ^[8]

Detection

ID	Data Source	Data Component	Detects
DS0017	Command	Command Execution	Monitor executed commands and arguments that may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.
DS0011	Module	Module Load	Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Tools such as Sysinternals Autoruns may overlook AppCert DLLs as an auto-starting location. ^[9] ^[10]
DS0009	Process	OS API Execution	Monitor and analyze application programming interface (API) calls that are indicative of Registry edits, such as `RegCreateKeyEx` and `RegSetValueEx`. ^[1]
		Process Creation	Monitor newly executed processes that may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.
DS0024	Windows Registry	Windows Registry Key Modification	Monitor the AppCertDLLs Registry value for modifications that do not correlate with known software, patch cycles, etc.