Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows or HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. [1]
Similar to Process Injection, these values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. [2] Malicious AppInit DLLs may also provide persistence by continuously being triggered by API activity.
The AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled. [3]
ID | Name | Description |
---|---|---|
G0087 | APT39 | APT39 has used malware to set |
S0107 | Cherry Picker | Some variants of Cherry Picker use AppInit_DLLs to achieve persistence by creating the following Registry key: |
S0458 | Ramsay | Ramsay can insert itself into the address space of other applications using the AppInit DLL Registry key. [6] |
S0098 | T9000 | If a victim meets certain criteria, T9000 uses the AppInit_DLL functionality to achieve persistence by ensuring that every user mode process that is spawned will load its malicious DLL, ResN32.dll. It does this by creating the following Registry keys: |
ID | Mitigation | Description |
---|---|---|
M1038 | Execution Prevention | Adversaries can install new AppInit DLL binaries to execute this technique. Identify and block potentially malicious software executed through the AppInit DLLs functionality by using application control tools [8], such as Windows Defender Application Control [9], AppLocker [10] [11] or Software Restriction Policies [12], where appropriate. [13] |
M1051 | Update Software | Upgrade to Windows 8 or later and enable secure boot. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution | Monitor executed commands and arguments that may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. |
DS0011 | Module | Module Load | Monitor DLL loads by processes that load user32.dll and look for DLLs that are not recognized or not normally loaded into a process. |
DS0009 | Process | OS API Execution | Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as |
DS0009 | Process | Process Creation | Monitor newly executed processes that may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. |
DS0024 | Windows Registry | Windows Registry Key Modification | Monitor the AppInit_DLLs Registry values for modifications that do not correlate with known software, patch cycles, etc. |
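One way to put the Registry-monitoring row above into practice is a periodic audit of both AppInit_DLLs locations. The script below is an added example, not part of the ATT&CK page; the $Baseline allowlist is a constructed placeholder to be replaced with the DLLs your own software inventory legitimately registers.

```powershell
# Added example: audit the AppInit_DLLs configuration on the local host and
# flag entries that fall outside a known-good baseline.
# $Baseline is a constructed placeholder, e.g. @('C:\Program Files\Vendor\hook.dll').
$Baseline = @()

$Keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

foreach ($Key in $Keys) {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key

    # LoadAppInit_DLLs (1 = enabled) and RequireSignedAppInit_DLLs control whether
    # the entries listed in AppInit_DLLs are honoured at all.
    $Load    = $Props.LoadAppInit_DLLs
    $Signed  = $Props.RequireSignedAppInit_DLLs
    $Entries = $Props.AppInit_DLLs

    Write-Host "[$Key]"
    Write-Host "  LoadAppInit_DLLs=$Load  RequireSignedAppInit_DLLs=$Signed"

    if ([string]::IsNullOrWhiteSpace($Entries)) {
        Write-Host "  AppInit_DLLs is empty"
        continue
    }

    # The value is a space- or comma-separated list of DLL paths.
    foreach ($Dll in ($Entries -split '[ ,]+' | Where-Object { $_ })) {
        $Status = @()
        if ($Baseline -notcontains $Dll) { $Status += 'NOT-IN-BASELINE' }
        # A bare file name is resolved by the loader's search order at runtime;
        # an entry that does not resolve from here still deserves a closer look.
        if (-not (Test-Path -LiteralPath $Dll)) {
            $Status += 'FILE-NOT-FOUND'
        } else {
            $Sig = Get-AuthenticodeSignature -FilePath $Dll
            if ($Sig.Status -ne 'Valid') { $Status += "SIGNATURE-$($Sig.Status)" }
        }
        $Flag = if ($Status) { ' <-- ' + ($Status -join ',') } else { '' }
        Write-Host "  $Dll$Flag"
    }
}
```

Run it from an elevated prompt on a reference build first to populate $Baseline, then diff the output across the fleet against that baseline.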