Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the <code>AppInit_DLLs</code> value in the Registry keys <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> or <code>HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows</code> are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. (Citation: Elastic Process Injection July 2017)
Similar to Process Injection, these values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. (Citation: AppInit Registry) Malicious AppInit DLLs may also provide persistence by continuously being triggered by API activity.
The AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled. (Citation: AppInit Secure Boot)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1546.010 | AppInit DLLs |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, upgrading to Windows 8 or later and enabling secure boot can help prevent execution of malicious content via AppInit DLLs.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| SI-02 | Flaw Remediation | mitigates | T1546.010 | AppInit DLLs | |
| SI-10 | Information Input Validation | mitigates | T1546.010 | AppInit DLLs | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1546.010 | AppInit DLLs | |
| CM-02 | Baseline Configuration | mitigates | T1546.010 | AppInit DLLs | |
| CM-07 | Least Functionality | mitigates | T1546.010 | AppInit DLLs |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| attribute.integrity.variety.Alter behavior | Influence or alter human behavior | related-to | T1546.010 | AppInit DLLs |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | technique_scores | T1546.010 | AppInit DLLs |
Comments
The detection score for this group of sub-techniques is assessed as Minimal due to the accuracy component of the score. The registry keys which are modified as a result of these sub-techniques can change frequently or are too numerous to monitor and therefore can result in significant amount of false positives.
References
|