ATT&CK Technique
AppInit DLLs
T1103 · persistence, privilege-escalation
▤ Generate a SIEM detection for T1103
◈ Deployable detections for T1103
⚠ CVEs mapped to T1103
♛ Hunt package for T1103
Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows or HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. Similar to Process Injection, these values can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
The AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled.
Windows
▸
How to use this page - the detection-engineering loop
Attackers have goals (tactics - “get credentials”, “move laterally”) and techniques are the concrete methods they use to reach them. This page is one method - T1103 - broken into everything you need to catch it.
The loop this page is built for (this is the job):
- Understand the behaviour - read the description and the Atomic Tests to see exactly what the attacker does on a host or network.
- Find the telemetry - what data source would reveal it (process creation, registry, network flow, auth logs). Detection Coverage shows which surfaces already have a rule and which are blind.
- Get or write the detection - adapt ready logic (CAR Analytics, SIEM Detections, Falco, or Sigma via Generate a SIEM detection), or author your own.
- Test it - run an Atomic Test in a lab and confirm your rule actually fires. A detection you have not tested is a hope, not coverage.
- Deploy and tune - push it, then watch for false positives and adjust.
What each panel is for:
Atomic Testssafely reproduce the technique in a lab to validate that a detection fires.
Detection Coveragewhich detection surfaces have a rule for this technique; none is a blind spot to close, or simply not applicable (YARA matches files, not network behaviour).
CAR / SIEM / Falcoready-made detection logic (Splunk SPL, Elastic EQL, Sentinel KQL, Falco) you adapt to your own SIEM.
Mitigationsreduce exposure so the technique is harder to use at all - prevent, not just detect.
Actors / Attributionwho actually uses this, so you prioritise by your own threat model.
Attack Path / LOTLwhat attackers do before and after this step, and the legitimate tools they abuse to do it.
Where this fits: you usually arrive here from a CVE (“which techniques does it enable”) and leave with a tested detection deployed. The buttons above jump straight to building one, the deployable rules, the CVEs that use T1103, and a hunt package.
◈
Detection Coverage
0/9 layersCoverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma)
none
Analytics (MITRE CAR)
none
Runtime / container (Falco)
none
File / malware (YARA)
none
Network (Suricata/Snort)
none
Vuln scan (Nuclei)
none
SIEM (Splunk ESCU)
none
SIEM (Elastic)
none
SIEM (Azure Sentinel)
none
External lookups - second-class, for what we don’t hold ourselves