T1546.009 · threatengine.sh

Home/ATT&CK Technique/AppCert DLLs

ATT&CK Technique

AppCert DLLs

T1546.009 · privilege-escalation, persistence

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. Similar to Process Injection, this value can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.

Malicious AppCert DLLs may also provide persistence by continuously being triggered by API activity.

Windows

▸

Atomic Tests

Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.

powershellelevatedwindowsCreate registry persistence via AppCert DLL

Creates a new 'AtomicTest' value pointing to an AppCert DLL in the AppCertDlls registry key. Once the computer restarted, the DLL will be loaded in multiple processes and write an 'AtomicTest.txt' file in C:\Users\Public\ to validate that the DLL executed succesfully. Reference: https://skanthak.homepage.t-online.de/appcert.html

Copy-Item "#{dll_path}" C:\Users\Public\AtomicTest.dll -Force
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls" /v "AtomicTest" /t REG_EXPAND_SZ /d "C:\Users\Public\AtomicTest.dll" /f
if(#{reboot}){Restart-Computer}

▣

Mitigations

MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.

M1038Execution Prevention

Prevent the execution of unauthorized or malicious code on systems by implementing application control, script blocking, and other execution prevention mechanisms. This ensures that only trusted and authorized code is executed, reducing the risk of malware and unauthorized actions.

Application Control

Use Case: Use tools like AppLocker or Windows Defender Application Control (WDAC) to create whitelists of authorized applications and block unauthorized ones. On Linux, use tools like SELinux or AppArmor to define mandatory access control policies for application execution.
Implementation: Allow only digitally signed or pre-approved applications to execute on servers and endpoints. (e.g., `New-AppLockerPolicy -PolicyType Enforced -FilePath "C:\Policies\AppLocker.

xml"`) Script Blocking

Use Case: Use script control mechanisms to block unauthorized execution of scripts, such as PowerShell or JavaScript. Web Browsers: Use browser extensions or settings to block JavaScript execution from untrusted sources.
Implementation: Configure PowerShell to enforce Constrained Language Mode for non-administrator users. (e.g.

, Set-ExecutionPolicy AllSigned) Executable Blocking

Use Case: Prevent execution of binaries from suspicious locations, such as %TEMP% or %APPDATA% directories.
Implementation: Block execution of .exe, .bat, or .ps1 files from user-writable directories.

Dynamic Analysis Prevention

Use Case: Use behavior-based execution prevention tools to identify and block malicious activity in real time.
Implemenation: Employ EDR solutions that analyze runtime behavior and block suspicious code execution.

◈

Detection Coverage

1/6 layers

Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).

Behavioral / log (Sigma) 2

Analytics (MITRE CAR) none

Runtime / container (Falco) none

File / malware (YARA) none

Network (Suricata/Snort) none

Vuln scan (Nuclei) none

▣

Comply & Defend

NIST 800-53CM-07, SI-07, SI-10

D3FEND12 defensive techniques

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

MITRE ATT&CK Atomic Red Team car (MITRE)

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin