Persistence via AppInit DLL
Detect registry modifications of the AppInit_Dlls key, which is used by attackers to maintain persistence. AppInit DLLs are loaded into every process that uses the common library user32.dll.
| id | 822dc4c5-b355-4df8-bd37-29c458997b8f |
|---|---|
| categories | detect |
| confidence | low |
| os | windows |
| created | 11/30/2018 |
| updated | 11/30/2018 |
MITRE ATT&CK™ Mapping

| tactics | Persistence, Privilege Escalation |
|---|---|
| techniques | T1103 AppInit DLLs |
Query

```eql
registry where wildcard(registry_path,
    "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
    "*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls"
)
and not wildcard(process_path, "*\\system32\\msiexec.exe", "*\\syswow64\\msiexec.exe")
| unique registry_data
```
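To show what the query above actually selects, here is an added Python re-implementation of its logic run over a handful of constructed registry events. It is example code written for this page, not part of the EQL analytics library or the EQL engine: `wildcard()` mirrors EQL's case-insensitive glob matching, the filter reproduces the two `wildcard()` clauses, and `unique registry_data` is modelled by keeping the first event per distinct `registry_data` value. The field names (`registry_path`, `registry_data`, `process_path`) are the ones the query uses; the event contents, DLL names and the `event_type` field are constructed assumptions.

```python
import fnmatch

# Patterns copied from the EQL query above.
APPINIT_KEY_PATTERNS = (
    "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
    "*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
)
MSIEXEC_PATTERNS = ("*\\system32\\msiexec.exe", "*\\syswow64\\msiexec.exe")

# Constructed sample events (not from the original page). The event_type field
# stands in for EQL's event category ("registry where ...").
SAMPLE_EVENTS = [
    {   # 1: reg.exe writes the 64-bit AppInit_Dlls value -> should match
        "event_type": "registry",
        "process_path": "C:\\Windows\\System32\\reg.exe",
        "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
        "registry_data": "C:\\ProgramData\\example\\hook.dll",
    },
    {   # 2: msiexec.exe (installer) writes the Wow6432Node value -> excluded by the query
        "event_type": "registry",
        "process_path": "C:\\Windows\\SysWOW64\\msiexec.exe",
        "registry_path": "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
        "registry_data": "C:\\Program Files (x86)\\Vendor\\vendor.dll",
    },
    {   # 3: same DLL as event 1, different path casing -> matches, but deduplicated by unique
        "event_type": "registry",
        "process_path": "C:\\Windows\\System32\\rundll32.exe",
        "registry_path": "hklm\\software\\microsoft\\windows nt\\currentversion\\windows\\appinit_dlls",
        "registry_data": "C:\\ProgramData\\example\\hook.dll",
    },
    {   # 4: write to the neighbouring LoadAppInit_DLLs value -> not selected by this query
        "event_type": "registry",
        "process_path": "C:\\Windows\\System32\\reg.exe",
        "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs",
        "registry_data": "1",
    },
    {   # 5: process event, wrong category -> skipped before any field check
        "event_type": "process",
        "process_path": "C:\\Windows\\System32\\reg.exe",
        "registry_path": None,
        "registry_data": None,
    },
    {   # 6: a second distinct AppInit DLL -> second unique result
        "event_type": "registry",
        "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls",
        "registry_data": "C:\\Temp\\second.dll",
    },
]


def wildcard(value, *patterns):
    """Case-insensitive glob match over one or more patterns, like EQL's wildcard().

    A missing (None) field never matches, which is also how the EQL function
    behaves when the field is absent from the event.
    """
    if value is None:
        return False
    lowered = value.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in patterns)


def detect_appinit_persistence(events):
    """Apply the query's logic and return the first event per distinct registry_data.

    Mirrors:  registry where wildcard(registry_path, <AppInit keys>)
              and not wildcard(process_path, <msiexec paths>)
              | unique registry_data
    """
    seen_data = set()
    results = []
    for event in events:
        if event.get("event_type") != "registry":
            continue
        if not wildcard(event.get("registry_path"), *APPINIT_KEY_PATTERNS):
            continue
        if wildcard(event.get("process_path"), *MSIEXEC_PATTERNS):
            continue  # installer writes are excluded by the query
        data = event.get("registry_data")
        if data in seen_data:
            continue  # `| unique registry_data` keeps only the first occurrence
        seen_data.add(data)
        results.append(event)
    return results


if __name__ == "__main__":
    for hit in detect_appinit_persistence(SAMPLE_EVENTS):
        print(f"{hit['process_path']} -> {hit['registry_path']} = {hit['registry_data']}")
```

Running it over the constructed events returns two hits (the `hook.dll` write by reg.exe and the `second.dll` write), drops the msiexec.exe write, and collapses the repeated `hook.dll` value. Event 4 illustrates a scope point worth knowing when tuning: the patterns end in `\AppInit_Dlls`, so writes to the adjacent `LoadAppInit_DLLs` value, which controls whether the listed DLLs are loaded at all, are not returned by this query.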