Dynamic-link libraries (DLLs) listed in the AppInit_DLLs value under either of the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
or (the 32-bit registry view, read by 32-bit processes on 64-bit Windows)
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
are loaded by user32.dll into every process that loads user32.dll, which is nearly every program on the system. The value is a space- or comma-separated list of DLL paths, and the DLLs are only loaded while the LoadAppInit_DLLs value (REG_DWORD) in the same key is set to 1. Two caveats matter when you assess exposure: since Windows 8 the whole mechanism is disabled while Secure Boot is enabled, and the RequireSignedAppInit_DLLs value, when set to 1, restricts loading to code-signed DLLs. Where the mechanism is active, a single registry write gives an attacker code execution inside every new process on the host, including processes running as SYSTEM or as other users, which is why the technique counts as both persistence and privilege escalation.
With the following Sigma rule you can detect attempts to set these values with reg.exe from a cmd.exe or powershell.exe parent. Compared with the rule as first published, two things are fixed here: the logsource is declared as process_creation (the original pointed at the Sysmon service without an EventID, so it was ambiguous which event it applied to), and the key path and the value name are matched as two separate substrings. reg.exe takes the value name as its own /v argument, so a real command line such as reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs ... never contains the contiguous string ...\Windows\AppInit_DLLs that the original patterns required. The *AppInit_DLLs* pattern also covers LoadAppInit_DLLs and RequireSignedAppInit_DLLs, and the key pattern covers both the HKLM and HKEY_LOCAL_MACHINE spellings and the Wow6432Node view:
title: Abusing AppInit DLLs Registry Path
description: DLLs listed in the AppInit_DLLs registry value are loaded by user32.dll into every process that loads user32.dll (nearly every program). Writing this value, or enabling LoadAppInit_DLLs, can be abused for persistence and privilege escalation.
author: francesco mancini
status: stable
logsource:
    category: process_creation
    product: windows
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1103
    - attack.t1546.010
detection:
    selection:
        ParentImage:
            - '*\powershell.exe'
            - '*\cmd.exe'
        Image: '*\reg.exe'
        CommandLine: '*\Microsoft\Windows NT\CurrentVersion\Windows*'
    value_name:
        CommandLine: '*AppInit_DLLs*'
    condition: selection and value_name
falsepositives:
    - legitimate software installers or patch cycles that register an AppInit DLL
level: critical
To use this rule, convert it to your SIEM's query language with the Sigma tooling (sigma-cli with the pySigma backend for your platform, or the legacy sigmac). Keep its blind spots in mind: it only sees reg.exe launched from cmd.exe or powershell.exe, so a write done with Set-ItemProperty in PowerShell, with a registry API call from malware, or with reg.exe started by any other parent is not covered. For coverage of the write itself rather than the command that performed it, pair this rule with one on Sysmon Event ID 13 (RegistryEvent, value set) where TargetObject ends in \AppInit_DLLs or \LoadAppInit_DLLs.
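To see what the rule actually matches before it goes into a SIEM, it helps to run its selection logic over a handful of sample events. The script below is an added example for this post, not part of the published rule or of the Sigma project: it translates Sigma wildcard values into case-insensitive regexes the way a backend would, applies the corrected selection (key path and value name matched separately) and, for comparison, the original contiguous command-line patterns, to four constructed Sysmon Event ID 1 records. The event records, paths and DLL names are made up for the example; the field names (ParentImage, Image, CommandLine) are the real Sysmon ones.

```python
"""Evaluate the AppInit_DLLs Sigma rule from the post against constructed
Sysmon process-creation (Event ID 1) records, without a SIEM.

Added example; not the original rule's code. Event data below is constructed."""
import re


def sigma_wildcard_to_regex(pattern):
    """Translate a Sigma wildcard value ('*' any run, '?' one char) into an
    anchored, case-insensitive regex. Everything else, including backslashes,
    is escaped so registry paths are matched literally."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE | re.DOTALL)


def field_matches(value, patterns):
    """A field given a list of values matches if ANY value matches (Sigma OR)."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(sigma_wildcard_to_regex(p).match(value or "") for p in patterns)


def selection_matches(event, selection):
    """Every field of a selection map must match (Sigma AND)."""
    return all(field_matches(event.get(f), p) for f, p in selection.items())


# Corrected detection: process context, key path and value name are matched
# as separate substrings, so 'reg add "<key>" /v AppInit_DLLs' is caught.
SELECTION = {
    "ParentImage": ["*\\powershell.exe", "*\\cmd.exe"],
    "Image": "*\\reg.exe",
    "CommandLine": "*\\Microsoft\\Windows NT\\CurrentVersion\\Windows*",
}
VALUE_NAME = {"CommandLine": "*AppInit_DLLs*"}


def rule_fires(event):
    """condition: selection and value_name"""
    return selection_matches(event, SELECTION) and selection_matches(event, VALUE_NAME)


# The originally published CommandLine patterns (typos removed). They require
# key path and value name to be one contiguous string; kept to show the miss.
ORIGINAL_CMDLINE = [
    "*HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs*",
    "*HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs*",
    "*HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs*",
    "*HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs*",
]


def original_rule_fires(event):
    proc = {k: v for k, v in SELECTION.items() if k != "CommandLine"}
    return selection_matches(event, proc) and field_matches(event.get("CommandLine"), ORIGINAL_CMDLINE)


# Constructed Sysmon EID 1 records (not real telemetry).
SAMPLE_EVENTS = {
    # DLL path written into AppInit_DLLs from a cmd.exe shell: should fire.
    "persist_cmd": {
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": r'reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /t REG_SZ /d C:\Users\Public\helper.dll /f',
    },
    # Loader switch enabled from PowerShell via the 32-bit view and long hive name.
    "enable_loader_ps_wow64": {
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "Image": r"C:\Windows\SysWOW64\reg.exe",
        "CommandLine": r"reg add HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows /v LoadAppInit_DLLs /t REG_DWORD /d 1 /f",
    },
    # Same write, but the parent is an installer: outside the rule's scope by design.
    "installer_parent": {
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
        "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": r'reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /t REG_SZ /d C:\Program Files\Vendor\hook.dll /f',
    },
    # reg.exe under cmd.exe touching a nearby but unrelated key: must not fire.
    "unrelated_reg": {
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": r"reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion /v ProductName",
    },
}


def evaluate(events=SAMPLE_EVENTS):
    """Return {event name: (corrected rule fires, original patterns fire)}."""
    return {name: (rule_fires(ev), original_rule_fires(ev)) for name, ev in events.items()}


if __name__ == "__main__":
    for name, (corrected, original) in evaluate().items():
        print(f"{name:24s} corrected={corrected!s:5s} original={original}")
```

Running it shows the two malicious records firing only under the corrected selection, the installer-parent record ignored by both (that scoping decision is the rule's, and the false-positives note is where it is acknowledged), and the unrelated reg query ignored by both. The regex translation is the same step a Sigma backend performs when it emits a query, so if a pattern behaves unexpectedly here it will behave the same way in the SIEM.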