AppCert DLLs - T1546.009 (7d57b371-10c2-45e5-b3cc-83a8fb380e4c)
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. (Citation: Elastic Process Injection July 2017)
Similar to Process Injection, this value can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. Malicious AppCert DLLs may also provide persistence by continuously being triggered by API activity.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) | Attack Pattern | AppCert DLLs - T1546.009 (7d57b371-10c2-45e5-b3cc-83a8fb380e4c) | Attack Pattern | 1 |