New DLL Added to AppCertDlls Registry Key

Rule name: New DLL Added to AppCertDlls Registry Key

Rule type: Standard

Log sources: Windows, Sysmon

MITRE ATT&CK tags: Persistence: Event Triggered Execution - AppCert DLLs (T1546.009); Privilege Escalation: Event Triggered Execution - AppCert DLLs (T1546.009)

Severity: Critical

About the rule

Rule Type

Standard

Rule Description

Detects the addition of a new DLL to the AppCertDlls registry key. DLLs specified in this key are loaded by every process that calls Win32 API functions such as CreateProcess or WinExec.

Why this rule?

This registry modification enables persistent code execution by forcing every process to load a malicious DLL, giving attackers widespread system access. The AppCertDlls technique is a known persistence mechanism that can survive reboots and affect all applications. Detecting this change is critical as it indicates an attacker has already gained elevated privileges and is establishing long-term access.

Severity

Trouble

Rule journey

Attack chain scenario

Execution → Persistence → Registry Modification (AppCertDlls) → DLL Injection → Widespread Code Execution.

Impact

Establishment of widespread persistence across the operating system and code execution within the context of other applications.

Rule Requirement

Prerequisites

Enable Registry auditing for the path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls.

Criteria

Action1: actionname = "Registry Event" AND (OBJECTNAME contains "\Session Manager\AppCertDlls") select Action1.HOSTNAME,Action1.MESSAGE,Action1.PROCESSNAME,Action1.OBJECTNAME,Action1.OBJECTVALUENAME,Action1.ACCESSES,Action1.USERNAME,Action1.DOMAIN,Action1.PREVVAL,Action1.CHANGES,Action1.INFORMATION
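The criteria above, expressed as a small Python check and run over constructed sample events. This is an added example, not part of the original rule page and not the rule engine's own code. The field names follow the query (actionname, OBJECTNAME, OBJECTVALUENAME, CHANGES and the rest of the select list); the event records, host names, file paths and the vendor allowlist are assumptions made for illustration, and the key-path match is done case-insensitively because registry key names are case-insensitive (the example's choice, not something the page states).

```python
"""Added example (not part of the original rule page): the rule's criteria
applied in Python to constructed registry-event records. Hosts, users, paths
and the allowlist below are made up for illustration."""
from dataclasses import dataclass

APPCERT_KEY_FRAGMENT = r"\Session Manager\AppCertDlls"

# Columns from the query's "select ..." clause.
SELECTED_FIELDS = ("HOSTNAME", "MESSAGE", "PROCESSNAME", "OBJECTNAME",
                   "OBJECTVALUENAME", "ACCESSES", "USERNAME", "DOMAIN",
                   "PREVVAL", "CHANGES", "INFORMATION")

# Constructed sample events: two AppCertDlls writes (one dropped under
# C:\Users\Public, one from a hypothetical EDR vendor), one unrelated registry
# write, and one non-registry event that merely mentions the key path.
SAMPLE_EVENTS = [
    {"actionname": "Registry Event", "HOSTNAME": "ws01", "USERNAME": "SYSTEM",
     "DOMAIN": "NT AUTHORITY", "PROCESSNAME": r"C:\Windows\System32\reg.exe",
     "OBJECTNAME": r"HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls",
     "OBJECTVALUENAME": "updater", "PREVVAL": "", "CHANGES": r"C:\Users\Public\updater.dll",
     "ACCESSES": "Write", "MESSAGE": "Registry value set", "INFORMATION": ""},
    {"actionname": "Registry Event", "HOSTNAME": "ws01", "USERNAME": "alice",
     "DOMAIN": "CORP", "PROCESSNAME": r"C:\Windows\explorer.exe",
     "OBJECTNAME": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "OBJECTVALUENAME": "Hidden", "PREVVAL": "1", "CHANGES": "2",
     "ACCESSES": "Write", "MESSAGE": "Registry value set", "INFORMATION": ""},
    {"actionname": "Process Create", "HOSTNAME": "ws01", "USERNAME": "alice",
     "DOMAIN": "CORP", "PROCESSNAME": r"C:\Windows\System32\reg.exe",
     "OBJECTNAME": "", "OBJECTVALUENAME": "", "PREVVAL": "", "CHANGES": "",
     "ACCESSES": "", "INFORMATION": "",
     "MESSAGE": r'reg query "HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls"'},
    {"actionname": "Registry Event", "HOSTNAME": "srv02", "USERNAME": "SYSTEM",
     "DOMAIN": "NT AUTHORITY", "PROCESSNAME": r"C:\Program Files\VendorEDR\setup.exe",
     # Security-log (event 4657) style object path rather than the Sysmon HKLM\ form.
     "OBJECTNAME": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls",
     "OBJECTVALUENAME": "VendorHook", "PREVVAL": "", "CHANGES": r"C:\Program Files\VendorEDR\hook.dll",
     "ACCESSES": "Write", "MESSAGE": "Registry value set", "INFORMATION": ""},
]

# Constructed allowlist for the rule's known false positive: security or
# monitoring software that legitimately registers an AppCertDlls entry.
KNOWN_GOOD_DLLS = {r"c:\program files\vendoredr\hook.dll"}


def matches_rule(event: dict) -> bool:
    """The page's criteria: a Registry Event whose object name contains the
    AppCertDlls key path (compared case-insensitively here)."""
    return (event.get("actionname") == "Registry Event"
            and APPCERT_KEY_FRAGMENT.lower() in str(event.get("OBJECTNAME", "")).lower())


def select_fields(event: dict) -> dict:
    """The 'select ...' projection from the criteria."""
    return {f: event.get(f, "") for f in SELECTED_FIELDS}


@dataclass
class Alert:
    hostname: str
    user: str
    process: str
    value_name: str
    dll_path: str
    allowlisted: bool


def run_rule(events, known_good=KNOWN_GOOD_DLLS) -> list:
    """Apply the criteria and turn each hit into an Alert. For a value-set
    event CHANGES carries the new value data, i.e. the DLL path."""
    alerts = []
    for ev in events:
        if not matches_rule(ev):
            continue
        row = select_fields(ev)
        dll = str(row["CHANGES"])
        alerts.append(Alert(row["HOSTNAME"], f'{row["DOMAIN"]}\\{row["USERNAME"]}',
                            row["PROCESSNAME"], row["OBJECTVALUENAME"], dll,
                            dll.lower() in known_good))
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```

Running the file prints two alerts: the unrelated HKCU write and the reg.exe process-creation event are filtered out, while the vendor DLL is still reported but flagged as allowlisted so an analyst can see the known false positive without losing the record of the write.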

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Persistence: Event Triggered Execution - AppCert DLLs (T1546.009), Privilege Escalation: Event Triggered Execution - AppCert DLLs (T1546.009)

Author

@Ilyas Ochkov, oscd.community

Future actions

Known False Positives

Legitimate security software or specialized enterprise monitoring tools that use AppCertDlls for process monitoring.

Next Steps

  1. Identification: Identify the DLL file path added to the registry key.
  2. Analysis: Locate the file on disk and check its hash/signature.
  3. Response: Remove the registry value and quarantine the DLL if unauthorized.
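The three steps above as a triage helper in Python; this is an added example, not part of the original rule page. It takes the DLL path recorded in the alert, expands Windows-style %VARIABLES%, locates and hashes the file, compares the hash with a known-good set, and drafts the registry clean-up command for the response step. The fake DLL, the environment mapping, the known-good hash set and the "protected directory" heuristic are constructed for the demonstration; Authenticode signature checking is left to Windows tooling and is not attempted here.

```python
"""Added example (not from the original rule page): triage helper for the
Identification / Analysis / Response steps. Everything it reads is
constructed inside demo(); nothing is written to a real registry."""
import hashlib
import os
import re
import tempfile

APPCERT_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls"
# Example heuristic: where a legitimate AppCertDlls entry is expected to live.
PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def expand_windows_vars(path: str, env: dict) -> str:
    """Expand %NAME% references with the supplied mapping (names are case-insensitive)."""
    upper = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: upper.get(m.group(1).upper(), m.group(0)), path)


def to_local(win_path: str) -> str:
    """Map the registry's backslash path to this host's separator so the
    check also runs on a non-Windows analysis box (no-op on Windows)."""
    return win_path.replace("\\", os.sep)


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(value_name: str, dll_value: str, env: dict, known_good_hashes: set) -> dict:
    """1. identify the path, 2. analyse the file, 3. draft the response."""
    win_path = expand_windows_vars(dll_value, env)
    result = {"value_name": value_name, "path": win_path, "sha256": None,
              "verdict": None, "notes": [], "remediation": None}
    local = to_local(win_path)
    if not os.path.isfile(local):
        result["verdict"] = "missing"
        result["notes"].append("file not found on disk; entry may be stale or already cleaned")
    else:
        result["sha256"] = sha256_of(local)
        if result["sha256"] in known_good_hashes:
            result["verdict"] = "allowlisted"
        else:
            result["verdict"] = "suspicious"
            if not win_path.lower().replace("/", "\\").startswith(PROTECTED_PREFIXES):
                result["notes"].append("DLL lives outside protected program directories")
    if result["verdict"] != "allowlisted":
        # Response step: command to remove the value on the host once the
        # entry is confirmed unauthorised (reg.exe delete syntax).
        result["remediation"] = f'reg delete "{APPCERT_KEY}" /v "{value_name}" /f'
    return result


def demo() -> dict:
    """Run the triage against a constructed fake DLL in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        fake_dll = os.path.join(tmp, "updater.dll")
        with open(fake_dll, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62 + b"constructed fake DLL for the example")
        env = {"DROPDIR": tmp}                 # stands in for %SystemRoot%-style variables
        known_good = {sha256_of(fake_dll)}     # pretend the vendor published this hash
        return {
            "unknown": triage("updater", r"%DROPDIR%\updater.dll", env, set()),
            "known": triage("VendorHook", fake_dll, env, known_good),
            "missing": triage("ghost", r"%DROPDIR%\gone.dll", env, set()),
        }


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r["verdict"], r["sha256"], r["notes"], r["remediation"])
```

The verdicts are deliberately coarse: "allowlisted" suppresses the remediation, "missing" still drafts it because a dangling AppCertDlls value is worth removing, and "suspicious" adds a note when the DLL sits outside the usual program directories, which is the pattern in the first alert of the Criteria section.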

Mitigation

ID: M1038

Mitigation: Execution Prevention

Description: Adversaries install new AppCertDLL binaries to execute this technique. Identify and block potentially malicious software executed through AppCertDLLs functionality by using application control [3] tools, like Windows Defender Application Control [4], AppLocker [5][6], or Software Restriction Policies [7] where appropriate. [8]