AppCert DLLs (T1546.009)

Information

• Name: AppCert DLLs

• ID: T1546.009

• Tactics: ,

• Technique:

Introduction

AppCert DLLs (T1546.009) is a sub-technique within the MITRE ATT&CK framework under the broader technique of Event Triggered Execution (T1546). It involves adversaries abusing the AppCert DLLs registry keys in Windows operating systems to establish persistence and execute malicious payloads. Windows AppCert DLLs are legitimate features designed to load DLLs into processes for application compatibility purposes. Attackers exploit these registry keys to insert malicious DLL references, causing the targeted DLLs to load every time certain applications execute, thereby gaining persistent execution capabilities and evading detection.

Deep Dive Into Technique

AppCert DLLs are part of Microsoft's Application Compatibility infrastructure, which allows DLLs to be loaded automatically into processes to ensure compatibility with older applications. These DLLs are specified in the Windows Registry under the following path:

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDLLs

When a process is started, Windows checks this registry key and loads any DLLs listed there into the process. Attackers exploit this functionality by:

• Creating or modifying entries under the AppCertDLLs registry key to reference malicious DLL files.

• Placing malicious DLL files in locations accessible to the targeted processes.

• Triggering execution of legitimate processes, causing the malicious DLLs to load automatically.

Technical details and execution methods include:

• Registry Modification: Attackers must have administrative privileges to modify the AppCertDLLs registry key. Once modified, the attacker-defined DLL is loaded into every process that calls certain Windows APIs, such as CreateProcess, WinExec, or LoadLibrary.

• DLL Placement: Malicious DLLs are typically placed in locations like %SystemRoot%\System32\, %SystemRoot%\SysWOW64\, or other directories included in the system's DLL search path.

• Execution Trigger: Legitimate system binaries and applications, when executed, trigger loading of the malicious DLL, providing attackers with persistence and execution capabilities.

• Stealth and Evasion: This technique leverages legitimate Windows functionality, making detection challenging and allowing attackers to maintain long-term persistence without raising suspicion.

When this Technique is Usually Used

Attackers typically deploy the AppCert DLLs technique in the following scenarios and stages of an attack:

• Persistence: After initial compromise, attackers leverage AppCert DLLs to maintain persistent access across system reboots and user logins.

• Privilege Escalation and Lateral Movement: Attackers with administrative privileges can use AppCert DLLs to escalate privileges or move laterally by ensuring their code executes in the context of privileged processes.

• Defense Evasion: The legitimate nature of AppCert DLLs makes detection difficult, allowing attackers to evade endpoint security solutions and monitoring tools.

• Long-term Operations: Attackers aiming for prolonged network presence may choose this technique due to its stealthy nature and difficulty in detection and attribution.

How this Technique is Usually Detected

Detection of AppCert DLLs abuse involves monitoring and analyzing various system components and behaviors, including:

• Registry Monitoring:

  • Track modifications to the registry key:

    Copy

    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDLLs

  • Tools such as Sysinternals Autoruns, Windows Registry auditing, and endpoint detection and response (EDR) solutions can detect suspicious entries.

• File System Monitoring:

  • Monitor creation, modification, or placement of DLL files in system directories (System32, SysWOW64) or other unusual locations.

  • Use file integrity monitoring (FIM) tools to detect unauthorized DLL additions or changes.

• Process Monitoring:

  • Observe process creation events and DLL loading behaviors.

  • Tools such as Sysmon, Process Monitor (Procmon), and EDR tools can provide visibility into abnormal DLL loading activities.

• Behavioral Analysis:

  • Analyze unusual process behaviors, unexpected DLL loads, and abnormal API calls.

  • Endpoint security solutions and security information and event management (SIEM) systems can correlate behaviors to identify malicious activity.

Indicators of Compromise (IoCs):

• Suspicious entries under the registry key:

  Copy

  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDLLs

• DLL files appearing in unusual directories or with suspicious names.

• Unexpected DLL loading events into legitimate processes.

Why it is Important to Detect This Technique

Early detection of AppCert DLLs abuse is crucial due to the following potential impacts:

• Persistent Malware Presence: Attackers using this technique can maintain persistent access to systems, surviving reboots, and user logoffs, resulting in long-term compromise.

• Privilege Escalation and Lateral Movement: Malicious DLLs loaded into privileged processes can allow attackers to escalate privileges, move laterally, and compromise multiple systems across a network.

• Stealth and Evasion: The legitimate nature of AppCert DLLs complicates detection, allowing attackers to remain undetected for extended periods, increasing the risk of data exfiltration, espionage, or sabotage.

• Data Theft and Espionage: Persistent malicious DLLs can facilitate data exfiltration, credential harvesting, and espionage activities.

• System Stability and Integrity: Unauthorized DLLs loaded into critical processes can disrupt system stability, degrade performance, or cause crashes, affecting productivity and operations.

Early identification and remediation of AppCert DLLs abuse help mitigate these risks, reduce attacker dwell time, and prevent further compromise and damage.

Examples

Real-world examples demonstrating the abuse of AppCert DLLs include:

• Operation Cloud Hopper (APT10):

  • Attackers leveraged AppCert DLLs to maintain persistence and execute malicious payloads within compromised managed service provider (MSP) environments.

  • Malicious DLLs were placed in system directories and referenced via the AppCertDLLs registry key, enabling persistent execution and stealthy operation.

  • Impact included long-term espionage, data theft, and persistent access to sensitive client networks.

• FIN7 Cybercrime Group:

  • FIN7 attackers have used AppCert DLLs in targeted campaigns against retail, hospitality, and financial institutions.

  • Malicious DLLs loaded via AppCertDLLs registry entries facilitated persistent access, credential theft, and lateral movement.

  • Resulted in significant financial losses, data breaches, and compromised systems.

• Carbanak/Anunak Malware:

  • Sophisticated cybercriminal groups used AppCert DLLs to load malicious DLLs into legitimate banking applications.

  • Enabled persistent access, credential harvesting, and large-scale financial fraud operations.

  • Impact included millions of dollars stolen from financial institutions worldwide.

These examples illustrate the effectiveness, stealth, and severe impact of AppCert DLLs abuse in real-world cyberattacks, highlighting the necessity for proactive detection, monitoring, and response.