HUNTS- AppInit DLLs (T1103)
Version 1.0
ATT&CK Technique: AppInit DLLs (T1103)
What this playbook hunts for:
- Additions and modifications to the AppInit DLLs registry values. Any DLL listed in AppInit_DLLs is loaded into every process that loads user32.dll, which gives an attacker both persistence and an execution mechanism.
How the playbook works:
- Generates a SIEM query for Sysmon Event ID 12 and 13 logs in which the AppInit DLLs registry value is added, modified or deleted
What results are expected:
- Name, process ID, and path of the process modifying the AppInit DLLs registry value
- AppInit DLLs registry value that was added/modified
- AppInit DLLs registry value modification time
- Hostname of the computer where the AppInit DLLs registry value was modified
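As an added illustration of the "How the playbook works" and "What results are expected" sections (not part of the original playbook), the following Python filters Sysmon Event ID 12/13 events for the two AppInit_DLLs value paths and pulls out the fields the hunt reports. The event XML, hostname, process and DLL path are constructed samples, and the prefix match mirrors Sysmon's case-insensitive "begin with" condition.

```python
import xml.etree.ElementTree as ET

# The two registry values the hunt watches (native and WOW64 views), matched as a
# case-insensitive prefix the way Sysmon's "begin with" condition does.
APPINIT_PREFIXES = (
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
    r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
)
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_event(xml_text):
    # Flatten one Sysmon event: EventID, Computer and every EventData field by name.
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {"EventID": system.findtext("e:EventID", namespaces=NS),
              "Computer": system.findtext("e:Computer", namespaces=NS)}
    for d in root.find("e:EventData", NS):
        fields[d.get("Name")] = d.text or ""
    return fields

def is_appinit_target(target_object):
    t = target_object.lower()
    return any(t.startswith(p.lower()) for p in APPINIT_PREFIXES)

def hunt_appinit(events):
    # Keep Event ID 12 (create/delete) and 13 (value set) hits on the AppInit_DLLs
    # values and return the fields the playbook reports; ID 12 carries no Details.
    hits = []
    for ev in map(parse_event, events):
        if ev["EventID"] in ("12", "13") and is_appinit_target(ev.get("TargetObject", "")):
            hits.append({"host": ev["Computer"], "time": ev["UtcTime"], "process": ev["Image"],
                         "pid": int(ev["ProcessId"]), "event": ev["EventType"],
                         "key": ev["TargetObject"], "value": ev.get("Details", "")})
    return hits

def sample_event(event_id, event_type, target, details=None):
    # Constructed Sysmon event XML for testing; not captured from a real host.
    data = [("EventType", event_type), ("UtcTime", "2024-01-15 10:22:31.123"),
            ("ProcessId", "4412"), ("Image", r"C:\Windows\regedit.exe"), ("TargetObject", target)]
    if details is not None:
        data.append(("Details", details))
    body = "".join(f'<Data Name="{n}">{v}</Data>' for n, v in data)
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>WKS01.corp.example</Computer></System><EventData>{body}</EventData></Event>')

SAMPLE_EVENTS = [
    sample_event(13, "SetValue", APPINIT_PREFIXES[0], r"C:\ProgramData\hook.dll"),
    sample_event(13, "SetValue", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run\Updater", r"C:\u.exe"),
    sample_event(12, "DeleteValue", APPINIT_PREFIXES[1].lower()),
]
```

Running `hunt_appinit(SAMPLE_EVENTS)` returns two rows (the Run key write is ignored): the SetValue hit with the DLL path in `value`, and the WOW64 DeleteValue hit, matched despite its lowercase path, with an empty `value`.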
Common follow-on actions:
- Acquire forensic image
- Sandbox file
- Get running processes
- Get network connections
- Quarantine host
What inputs are necessary:
- SIEM
- Logs: Sysmon Event ID 12: RegistryEvent (Object create and delete)
- Logs: Sysmon Event ID 13: RegistryEvent (Value Set)
- Hunt start time
What subroutine playbooks are needed:
- Create and Link Alerts from Hunt (Host-based)
What configurations are needed:
- Sysmon logging enabled with the following added to the configuration file under the SYSMON EVENT ID 12 & 13 & 14 section. The TargetObject is the AppInit_DLLs value itself, so the path must not end in a backslash: with a trailing backslash, the "begin with" condition would never match the value's path and no events would be logged.
<RegistryEvent onmatch="include">
  <!-- AppInit_DLLs value, native (64-bit) view -->
  <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs</TargetObject>
  <!-- AppInit_DLLs value, 32-bit (Wow6432Node) view -->
  <TargetObject condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs</TargetObject>
</RegistryEvent>
False Positive Potential: Low
- AppInit DLL functionality is disabled on most systems with Windows 8 and later.
