AppInit DLLs

Veramine edited this page Jul 7, 2017 · 4 revisions

DLLs that are specified in the AppInit_DLLs value in the Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program. This value can be abused to obtain persistence by causing a DLL to be loaded into most processes on the computer. More background on this attacker technique is available at https://attack.mitre.org/wiki/Technique/T1103.

Veramine's detection engine detects instances where an application has modified the AppInit DLL registry settings. Here is an example detection:
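The following is an added example of the kind of check the paragraph above describes. It is not Veramine's own detection logic and the log records are constructed; the field names (Image, TargetObject, Details) follow Sysmon's "Registry value set" event (Event ID 13), and the record layout here is an assumed one-line 'Name: value|Name: value' form rather than Sysmon's XML. It watches both the key named above and its Wow6432Node counterpart (the view 32-bit processes get on 64-bit Windows) and, beyond AppInit_DLLs itself, the LoadAppInit_DLLs and RequireSignedAppInit_DLLs values that turn the mechanism on and relax its signing requirement.

```python
"""Flag registry writes that change the AppInit_DLLs mechanism (example detection).

Records are constructed Sysmon-style "Registry value set" events, one per line,
with '|'-separated 'Name: value' fields. Real Sysmon Event ID 13 carries the same
field names (Image, TargetObject, Details) in XML.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# HKLM keys (lower-cased for comparison) that host the AppInit_DLLs mechanism.
# The Wow6432Node path is what 32-bit processes see on 64-bit Windows.
APPINIT_KEYS = {
    r"hklm\software\microsoft\windows nt\currentversion\windows",
    r"hklm\software\wow6432node\microsoft\windows nt\currentversion\windows",
}

# Values under those keys that decide what gets loaded:
#   AppInit_DLLs              - the DLL list itself
#   LoadAppInit_DLLs          - REG_DWORD, 1 enables the mechanism, 0 disables it
#   RequireSignedAppInit_DLLs - REG_DWORD, 0 allows unsigned DLLs to be loaded
WATCHED_VALUES = {"appinit_dlls", "loadappinit_dlls", "requiresignedappinit_dlls"}

# Sysmon renders REG_DWORD data as e.g. "DWORD (0x00000001)".
DWORD_RE = re.compile(r"DWORD \((0x[0-9a-fA-F]+)\)")


@dataclass
class Alert:
    severity: str   # "high", "medium" or "info"
    image: str      # process that performed the write
    value_name: str
    details: str
    reason: str


def parse_record(line: str) -> Dict[str, str]:
    """Split 'Name: value|Name: value' into a dict (constructed log format)."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        name, _, value = part.partition(":")
        fields[name.strip()] = value.strip()
    return fields


def dword_value(details: str) -> Optional[int]:
    """Return the integer in 'DWORD (0x...)' data, or None for non-DWORD data."""
    m = DWORD_RE.search(details)
    return int(m.group(1), 16) if m else None


def classify(fields: Dict[str, str]) -> Optional[Alert]:
    """Return an Alert if the write touches an AppInit value, else None."""
    target = fields.get("TargetObject", "")
    key, _, value_name = target.rpartition("\\")
    if key.lower() not in APPINIT_KEYS or value_name.lower() not in WATCHED_VALUES:
        return None
    image = fields.get("Image", "<unknown>")
    details = fields.get("Details", "")
    name = value_name.lower()
    if name == "appinit_dlls":
        if details:
            return Alert("high", image, value_name, details,
                         "DLL list set; it is loaded into every process that loads user32.dll")
        return Alert("info", image, value_name, details,
                     "DLL list cleared (possible remediation)")
    num = dword_value(details)
    if name == "loadappinit_dlls":
        if num == 1:
            return Alert("high", image, value_name, details, "AppInit mechanism enabled")
        return Alert("info", image, value_name, details, "AppInit mechanism disabled")
    # requiresignedappinit_dlls
    if num == 0:
        return Alert("medium", image, value_name, details, "unsigned AppInit DLLs allowed")
    return Alert("info", image, value_name, details, "signature requirement enabled")


def scan(lines: List[str]) -> List[Alert]:
    """Run classify() over every non-empty record and collect the alerts."""
    return [a for a in (classify(parse_record(l)) for l in lines if l.strip()) if a]


# Constructed sample records: one benign write to the same key, two writes to an
# unrelated key, and four writes that change the AppInit mechanism.
SAMPLE_EVENTS = [
    r"Image: C:\Windows\System32\svchost.exe|TargetObject: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Win32PrioritySeparation|Details: DWORD (0x00000026)",
    r"Image: C:\Users\Public\setup.exe|TargetObject: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs|Details: C:\Users\Public\hook.dll",
    r"Image: C:\Users\Public\setup.exe|TargetObject: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs|Details: DWORD (0x00000001)",
    r"Image: C:\Users\Public\setup.exe|TargetObject: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\RequireSignedAppInit_DLLs|Details: DWORD (0x00000000)",
    r"Image: C:\Windows\explorer.exe|TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater|Details: C:\Tools\updater.exe",
    r"Image: C:\Windows\System32\reg.exe|TargetObject: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs|Details: ",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.image} set {alert.value_name} = {alert.details!r}: {alert.reason}")
```

The unrelated Run key write deliberately produces no alert: it is a different persistence mechanism and belongs to a different rule. Treating a cleared AppInit_DLLs list or a LoadAppInit_DLLs of 0 as informational rather than silent keeps remediation activity visible in the audit trail without raising it to the same level as a new DLL being registered.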