Esc

AppCert DLLs - T1546.009

(ATT&CK® Technique)

Definition

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</code> are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec.

 D3FEND Inferred Relationships
 Browse the D3FEND knowledge graph by clicking on the nodes below. 
 
 
  
 
 
         graph LR;

     T1546009["AppCert DLLs"] --> |invokes| CreateProcess["Create Process"]; class T1546009 OffensiveTechniqueNode;
        class CreateProcess ArtifactNode; click CreateProcess href "/dao/artifact/d3f:CreateProcess";
        click T1546009 href "/offensive-technique/attack/T1546.009/"; click CreateProcess href "/dao/artifact/d3f:CreateProcess"; T1546009["AppCert DLLs"] --> |modifies| SystemConfigurationDatabaseRecord["System Configuration Database Record"]; class T1546009 OffensiveTechniqueNode;
        class SystemConfigurationDatabaseRecord ArtifactNode; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord";
        click T1546009 href "/offensive-technique/attack/T1546.009/"; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord"; T1546009["AppCert DLLs"] --> |loads| SharedLibraryFile["Shared Library File"]; class T1546009 OffensiveTechniqueNode;
        class SharedLibraryFile ArtifactNode; click SharedLibraryFile href "/dao/artifact/d3f:SharedLibraryFile";
        click T1546009 href "/offensive-technique/attack/T1546.009/"; click SharedLibraryFile href "/dao/artifact/d3f:SharedLibraryFile";                                       FileEviction["File Eviction"] -->
          | deletes | SharedLibraryFile["Shared Library File"];

          FileEviction["File Eviction"] -.->
            | may-evict | T1546009["AppCert DLLs"] ;
          class FileEviction DefensiveTechniqueNode;
          class SharedLibraryFile ArtifactNode;
          click FileEviction href "/technique/d3f:FileEviction";              DecoyFile["Decoy File"] -->
          | spoofs | SharedLibraryFile["Shared Library File"];

          DecoyFile["Decoy File"] -.->
            | may-deceive | T1546009["AppCert DLLs"] ;
          class DecoyFile DefensiveTechniqueNode;
          class SharedLibraryFile ArtifactNode;
          click DecoyFile href "/technique/d3f:DecoyFile";              SystemCallAnalysis["System Call Analysis"] -->
          | analyzes | CreateProcess["Create Process"];

          SystemCallAnalysis["System Call Analysis"] -.->
            | may-detect | T1546009["AppCert DLLs"] ;
          class SystemCallAnalysis DefensiveTechniqueNode;
          class CreateProcess ArtifactNode;
          click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis"; ProcessSpawnAnalysis["Process Spawn Analysis"] -->
          | analyzes | CreateProcess["Create Process"];

          ProcessSpawnAnalysis["Process Spawn Analysis"] -.->
            | may-detect | T1546009["AppCert DLLs"] ;
          class ProcessSpawnAnalysis DefensiveTechniqueNode;
          class CreateProcess ArtifactNode;
          click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis";                     SystemCallFiltering["System Call Filtering"] -->
          | filters | CreateProcess["Create Process"];

          SystemCallFiltering["System Call Filtering"] -.->
            | may-isolate | T1546009["AppCert DLLs"] ;
          class SystemCallFiltering DefensiveTechniqueNode;
          class CreateProcess ArtifactNode;
          click SystemCallFiltering href "/technique/d3f:SystemCallFiltering";                    FileIntegrityMonitoring["File Integrity Monitoring"] -->
          | analyzes | SharedLibraryFile["Shared Library File"];

          FileIntegrityMonitoring["File Integrity Monitoring"] -.->
            | may-detect | T1546009["AppCert DLLs"] ;
          class FileIntegrityMonitoring DefensiveTechniqueNode;
          class SharedLibraryFile ArtifactNode;
          click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring";              ExecutableDenylisting["Executable Denylisting"] -->
          | filters | CreateProcess["Create Process"];

          ExecutableDenylisting["Executable Denylisting"] -.->
            | may-isolate | T1546009["AppCert DLLs"] ;
          class ExecutableDenylisting DefensiveTechniqueNode;
          class CreateProcess ArtifactNode;
          click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; FileEncryption["File Encryption"] -->
          | encrypts | SharedLibraryFile["Shared Library File"];

          FileEncryption["File Encryption"] -.->
            | may-harden | T1546009["AppCert DLLs"] ;
          class FileEncryption DefensiveTechniqueNode;
          class SharedLibraryFile ArtifactNode;
          click FileEncryption href "/technique/d3f:FileEncryption";                         ExecutableAllowlisting["Executable Allowlisting"] -->
          | filters | CreateProcess["Create Process"];

          ExecutableAllowlisting["Executable Allowlisting"] -.->
            | may-isolate | T1546009["AppCert DLLs"] ;
          class ExecutableAllowlisting DefensiveTechniqueNode;
          class CreateProcess ArtifactNode;
          click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -->
          | restricts | CreateProcess["Create Process"];

          Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.->
            | may-isolate | T1546009["AppCert DLLs"] ;
          class Hardware-basedProcessIsolation DefensiveTechniqueNode;
          class CreateProcess ArtifactNode;
          click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation";                             LocalFilePermissions["Local File Permissions"] -->
          | restricts | SharedLibraryFile["Shared Library File"];

          LocalFilePermissions["Local File Permissions"] -.->
            | may-isolate | T1546009["AppCert DLLs"] ;
          class LocalFilePermissions DefensiveTechniqueNode;
          class SharedLibraryFile ArtifactNode;
          click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";                            RestoreFile["Restore File"] -->
          | restores | SharedLibraryFile["Shared Library File"];

          RestoreFile["Restore File"] -.->
            | may-restore | T1546009["AppCert DLLs"] ;
          class RestoreFile DefensiveTechniqueNode;
          class SharedLibraryFile ArtifactNode;
          click RestoreFile href "/technique/d3f:RestoreFile"; RestoreConfiguration["Restore Configuration"] -->
          | restores | SystemConfigurationDatabaseRecord["System Configuration Database Record"];

          RestoreConfiguration["Restore Configuration"] -.->
            | may-restore | T1546009["AppCert DLLs"] ;
          class RestoreConfiguration DefensiveTechniqueNode;
          class SystemConfigurationDatabaseRecord ArtifactNode;
          click RestoreConfiguration href "/technique/d3f:RestoreConfiguration";                           FileAnalysis["File Analysis"] -->
          | analyzes | SharedLibraryFile["Shared Library File"];

          FileAnalysis["File Analysis"] -.->
            | may-detect | T1546009["AppCert DLLs"] ;
          class FileAnalysis DefensiveTechniqueNode;
          class SharedLibraryFile ArtifactNode;
          click FileAnalysis href "/technique/d3f:FileAnalysis"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
          | isolates | SharedLibraryFile["Shared Library File"];

          RemoteFileAccessMediation["Remote File Access Mediation"] -.->
            | may-isolate | T1546009["AppCert DLLs"] ;
          class RemoteFileAccessMediation DefensiveTechniqueNode;
          class SharedLibraryFile ArtifactNode;
          click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";                           
      
 
 
 json

  Use of the MITRE D3FEND™ Knowledge Graph and website is subject to the Terms of Use. Use of the MITRE D3FEND website is subject to the
    MITRE D3FEND Privacy Policy. MITRE D3FEND is funded
    by the
    National Security Agency
    (NSA)
    Cybersecurity Directorate
    and managed by the
    National Security Engineering Center
    (NSEC) which is operated by
    The MITRE Corporation. MITRE D3FEND; and the MITRE D3FEND logo are trademarks of The MITRE
    Corporation. MITRE ATT&CK® and ATT&CK® are registered trademarks of
    The MITRE Corporation. MITRE ATT&CK content is subject to the MITRE ATT&CK
    terms of use.
    This software was produced for the U. S. Government under Basic Contract No.
    W56KGU-18-D-0004, and is subject to the Rights in Noncommercial Computer
    Software and Noncommercial Computer Software Documentation Clause
    252.227-7014 (FEB 2012)
    
© 2025 The MITRE Corporation.
    
Approved for Public Release; Distribution Unlimited #20-2338 and #23-1207.