Esc

AppCert DLLs - T1546.009

(ATT&CK® Technique)

Definition

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</code> are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec.

 D3FEND Inferred Relationships
 Browse the D3FEND knowledge graph by clicking on the nodes below.
 
 
  
 
 
       
 
 json

    Model
 −
 Model
 +
  Asset Inventory
  Asset Vulnerability Enumeration
  Container Image Analysis
  Configuration Inventory
  Data Inventory
  Hardware Component Inventory
  Network Node Inventory
  Software Inventory
 
 Network Mapping
  Logical Link Mapping
  Active Logical Link Mapping
  Passive Logical Link Mapping
  Network Traffic Policy Mapping
  Network Vulnerability Assessment
  Physical Link Mapping
  Active Physical Link Mapping
  Direct Physical Link Mapping
 
 Operational Activity Mapping
  Access Modeling
  Operational Dependency Mapping
  Operational Risk Assessment
  Organization Mapping
 
 System Mapping
  Data Exchange Mapping
  Service Dependency Mapping
  System Dependency Mapping
  System Vulnerability Assessment
 
 
  
 Harden
 −
 Harden
 +
  Agent Authentication
  Biometric Authentication
  Certificate-based Authentication
  Multi-factor Authentication
  Password Authentication
  Token-based Authentication
 
 Application Hardening
  Application Configuration Hardening
  Disable Remote Access
  Dead Code Elimination
  Exception Handler Pointer Validation
  Pointer Authentication
  Process Segment Execution Prevention
  Segment Address Offset Randomization
  Stack Frame Canary Validation
 
 Credential Hardening
  Certificate Pinning
  Credential Rotation
  Certificate Rotation
  Password Rotation
  One-time Password
  Strong Password Policy
  Change Default Password
  Token Binding
 
 Message Hardening
  Message Authentication
  Message Encryption
  Transfer Agent Authentication
 
 Platform Hardening
  Bootloader Authentication
  Disk Encryption
  Driver Load Integrity Checking
  File Encryption
  Hardware-based Write Protection
  Physical Enclosure Hardening
  RF Shielding
  Software Update
  System Configuration Permissions
  TPM Boot Integrity
 
 Source Code Hardening
  Credential Scrubbing
  Domain Logic Validation
  Operational Logic Validation
  Integer Range Validation
  Pointer Validation
  Memory Block Start Validation
  Null Pointer Checking
  Reference Nullification
  Trusted Library
  Variable Initialization
  Variable Type Validation
 
 
  
 Detect
 −
 Detect
 +
  File Analysis
  Dynamic Analysis
  Emulated File Analysis
  File Content Analysis
  File Content Rules
  File Hashing
 
 Identifier Analysis
  Homoglyph Detection
  Identifier Activity Analysis
  Identifier Reputation Analysis
  Domain Name Reputation Analysis
  File Hash Reputation Analysis
  IP Reputation Analysis
  URL Reputation Analysis
  URL Analysis
 
 Message Analysis
  Sender MTA Reputation Analysis
  Sender Reputation Analysis
 
 Network Traffic Analysis
  Administrative Network Activity Analysis
  Application Protocol Command Analysis
  Remote Firmware Update Monitoring
  Byte Sequence Emulation
  Certificate Analysis
  Active Certificate Analysis
  Passive Certificate Analysis
  Client-server Payload Profiling
  Connection Attempt Analysis
  DNS Traffic Analysis
  File Carving
  Inbound Session Volume Analysis
  IPC Traffic Analysis
  Network Traffic Community Deviation
  Network Traffic Signature Analysis
  Per Host Download-Upload Ratio Analysis
  Protocol Metadata Anomaly Detection
  Relay Pattern Analysis
  Remote Terminal Session Detection
  RPC Traffic Analysis
 
 Physical Access Monitoring
  Electronic Lock Monitoring
  Motion Sensor Monitoring
  Proximity Sensor Monitoring
  Video Surveillance
 
 Platform Monitoring
  Application Performance Monitoring
  Application Exception Monitoring
  File Integrity Monitoring
  Firmware Behavior Analysis
  Firmware Embedded Monitoring Code
  Firmware Verification
  Peripheral Firmware Verification
  System Firmware Verification
  Operating Mode Monitoring
  Operating System Monitoring
  Endpoint Health Beacon
  Input Device Analysis
  Memory Boundary Tracking
  Scheduled Job Analysis
  System Daemon Monitoring
  System File Analysis
  Service Binary Verification
  System Init Config Analysis
  User Session Init Config Analysis
  Operational Process Monitoring
  Platform Uptime Monitoring
 
 Process Analysis
  Database Query String Analysis
  File Access Pattern Analysis
  Indirect Branch Call Analysis
  Process Code Segment Verification
  Process Self-Modification Detection
  Process Spawn Analysis
  Process Lineage Analysis
  Script Execution Analysis
  Shadow Stack Comparisons
  System Call Analysis
  File Creation Analysis
 
 User Behavior Analysis
  Authentication Event Thresholding
  Authorization Event Thresholding
  Credential Compromise Scope Analysis
  Domain Account Monitoring
  Job Function Access Pattern Analysis
  Local Account Monitoring
  Resource Access Pattern Analysis
  Session Duration Analysis
  User Data Transfer Analysis
  User Geolocation Logon Pattern Analysis
  Web Session Activity Analysis
 
 
  
 Isolate
 −
 Isolate
 +
  Access Mediation
  Credential Transmission Scoping
  IO Port Restriction
  Network Access Mediation
  LAN Access Mediation
  Routing Access Mediation
  Network Resource Access Mediation
  Remote File Access Mediation
  Web Session Access Mediation
  Endpoint-based Web Server Access Mediation
  Proxy-based Web Server Access Mediation
  Operating Mode Restriction
  OT Variable Access Restriction
  Physical Access Mediation
  Physical Locking
  System Call Filtering
  Local File Access Mediation
 
 Access Policy Administration
  Domain Trust Policy
  Local File Permissions
  User Account Permissions
  User Group Permissions
 
 Content Filtering
  Content Modification
  Content Excision
  Content Format Conversion
  Content Rebuild
  Content Substitution
  Content Quarantine
  Content Validation
  File Format Verification
  File Content Decompression Checking
  File Internal Structure Verification
  File Metadata Consistency Validation
  File Metadata Value Verification
  File Magic Byte Verification
 
 Execution Isolation
  Application-based Process Isolation
  Executable Allowlisting
  Executable Denylisting
  Hardware-based Process Isolation
  Kernel-based Process Isolation
 
 Network Isolation
  Broadcast Domain Isolation
  Directional Network Link
  DNS Allowlisting
  DNS Denylisting
  Forward Resolution Domain Denylisting
  Hierarchical Domain Denylisting
  Homoglyph Denylisting
  Forward Resolution IP Denylisting
  Reverse Resolution IP Denylisting
  Encrypted Tunnels
  Network Traffic Filtering
  Inbound Traffic Filtering
  Email Filtering
  Outbound Traffic Filtering
 
 
  
 Deceive
 −
 Deceive
 +
  Decoy Environment
  Connected Honeynet
  Integrated Honeynet
  Standalone Honeynet
 
 Decoy Object
  Decoy File
  Decoy Network Resource
  Decoy Persona
  Decoy Public Release
  Decoy Session Token
  Decoy User Credential
 
 
  
 Evict
 −
 Evict
 +
  Credential Eviction
  Account Locking
  Authentication Cache Invalidation
  Credential Revocation
 
 Object Eviction
  Disk Formatting
  Disk Erasure
  Disk Partitioning
  DNS Cache Eviction
  Domain Registration Takedown
  File Eviction
  Email Removal
  Registry Key Deletion
 
 Process Eviction
  Host Shutdown
  Host Reboot
  Process Suspension
  Process Termination
  Session Termination
 
 
  
 Restore
 −
 Restore
 +
  Restore Access
  Reissue Credential
  Restore Network Access
  Restore User Account Access
  Unlock Account
 
 Restore Object
  Restore Configuration
  Restore Database
  Restore Disk Image
  Restore File
  Restore Email
  Restore Software

  Use of the MITRE D3FEND™ Knowledge Graph and website is subject to the Terms of Use. Use of the MITRE D3FEND website is subject to the MITRE D3FEND Privacy Policy. MITRE D3FEND is funded
    by the National Security Agency (NSA) Cybersecurity Directorate and managed by the National Security Engineering Center (NSEC) which is operated by The MITRE Corporation. MITRE D3FEND; and the MITRE D3FEND logo are trademarks of The MITRE
    Corporation.
    This software was produced for the U. S. Government under Basic Contract No.
    W56KGU-18-D-0004, and is subject to the Rights in Noncommercial Computer
    Software and Noncommercial Computer Software Documentation Clause
    252.227-7014 (FEB 2012) 
© 2025 The MITRE Corporation. 
Approved for Public Release; Distribution Unlimited #20-2338 and #23-1207.