DET0362: Detection Strategy for AppCert DLLs Persistence via Registry Injection
Analyst context for executives and security teams
DET0362 is a MITRE detection strategy for finding persistence or privilege-escalation behavior that abuses Windows AppCert DLL registry configuration. The business issue is that this mechanism can cause a DLL to load into processes that call common process-creation APIs, making it a persistence point that may be easy to miss if registry monitoring and process context are weak.
Executive priority
Treat this as a Windows persistence-control validation item. Leaders should ask whether SOC and incident response teams can prove visibility into sensitive registry locations, especially HKLM Session Manager AppCertDLLs, and whether alerts are tied to a response playbook for unauthorized persistence changes. Because the ATT&CK object provides no official detection text, priority should be based on local Windows criticality, privilege management, and audit requirements rather than assuming existing coverage.
Technical view
The strategy detects ATT&CK technique T1546.009, AppCert DLLs, associated with persistence and privilege escalation on Windows. Detection engineering should validate monitoring for changes to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDLLs and correlate those changes with the process, user, host, and time of modification. IR teams should be ready to determine whether a DLL path configured there is expected, authorized, and present on disk, while avoiding assumptions because the detection-strategy object itself does not include official logic or analytics.
Likely telemetry
- Windows registry modification events for HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDLLs
- Process creation telemetry identifying the process that modified the registry key
- User, logon session, and privilege context for the modifying account
- File metadata and path evidence for DLLs referenced by the registry value
- Endpoint security, EDR, or host audit records that preserve registry and process lineage
Detection direction
- Validate that registry auditing or endpoint telemetry covers the AppCertDLLs key on Windows systems where the related technique is relevant.
- Tune detections around unauthorized creation or modification of values under the AppCertDLLs registry path, with allowlisting for known administrative or software-management activity where locally justified.
- Correlate registry changes with process lineage and user context to distinguish expected configuration activity from suspicious persistence establishment.
- Check for blind spots where registry events are not collected, are filtered before reaching the SIEM, or lack the process/user fields needed for triage.
- Use the related technique context—persistence and privilege escalation—to prioritize changes on high-value Windows servers and privileged workstations.
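The correlation sketched in the detection-direction list, as an added Python example that is not part of the MITRE object or the Glexia page: it matches Sysmon Event ID 13 (registry value set) records against the AppCertDLLs key under any ControlSet alias, suppresses changes from an assumed allowlisted management agent and account, and returns the process, user, host, time and referenced DLL path needed for triage. The sample records and the allowlisted agent path and account are constructed.

```python
import re

# AppCertDLLs key in HKLM/HKEY_LOCAL_MACHINE form, CurrentControlSet or any
# ControlSetNNN alias, matched case-insensitively (registry paths are not case-sensitive).
APPCERT_KEY = re.compile(
    r"^(HKLM|HKEY_LOCAL_MACHINE)\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})"
    r"\\Control\\Session Manager\\AppCertDLLs(\\|$)",
    re.IGNORECASE,
)

# Hypothetical allowlist of (image path, account) pairs permitted to manage the key;
# replace with locally approved software-management tooling.
ALLOWLIST = {
    (r"c:\program files\exampleconfigmgr\cmagent.exe", r"nt authority\system"),
}

def is_appcert_change(event):
    """True when a Sysmon Event ID 13 (value set) record targets AppCertDLLs."""
    return event.get("EventID") == 13 and bool(APPCERT_KEY.match(event.get("TargetObject", "")))

def triage(event):
    """Return an alert with process/user/host context, or None when the record is not an
    AppCertDLLs change or comes from an allowlisted tool running as an allowlisted account."""
    if not is_appcert_change(event):
        return None
    if (event.get("Image", "").lower(), event.get("User", "").lower()) in ALLOWLIST:
        return None
    return {
        "host": event.get("Computer"), "time": event.get("UtcTime"),
        "user": event.get("User"), "process": event.get("Image"),
        "pid": event.get("ProcessId"), "value": event.get("TargetObject"),
        "dll": event.get("Details"),  # DLL path written into the value; verify on disk during IR
    }

# Constructed sample records (not real telemetry) in Sysmon Event ID 13 field layout.
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "srv01", "UtcTime": "2024-01-01 10:00:00", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\reg.exe", "ProcessId": 4242,
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\AppCertDLLs\\helper",
     "Details": "C:\\Users\\Public\\helper.dll"},
    {"EventID": 13, "Computer": "srv01", "UtcTime": "2024-01-01 10:05:00", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Program Files\\ExampleConfigMgr\\cmagent.exe", "ProcessId": 1180,
     "TargetObject": "HKLM\\System\\ControlSet001\\Control\\Session Manager\\AppCertDLLs\\agent",
     "Details": "C:\\Program Files\\ExampleConfigMgr\\hook.dll"},
    {"EventID": 13, "Computer": "srv01", "UtcTime": "2024-01-01 10:06:00", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\reg.exe", "ProcessId": 4243,
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\Environment\\Path",
     "Details": "C:\\Windows"},
]

def run(events=SAMPLE_EVENTS):
    """Apply triage to every record and return only the alerts."""
    return [alert for alert in map(triage, events) if alert]
```

Windows Security event 4657 (registry value modified) can feed the same logic once its object name and subject fields are mapped onto the keys used here.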
Mitigation priorities
- Confirm ownership and approved baseline state for AppCertDLLs registry configuration on relevant Windows assets.
- Restrict administrative rights and registry-write capability to authorized operators and management tooling.
- Maintain endpoint telemetry sufficient to investigate registry persistence changes, including process and account context.
- Include this registry location in configuration compliance checks or threat-hunting baselines where Windows persistence monitoring is in scope.
- Prepare IR procedures for validating referenced DLLs and reversing unauthorized persistence, while preserving evidence.
Analyst notes and limits
The source object is a detection strategy with no official description, no official detection text, and no platforms listed directly. The practical interpretation comes from its stated relationship to T1546.009 AppCert DLLs, which is a Windows technique under persistence and privilege escalation.
This take does not assert active exploitation, attribution, or confirmed detection coverage. Local environment evidence is required to decide which hosts are in scope, what registry changes are legitimate, and whether existing telemetry can support reliable alerting.
Detection Strategy for AppCert DLLs Persistence via Registry Injection
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1546.009 | AppCert DLLs Sub-technique | This object detects AppCert DLLs. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 18f1d90e94a6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0362
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.