MITRE ATT&CK® Technique

T1546.009: AppCert DLLs

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. [1]

Similar to Process Injection, this value can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. Malicious AppCert DLLs may also provide persistence by continuously being triggered by API activity.

Enterprise | T1546.009 | Sub-technique | Object v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

AppCert DLLs is a Windows persistence and privilege-escalation behavior where a registry-configured DLL can be loaded into processes that use common process-creation APIs. For leaders, the practical risk is that a small autorun-style registry change can make routine process activity repeatedly execute untrusted code, so coverage depends on registry visibility, DLL load visibility, and execution-prevention controls.

Executive priority

Treat this as a Windows endpoint and server resilience issue. Security leaders should ask whether teams can prove monitoring of the AppCertDLLs registry location, identify the DLLs referenced there, and enforce controls that prevent unauthorized code from running. It is especially relevant to incident response readiness because persistence may be triggered repeatedly by normal process creation rather than by an obvious scheduled job or service.

Technical view

This is a sub-technique of Event Triggered Execution for Windows under persistence and privilege escalation. Defenders should validate monitoring for changes under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDLLs, correlate referenced DLL paths with file creation or modification activity, and review module-load telemetry in processes that execute after the registry value is present. ATT&CK does not provide official detection text for this object, but the supplied relationship to DET0362 indicates a detection strategy focused on AppCert DLL persistence via registry injection. T1182 is revoked by this object, so current analytics and reporting should use T1546.009.

Likely telemetry

  • Windows Registry auditing or EDR registry events for creation, modification, or deletion of AppCertDLLs values
  • Endpoint file telemetry for DLLs referenced by the AppCertDLLs registry key
  • Process and module-load telemetry showing DLLs loaded into process contexts
  • Autoruns or startup-extension inventory output capable of listing AppCertDlls entries
  • Execution-prevention or application-control logs for blocked or allowed DLL execution

Detection direction

  • Baseline whether AppCertDLLs is normally used in the environment; unexpected values in this key should be high-priority for review.
  • Correlate registry changes with the user, process, host, and DLL path responsible for the change.
  • Tune for false positives from legitimate administrative or diagnostic tooling, but require clear ownership and business justification for any AppCertDLLs entry.
  • Validate that EDR or Windows logging retains enough registry and module-load detail to reconstruct persistence during incident response.
  • Use the DET0362 relationship as a prompt to implement or review a dedicated analytic for AppCert DLL registry injection.
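The inventory-and-correlation pass described in the technical view, the likely-telemetry list and the detection-direction bullets above, as an added PowerShell example; it is not code from the Glexia page or from MITRE. It assumes it runs elevated on the host being reviewed, that the baseline allowlist file path is a hypothetical local convention (one approved SHA256 per line), and that Sysmon is installed with its default Operational log name and current Event ID 13 field names (Image, TargetObject, Details, User).

```powershell
# Added example (not from the page): inventory AppCertDlls values, enrich each
# referenced DLL, compare against a baseline, then pull the registry-write events
# that put the values there. Run as an administrator.

$KeyPath      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
$BaselinePath = 'C:\ProgramData\SecBaseline\appcertdlls-allow.txt'   # hypothetical allowlist, one SHA256 per line

# Load approved hashes; an absent or empty baseline means every entry is reported as UNEXPECTED.
$Approved = @()
if (Test-Path -LiteralPath $BaselinePath) {
    $Approved = Get-Content -LiteralPath $BaselinePath |
        Where-Object { $_ -match '^[0-9A-Fa-f]{64}$' } |
        ForEach-Object { $_.ToUpperInvariant() }
}

$Findings = @()
if (Test-Path -LiteralPath $KeyPath) {
    $Key = Get-Item -LiteralPath $KeyPath
    foreach ($Name in $Key.GetValueNames()) {
        # GetValue expands REG_EXPAND_SZ data (%SystemRoot% and friends) before we resolve the file.
        $DllPath = [string]$Key.GetValue($Name)
        $Finding = [ordered]@{
            ValueName = if ($Name -eq '') { '(Default)' } else { $Name }
            ValueKind = $Key.GetValueKind($Name)
            DllPath   = $DllPath
            Exists    = Test-Path -LiteralPath $DllPath -PathType Leaf
            SHA256    = $null
            Signature = 'n/a'
            Signer    = $null
            Status    = 'UNEXPECTED'
        }
        if ($Finding.Exists) {
            $Finding.SHA256    = (Get-FileHash -LiteralPath $DllPath -Algorithm SHA256).Hash
            $Sig               = Get-AuthenticodeSignature -LiteralPath $DllPath
            $Finding.Signature = $Sig.Status.ToString()
            $Finding.Signer    = $Sig.SignerCertificate.Subject   # $null when unsigned
            if ($Approved -contains $Finding.SHA256) { $Finding.Status = 'BASELINED' }
        } else {
            # A value pointing at a missing file still proves someone wrote to the key.
            $Finding.Status = 'DANGLING'
        }
        $Findings += [pscustomobject]$Finding
    }
}

if ($Findings.Count -eq 0) {
    Write-Output "No AppCertDlls values present on $env:COMPUTERNAME (the normal state on most hosts)."
} else {
    $Findings | Format-Table -AutoSize
}

# Correlate the registry change with user, process and host: Sysmon Event ID 13
# (RegistryEvent, Value Set). Get-WinEvent throws when no events match, hence the try/catch.
try {
    $Events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13 } -ErrorAction Stop |
        Where-Object { $_.Message -match 'Session Manager\\AppCertDlls' }
    foreach ($Ev in $Events) {
        $X = [xml]$Ev.ToXml()
        $D = @{}
        foreach ($Node in $X.Event.EventData.Data) { $D[$Node.Name] = $Node.'#text' }
        [pscustomobject]@{
            Host         = $Ev.MachineName
            Time         = $Ev.TimeCreated
            User         = $D['User']
            WritingImage = $D['Image']
            TargetObject = $D['TargetObject']
            Details      = $D['Details']
        }
    }
} catch {
    Write-Warning "No Sysmon registry events available: $($_.Exception.Message)"
}
```

Run the same script across a fleet with Invoke-Command to answer the "which hosts are affected" question; the hash and signer columns are what you feed into the baseline and into the ticket when an entry turns out to be legitimate tooling.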

Mitigation priorities

  • Prioritize execution prevention for unauthorized or untrusted code, consistent with ATT&CK mitigation M1038.
  • Restrict administrative ability to modify sensitive HKLM Session Manager registry locations.
  • Maintain inventory and periodic review of autorun-style persistence locations, including AppCertDLLs.
  • During response, identify the registry value, validate the referenced DLL, determine affected hosts, and remove unauthorized persistence only after preserving evidence.
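Native registry auditing for the key, as an added PowerShell example that is not part of the Glexia page or MITRE's text; it backs the retention and change-ownership points above by making every write to the Session Manager key and its subkeys produce a Security log event (4657) with the acting account and process. It assumes an elevated session and that the host's audit policy can be changed locally (in a domain, the equivalent setting normally comes from GPO).

```powershell
# Added example (not from the page): attach an audit SACL to the Session Manager
# key so creation or modification of AppCertDlls values is recorded, then verify.
# Run as an administrator; Set-Acl on a SACL needs SeSecurityPrivilege.

$Parent = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

# Object-access auditing for the "Registry" subcategory must be on, or SACLs never emit events.
auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# Audit SetValue / CreateSubKey / Delete by any principal on the parent key, inherited by
# subkeys, so creation of the AppCertDlls subkey itself is captured as well as later writes.
$Rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    [System.Security.Principal.NTAccount]'Everyone',
    [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
    [System.Security.AccessControl.PropagationFlags]'None',
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$Acl = Get-Acl -Path $Parent -Audit      # -Audit is required to read and write the SACL
$Acl.AddAuditRule($Rule)
Set-Acl -Path $Parent -AclObject $Acl

# Verify the audit rules now attached to the key.
(Get-Acl -Path $Parent -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Select-Object IdentityReference, RegistryRights, AuditFlags, InheritanceFlags

# Review subsequent writes: 4657 carries Subject (account), Process Name, Object Name and Value Name.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'AppCertDlls' } |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

Forward the Security log to your SIEM with enough retention to cover the dwell time you expect; the SACL is only useful if the 4657 events outlive the incident they describe.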

Analyst notes and limits

The relationship context includes software S0196 PUNCHBUGGY using this technique, which supports that the behavior is operationally relevant, but this take does not infer current activity, attribution, or exposure. External references include Elastic process injection material, Sysinternals AppCertDlls discussion, and Autoruns documentation.

ATT&CK provides no official detection narrative for this object, so detection guidance is derived from the official behavior description, references, and supplied relationships. Local evidence is required to determine whether any AppCertDLLs entry is malicious or legitimate.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain     | ID    | Name                      | Relationship / procedure
Enterprise | T1546 | Event Triggered Execution | This object is a sub-technique of Event Triggered Execution.
Enterprise | T1182 | AppCert DLLs              | T1182 (AppCert DLLs) is revoked by this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 5d548ccc990a87b6...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.1            |          | Current bundle | 5d548ccc990a…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Elastic Process Injection July 2017: Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.
  [2] Sysinternals AppCertDlls Oct 2007: Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls. Retrieved November 17, 2024.
  [3] TechNet Autoruns: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.
  [4] mitre-attack T1546.009.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.