MITRE ATT&CK® Technique

T1546.010: AppInit DLLs

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows or HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. [1]

Similar to Process Injection, these values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. [2] Malicious AppInit DLLs may also provide persistence by continuously being triggered by API activity.

The AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled. [3]

Domain: Enterprise | ID: T1546.010 | Type: Sub-technique | Object version: 1.2 | Modified:
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AppInit DLLs matter because a single Windows registry value can cause a DLL to load into every process that loads user32.dll, which in practice is most Windows programs, creating a durable persistence or privilege-escalation path. For leaders, the key issue is not the registry value itself; it is whether the organization can prove that high-risk autorun locations are governed, monitored, and constrained by execution-prevention controls.

Executive priority

Prioritize this where Windows endpoints or servers remain business-critical, especially if older systems or systems without Secure Boot are present. Ask whether endpoint hardening, application control, patching, and autorun monitoring provide audit-ready evidence that unauthorized DLLs cannot persist through AppInit. This technique is also relevant to incident response scoping because a single registry-based persistence point may cause code to appear across many processes.

Technical view

T1546.010 is a Windows sub-technique of Event Triggered Execution for persistence and privilege escalation. Validate monitoring of both documented registry paths: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows and HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows, especially the AppInit_DLLs value. Two sibling values in the same key belong in the same monitoring scope: user32.dll only honours the list when the LoadAppInit_DLLs DWORD is set to 1, and RequireSignedAppInit_DLLs restricts loading to signed DLLs, so an adversary who needs AppInit to work will often touch them as well. Because user32.dll is commonly loaded, defenders should correlate registry changes, DLL file presence, and module loads rather than relying on process names alone. ATT&CK provides a related detection strategy, DET0557, but the supplied technique object has no official detection text, so local engineering is required.

Likely telemetry

  • Windows registry change telemetry for AppInit_DLLs, LoadAppInit_DLLs, and RequireSignedAppInit_DLLs under both Windows NT\CurrentVersion\Windows keys
  • Endpoint module/DLL load telemetry showing DLLs loaded into processes that load user32.dll
  • File creation, modification, and signing metadata for DLL paths referenced by AppInit_DLLs
  • Autorun inventory data from approved administrative tooling
  • Secure Boot and Windows version/configuration state

Detection direction

  • Baseline legitimate AppInit_DLLs values and alert on new, changed, unsigned, unusual, or user-writable DLL paths; treat LoadAppInit_DLLs being set to 1, or RequireSignedAppInit_DLLs being set to 0, as part of the same change.
  • Cover both native and Wow6432Node registry locations to avoid 32-bit/64-bit visibility gaps.
  • Correlate registry writes with subsequent DLL loads across multiple processes; raw module-load volume may be noisy because user32.dll is widely used.
  • Tune for authorized administrative or legacy software use, but require change evidence for any AppInit modification.
  • Use the relationship to DET0557 as a pointer for detection-strategy development, while noting that the supplied ATT&CK object does not include official detection logic.
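
The correlation described in the bullets above, as an added example that is not Glexia's or MITRE's code: a PowerShell function that takes Sysmon-style registry (Event ID 13) and image-load (Event ID 7) records, compares AppInit_DLLs writes against a known-good baseline, flags the LoadAppInit_DLLs and RequireSignedAppInit_DLLs toggles, and raises severity when the referenced DLL then appears in several distinct processes within a time window. The sample records, the baseline, the function name, and the user-writable-path heuristic are all constructed for this example; the Sysmon field names (TargetObject, Details, Image, ImageLoaded, Signed) are the real ones.

```powershell
# Added example (not Glexia or MITRE code): correlate AppInit registry writes with later
# module loads, using constructed Sysmon-style records. Field names follow Sysmon
# Event ID 13 (RegistryEvent SetValue) and Event ID 7 (ImageLoad); the records are made up.

# Known-good values per key, e.g. exported from an approved autorun inventory. Assumed empty here.
$Baseline = @{
    'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs'             = ''
    'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs' = ''
}

# Constructed sample telemetry: an operator flips LoadAppInit_DLLs on, points AppInit_DLLs at a
# DLL in a user-writable directory, and the DLL then shows up in two unrelated processes.
$Events = @(
    [pscustomobject]@{ Time=[datetime]'2024-05-01 10:00:00'; EventId=13; Host='WS01'; Image='C:\Windows\regedit.exe'
        TargetObject='HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs'; Details='DWORD (0x00000001)' }
    [pscustomobject]@{ Time=[datetime]'2024-05-01 10:00:05'; EventId=13; Host='WS01'; Image='C:\Windows\regedit.exe'
        TargetObject='HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs'; Details='C:\ProgramData\upd\helper.dll' }
    [pscustomobject]@{ Time=[datetime]'2024-05-01 10:02:10'; EventId=7;  Host='WS01'; Image='C:\Windows\System32\notepad.exe'
        ImageLoaded='C:\ProgramData\upd\helper.dll'; Signed='false' }
    [pscustomobject]@{ Time=[datetime]'2024-05-01 10:03:40'; EventId=7;  Host='WS01'; Image='C:\Windows\explorer.exe'
        ImageLoaded='C:\ProgramData\upd\helper.dll'; Signed='false' }
    [pscustomobject]@{ Time=[datetime]'2024-05-01 10:03:41'; EventId=7;  Host='WS01'; Image='C:\Windows\explorer.exe'
        ImageLoaded='C:\Windows\System32\user32.dll'; Signed='true' }   # benign background load, must not alert
)

function Find-AppInitAbuse {
    param(
        [Parameter(Mandatory)] [object[]]  $Events,
        [Parameter(Mandatory)] [hashtable] $Baseline,
        [int] $WindowMinutes = 60,   # how long after the registry write to look for loads
        [int] $MinProcesses  = 2     # distinct processes loading the DLL before we call it "spread"
    )
    # Matches the sibling values too, under both the native and the Wow6432Node key.
    $pattern = '\\Windows NT\\CurrentVersion\\Windows\\(AppInit_DLLs|LoadAppInit_DLLs|RequireSignedAppInit_DLLs)$'
    $alerts  = [System.Collections.Generic.List[object]]::new()

    foreach ($e in ($Events | Where-Object { $_.EventId -eq 13 -and $_.TargetObject -match $pattern })) {
        $valueName = ($e.TargetObject -split '\\')[-1]
        switch ($valueName) {
            'LoadAppInit_DLLs' {
                if ($e.Details -match '\(0x0*1\)') {
                    $alerts.Add([pscustomobject]@{ Host=$e.Host; Time=$e.Time; Severity='Medium'
                        Reason='LoadAppInit_DLLs enabled'; Writer=$e.Image; Dll=$null; Processes=@() })
                }
            }
            'RequireSignedAppInit_DLLs' {
                if ($e.Details -match '\(0x0*0\)') {
                    $alerts.Add([pscustomobject]@{ Host=$e.Host; Time=$e.Time; Severity='Medium'
                        Reason='RequireSignedAppInit_DLLs disabled'; Writer=$e.Image; Dll=$null; Processes=@() })
                }
            }
            'AppInit_DLLs' {
                if ($e.Details -ne $Baseline[$e.TargetObject]) {
                    # The value is a space- or comma-separated list of DLL paths.
                    foreach ($dll in ($e.Details -split '[ ,]+' | Where-Object { $_ })) {
                        # Heuristic for user-writable locations; a real ACL check belongs in the host audit, not the SIEM.
                        $userWritable = $dll -match '^(?i)C:\\(Users|ProgramData|Windows\\Temp)\\'
                        $loads = $Events | Where-Object {
                            $_.EventId -eq 7 -and $_.Host -eq $e.Host -and $_.ImageLoaded -ieq $dll -and
                            $_.Time -ge $e.Time -and $_.Time -le $e.Time.AddMinutes($WindowMinutes)
                        }
                        $procs = @($loads | Select-Object -ExpandProperty Image -Unique)
                        $unsigned = @($loads | Where-Object { $_.Signed -eq 'false' }).Count -gt 0
                        $severity = if ($procs.Count -ge $MinProcesses) { 'High' }
                                    elseif ($userWritable -or $unsigned)  { 'Medium' }
                                    else                                  { 'Low' }
                        $alerts.Add([pscustomobject]@{ Host=$e.Host; Time=$e.Time; Severity=$severity
                            Reason='AppInit_DLLs changed from baseline'; Writer=$e.Image; Dll=$dll; Processes=$procs })
                    }
                }
            }
        }
    }
    return $alerts
}

# On the sample data this yields two alerts: the LoadAppInit_DLLs toggle (Medium) and the
# baseline deviation for helper.dll, rated High because notepad.exe and explorer.exe both loaded it.
Find-AppInitAbuse -Events $Events -Baseline $Baseline | Format-Table -AutoSize
```

The window and process-count thresholds are the tuning knobs the bullets call for: a legitimate deployment tool writing AppInit_DLLs will also produce loads across many processes, so the baseline hashtable, not the thresholds, is what separates approved from unapproved values. Feed real records from Get-WinEvent (Microsoft-Windows-Sysmon/Operational) into the same function once field mapping is confirmed.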

Mitigation priorities

  • Confirm Windows systems are updated, aligning with ATT&CK mitigation M1051 Update Software.
  • Use execution prevention controls aligned with M1038 so only trusted and authorized code can execute or load.
  • Validate Secure Boot status where applicable, because the supplied description states AppInit DLL functionality is disabled on Windows 8 and later when Secure Boot is enabled.
  • Restrict and monitor administrative access capable of modifying HKLM autorun registry locations.
  • Include AppInit registry keys in incident response persistence checks and compliance evidence for endpoint hardening.

Analyst notes and limits
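
A host-side audit matching the technical view and the mitigation priorities above, as an added example that is not Glexia's or MITRE's code: it reads both documented keys, the AppInit_DLLs list and its LoadAppInit_DLLs and RequireSignedAppInit_DLLs switches, records Secure Boot state, and checks each referenced DLL for existence, Authenticode status, and write access by low-privilege principals. The function and column names are this script's own; the "Effective" judgement and the System32 fallback for relative DLL names are assumptions stated in the comments.

```powershell
# Added example (not Glexia or MITRE code): audit the AppInit DLL surface of the local host.
# Run in an elevated session on Windows; Confirm-SecureBootUEFI needs UEFI firmware and admin rights.
# Function and column names are this script's own.

$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'   # only present on 64-bit Windows
)

function Get-AppInitDllState {
    [CmdletBinding()]
    param([string[]] $Keys = $AppInitKeys)

    # AppInit DLLs are disabled on Windows 8+ when Secure Boot is on; 'Unknown' covers BIOS hosts or no elevation.
    $secureBoot = 'Unknown'
    try { $secureBoot = [string](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }
    $osVersion = [Environment]::OSVersion.Version   # Windows 8 is 6.2

    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props   = Get-ItemProperty -LiteralPath $key
        $load    = [int]($props.LoadAppInit_DLLs)           # DWORD switch; the list is honoured only when 1
        $reqSign = [int]($props.RequireSignedAppInit_DLLs)  # 1 = only signed DLLs are loaded
        $raw     = [string]$props.AppInit_DLLs
        # Assumption: best-effort judgement of whether the list is live, from the documented rules above.
        $effective = ($load -eq 1) -and -not ($secureBoot -eq 'True' -and $osVersion -ge [version]'6.2')

        # The value is a space- or comma-separated list of paths; short names are common.
        $dlls = @($raw -split '[ ,]+' | Where-Object { $_ })
        if ($dlls.Count -eq 0) {
            [pscustomobject]@{ Key=$key; Load=$load; RequireSigned=$reqSign; SecureBoot=$secureBoot
                Effective=$effective; Dll='(empty)'; Exists=$null; Signature=$null; UserWritable=$null }
            continue
        }
        foreach ($dll in $dlls) {
            # Relative names are resolved by the loader's search order; System32 is assumed as the usual location.
            $path   = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $env:SystemRoot "System32\$dll" }
            $exists = Test-Path -LiteralPath $path
            $sig = 'Missing'; $writable = $null
            if ($exists) {
                $sig = (Get-AuthenticodeSignature -LiteralPath $path).Status.ToString()
                # A DLL that low-privilege principals can modify lets any local user plant code into every process.
                $writable = [bool](
                    (Get-Acl -LiteralPath $path).Access | Where-Object {
                        $_.AccessControlType -eq 'Allow' -and
                        $_.IdentityReference.Value -match '(^|\\)(Users|Everyone|Authenticated Users)$' -and
                        $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl'
                    })
            }
            [pscustomobject]@{ Key=$key; Load=$load; RequireSigned=$reqSign; SecureBoot=$secureBoot
                Effective=$effective; Dll=$path; Exists=$exists; Signature=$sig; UserWritable=$writable }
        }
    }
}

# Rows with Effective = True and a DLL that is unsigned, missing, or user-writable deserve a ticket;
# an empty list with Load = 1 is still worth recording, because the switch is already armed.
Get-AppInitDllState | Format-Table -AutoSize
```

Run the function across a fleet through your remoting tool of choice and keep the output as hardening evidence: it answers the executive question above (is the autorun location governed and constrained?) with the registry state, the Secure Boot state, and the signature and ACL posture of every DLL the value points at.
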

Relationship context shows this technique is the current sub-technique replacing revoked T1103, is under T1546 Event Triggered Execution, and has documented use relationships to APT39 and the T9000, Cherry Picker, and Ramsay software entries. These relationships support relevance for threat-informed defense, but do not by themselves prove current activity in any environment.

The supplied object does not provide official detection text or environment-specific prevalence. This take is limited to the official ATT&CK fields, external references, and relationships provided; local baselines, endpoint telemetry quality, Windows versions, Secure Boot state, and application-control policy determine actual defensive coverage.

Official MITRE ATT&CK definition

The definition is identical to the technique description at the top of this page.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name                        Relationship / procedure
Enterprise  T1546      Event Triggered Execution   This object is a sub-technique of Event Triggered Execution.
Enterprise  T1103      AppInit DLLs                The legacy technique T1103 is revoked and superseded by this object.
Associated objects

Groups, software, and campaigns

Group (Enterprise)

G0087: APT39

APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.[1][2][3][4][5]

Malware (Enterprise)

S0098: T9000

T9000 is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. It has been used in multiple targeted attacks against U.S.-based organizations.[1][2]

Platforms: Windows

Malware (Enterprise)

S0458: Ramsay

Ramsay is an information stealing malware framework designed to collect and exfiltrate sensitive documents, including from air-gapped systems. Researchers have identified overlaps between Ramsay and the Darkhotel-associated Retro malware.[1][2]

Platforms: Windows
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: 44081eec9b21e499...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.2                       Current bundle  44081eec9b21…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Elastic. Retrieved December 7, 2017.
  2. [2] Microsoft. (2006, October). Working with the AppInit_DLLs registry value. Retrieved July 15, 2015.
  3. [3] Microsoft. (n.d.). AppInit DLLs and Secure Boot. Retrieved July 15, 2015.
  4. [4] Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. TechNet. Retrieved June 6, 2016.
  5. [5] MITRE ATT&CK. T1546.010: AppInit DLLs. attack.mitre.org.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.