T1182 AppCert DLL Persistence - CraigDonkin/Infrastructure GitHub Wiki
- DLLs specified in the AppCertDLLs value in the Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLogonW, CreateProcessWithTokenW, or WinExec.
- Causes a malicious DLL to be loaded and run in the context of separate processes on the computer
- Requires Administrator or Local System privileges
- Create a 64-bit DLL
- Could also use Metasploit to generate this
```cpp
#include <windows.h>

// Minimal DLL entry point. The MessageBox is a placeholder payload that fires
// once in every process that loads the DLL, which makes the injection visible.
BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD   ul_reason_for_call,
                      LPVOID  lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        MessageBox(NULL, L"Hello world from DLL!", L"Hello world", 0x0);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
```
- The malicious code goes into DllMain
- Create the following registry key:
  HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls
- Under that key, make sure there is a value (e.g. named persistence) whose string (REG_SZ) data is the path to the DLL
- Launch cmd.exe (any process started through the APIs listed above will load the DLL)
- Reference for the above: https://b3n7s.github.io/2018/10/27/AppCert-Dlls.html
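Because the AppCertDlls key is absent on a normal build and any value under it is loaded into most new processes, it is a cheap thing to audit. The following PowerShell check is an added example for defenders, not code from the wiki or the referenced post; the function name Get-AppCertDllEntries is my own.

```powershell
# Added audit example (not from the original wiki page).
# Enumerates every value under the AppCertDlls key and reports whether the
# referenced DLL exists on disk and whether it carries a valid Authenticode
# signature. A clean host normally has no AppCertDlls key at all.
$AppCertKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'

function Get-AppCertDllEntries {
    param([string]$KeyPath = $AppCertKey)

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        # No key means nothing is injected through this mechanism.
        return @()
    }

    $key = Get-Item -LiteralPath $KeyPath
    foreach ($name in $key.GetValueNames()) {
        $dllPath = [string]$key.GetValue($name)
        $exists  = (-not [string]::IsNullOrWhiteSpace($dllPath)) -and
                   (Test-Path -LiteralPath $dllPath -PathType Leaf)
        $sigStatus = if ($exists) {
            (Get-AuthenticodeSignature -FilePath $dllPath).Status
        } else {
            'FileMissing'
        }

        [pscustomobject]@{
            ValueName       = $name
            DllPath         = $dllPath
            ExistsOnDisk    = $exists
            SignatureStatus = $sigStatus
            # Anything that is unsigned, missing, or outside %SystemRoot% deserves a look.
            Suspicious      = (-not $exists) -or ($sigStatus -ne 'Valid') -or
                              ($dllPath -notlike "$env:SystemRoot\*")
        }
    }
}

$entries = Get-AppCertDllEntries
if ($entries.Count -eq 0) {
    Write-Output "No AppCertDlls entries found."
} else {
    $entries | Format-Table -AutoSize
}
```

Run it elevated so the HKLM key is readable, and pair it with monitoring for writes to that key path (for example Sysmon registry events) so a newly added value is caught when it is created rather than at the next audit.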