security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cfa399357b4ecc0d893ceeebac4e4e1adfbbae0f
atomic-red-team/Windows/Persistence/AppInit_DLLs.md
T
caseysmithrc ac8dd2cfec Initial Commit 
Initial Checkin
2017-10-11 10:35:17 -07:00

25 lines
925 B
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
## AppInit DLLs
MITRE ATT&CK Technique: [T1103](https://attack.mitre.org/wiki/Technique/T1103)
#### AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
#### LoadAppInit_DLLs (REG_DWORD) Globally enables or disables AppInit_DLLs.
0x0 AppInit_DLLs are disabled.
0x1 AppInit_DLLs are enabled.
#### AppInit_DLLs (REG_SZ) Space or comma delimited list of DLLs to load. The complete path to the DLL should be specified using Short Names.
C:\ PROGRA~1\WID288~1\MICROS~1.DLL
##### RequireSignedAppInit_DLLs (REG_DWORD) Only load code-signed DLLs. 0x0 Load any DLLs.
0x1 Load only code-signed DLLs.
## Test Script
[AppInitInject.reg](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AppInitInject.reg)
Reference in New Issue View Git Blame Copy Permalink