Threat Intel: Persistence - AppInit DLLs

bf92b536-95cc-4060-bea3-a61ba1e4c9bb

Windows allows almost every application process to load a configured set of custom Dynamic Link Libraries (DLLs) into its memory space at startup. This feature can be abused for persistence: a specially crafted DLL registered this way executes its code every time an application process is started on the system. Using the technique requires administrator privileges, since the controlling registry values live under HKEY_LOCAL_MACHINE.

Remediation

The following two registry values should be set to 0 or be absent:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs - 0x0
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs - 0x0

If either value is set to 1, treat it as a potential issue. Verify manually, because in rare cases a legitimate program depends on this functionality. If no such requirement exists, the setting is very likely a sign of a malware infection.
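The following PowerShell audit is an added example, not part of the original page: it reads LoadAppInit_DLLs at both locations named above and, where loading is enabled, lists each path in the neighbouring AppInit_DLLs value (the value the Microsoft documentation linked below describes) together with its Authenticode signature status, so the manual verification step has concrete material to work with. It assumes it is run with administrator rights on a 64-bit Windows host.

```powershell
# Added example (not from the original page): audit the AppInit DLL registry locations.
# The two keys are the ones listed in the Remediation section above.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) {
        Write-Output "[info] $key not present"
        continue
    }

    $props = Get-ItemProperty -Path $key
    $load  = $props.LoadAppInit_DLLs   # $null when the value does not exist
    $dlls  = $props.AppInit_DLLs       # space- or comma-separated DLL paths, if any

    if ($null -eq $load -or $load -eq 0) {
        $shown = if ($null -eq $load) { '<absent>' } else { $load }
        Write-Output "[ok]   $key : LoadAppInit_DLLs = $shown"
        continue
    }

    # LoadAppInit_DLLs is non-zero: loading is enabled, so show what would be loaded.
    Write-Output "[warn] $key : LoadAppInit_DLLs = $load (AppInit DLL loading enabled)"
    if ([string]::IsNullOrWhiteSpace($dlls)) {
        Write-Output "       AppInit_DLLs is empty"
        continue
    }

    # Inspect each configured DLL individually: does it exist, and who signed it?
    foreach ($dll in ($dlls -split '[ ,]+' | Where-Object { $_ })) {
        if (Test-Path -LiteralPath $dll) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            Write-Output "       $dll : signature=$($sig.Status) signer=$signer"
        } else {
            Write-Output "       $dll : file not found (stale entry)"
        }
    }
}
```

On Windows 8 and later with Secure Boot enabled, AppInit DLL loading is disabled regardless of these values, so a 1 found there is still worth removing but will not by itself result in code execution.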

More information and examples of this attack vector: https://pentestlab.blog/2020/01/07/persistence-appinit-dlls/
Microsoft: https://learn.microsoft.com/en-us/windows/win32/dlls/secure-boot-and-appinit-dlls