MITRE ATT&CK Technique
Persistence
T1182
Description
Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</code> are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. (Citation: Elastic Process Injection July 2017) Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), this value can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
Supported Platforms
Windows
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2018-01-16T16:13:52.465Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Dynamic-link libraries (DLLs) that are specified in the '
'AppCertDLLs Registry key under '
'<code>HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session '
'Manager</code> are loaded into every process that calls the '
'ubiquitously used application programming interface (API) '
'functions CreateProcess, CreateProcessAsUser, '
'CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. '
'(Citation: Elastic Process Injection July 2017)\n'
'\n'
'Similar to [Process '
'Injection](https://attack.mitre.org/techniques/T1055), this '
'value can be abused to obtain persistence and privilege '
'escalation by causing a malicious DLL to be loaded and run in '
'the context of separate processes on the computer.',
'external_references': [{'external_id': 'T1182',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1182'},
{'description': 'Hosseini, A. (2017, July 18). Ten '
'Process Injection Techniques: A '
'Technical Survey Of Common And '
'Trending Process Injection '
'Techniques. Retrieved December 7, '
'2017.',
'source_name': 'Elastic Process Injection July 2017',
'url': 'https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process'},
{'description': 'Russinovich, M. (2016, January 4). '
'Autoruns for Windows v13.51. '
'Retrieved June 6, 2016.',
'source_name': 'TechNet Autoruns',
'url': 'https://technet.microsoft.com/en-us/sysinternals/bb963902'},
{'description': 'Microsoft. (2007, October 24). '
'Windows Sysinternals - AppCertDlls. '
'Retrieved December 18, 2017.',
'source_name': 'Sysinternals AppCertDlls Oct 2007',
'url': 'https://forum.sysinternals.com/appcertdlls_topic12546.html'}],
'id': 'attack-pattern--4bf5845d-a814-4490-bc5c-ccdee6043025',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'}],
'modified': '2025-10-24T17:48:44.956Z',
'name': 'AppCert DLLs',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': True,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.1'}