The AppInit_DLLs feature in Windows provides a way to load custom DLLs into the address space of every interactive application. Once a DLL is loaded into the address space of any process, it can run within the context of that process and can hook well-known APIs to implement an alternate functionality. An attacker can achieve persistence for their malicious DLL by setting the AppInit_DLLs value in the following registry key. This value typically contains space or comma-delimited list of DLLs. All the DLLs specified here are loaded into every process that loads User32.dll. Since User32.dll is loaded by almost all of the processes, this technique enables the attacker to load their malicious DLL into most of the processes and executes the malicious code within the context of the loaded process. In addition to setting the AppInit_DLLs value, an attacker may also enable the AppInit_DLLs functionality by setting the LoadAppInit_DLLs registry value to 1. The AppInit_DLLs functionality is disabled on Windows 8 and later versions, where the secure boot is enabled:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
The following screenshot shows the AppInit DLL entries added by the T9000 backdoor (https://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/):
As a result of adding the preceding registry entries, when any new process (that loads User32.dll) is started, it loads the malicious DLL (ResN32.dll) into its address space. The following screenshot displays the operating system's processes that loaded the malicious DLL (ResN32.dll) after rebooting the system. Since most of these processes run with high integrity levels, it allows an adversary to execute malicious code with elevated privileges:
To detect this technique, you can look for the suspicious entries in the AppInit_DLLs registry value, that do not relate to the legitimate programs in your environment. You can also look for any process exhibiting abnormal behavior due to the loading of the malicious DLL.