A write to the AppInit_DLLs value (under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, or the Wow6432Node equivalent for 32-bit processes) followed by anomalous DLL loading in processes that import user32.dll, especially an unsigned or uncommon DLL, suggests unauthorized AppInit persistence or privilege escalation. The configured DLLs are only loaded while LoadAppInit_DLLs in the same key is 1, and Windows 8 and later ignore AppInit_DLLs when Secure Boot is enabled, so writes to LoadAppInit_DLLs and RequireSignedAppInit_DLLs alongside the value are worth correlating as well.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13, 14 |

| Field | Description |
|---|---|
| ImagePathWhitelist | Paths or filenames of known-good DLLs to exclude from alerting |
| UserContext | Context of the user modifying the registry key (e.g., admin vs standard user) |
| TimeWindow | Temporal threshold for correlating registry modification and DLL load |
| DLLSignatureStatus | Filter or flag unsigned or suspiciously signed DLLs |
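The correlation described above, written out as an added example that is not part of this detection strategy: Sysmon Event 13 writes to either AppInit_DLLs key are paired with Event 7 module loads of the DLLs they configured inside a time window, with the page's four tunables (ImagePathWhitelist, TimeWindow, DLLSignatureStatus, UserContext) as parameters. The sample events are constructed; field names follow Sysmon's Event 7 and Event 13 schema, and the tunable values are example settings, not recommendations.

```python
import ntpath
import re
from datetime import datetime, timedelta

# Registry locations of AppInit_DLLs (native view and WOW64 view), lower-cased for matching.
APPINIT_KEYS = {
    r"hklm\software\microsoft\windows nt\currentversion\windows\appinit_dlls",
    r"hklm\software\wow6432node\microsoft\windows nt\currentversion\windows\appinit_dlls",
}

# Tunables mirroring the page's mutable elements; the values are example settings.
IMAGE_PATH_WHITELIST = {r"c:\tools\vendor\hook.dll"}  # ImagePathWhitelist: known-good DLL paths
TIME_WINDOW = timedelta(minutes=30)                    # TimeWindow: max gap between write and load
UNSIGNED_VALUES = {"false"}                            # DLLSignatureStatus: Sysmon 'Signed' values to flag
EXPECTED_MODIFIERS = {r"corp\svc-deploy"}              # UserContext: accounts expected to edit the value


def parse_utc(s):
    """Sysmon UtcTime has the form '2024-05-01 10:00:00.123'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def appinit_entries(details):
    """AppInit_DLLs is a REG_SZ holding DLL paths separated by spaces or commas."""
    return [p.strip().lower() for p in re.split(r"[ ,;]+", details) if p.strip()]


def correlate(events, whitelist=IMAGE_PATH_WHITELIST, window=TIME_WINDOW,
              unsigned_values=UNSIGNED_VALUES, expected_modifiers=EXPECTED_MODIFIERS):
    """Pair each AppInit_DLLs write (Event 13) with later loads (Event 7) of the DLLs it configured."""
    writes = [e for e in events
              if e["EventCode"] == 13 and e["TargetObject"].lower() in APPINIT_KEYS]
    loads = [e for e in events if e["EventCode"] == 7]
    alerts = []
    for w in writes:
        configured = {ntpath.basename(p) for p in appinit_entries(w["Details"])}
        t0 = parse_utc(w["UtcTime"])
        for ld in loads:
            dll = ld["ImageLoaded"].lower()
            t = parse_utc(ld["UtcTime"])
            if not (t0 <= t <= t0 + window):
                continue  # load is not within the correlation window after the write
            if dll in whitelist or ntpath.basename(dll) not in configured:
                continue  # known-good DLL, or not one of the DLLs this write configured
            if ld.get("Signed", "").lower() in unsigned_values:
                severity = "high"    # unsigned DLL now injected into every user32.dll importer
            elif w.get("User", "").lower() in expected_modifiers:
                severity = "low"     # signed DLL, configured by an account expected to do so
            else:
                severity = "medium"
            alerts.append({
                "severity": severity,
                "dll": dll,
                "loaded_by": ld["Image"],
                "modified_by": w.get("User", ""),
                "write_time": w["UtcTime"],
                "load_time": ld["UtcTime"],
            })
    return alerts


# Constructed sample events using Sysmon field names (not real telemetry).
SAMPLE_EVENTS = [
    {"EventCode": 13, "UtcTime": "2024-05-01 10:00:00.000", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "Details": r"C:\ProgramData\upd\helper.dll,C:\Tools\vendor\hook.dll", "User": r"CORP\jdoe"},
    {"EventCode": 7, "UtcTime": "2024-05-01 10:00:45.000", "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\ProgramData\upd\helper.dll", "Signed": "false"},
    {"EventCode": 7, "UtcTime": "2024-05-01 10:01:00.000", "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Tools\vendor\hook.dll", "Signed": "true"},          # whitelisted
    {"EventCode": 7, "UtcTime": "2024-05-01 10:01:05.000", "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},  # not configured
    {"EventCode": 7, "UtcTime": "2024-05-01 11:00:00.000", "Image": r"C:\Windows\System32\calc.exe",
     "ImageLoaded": r"C:\ProgramData\upd\helper.dll", "Signed": "false"},    # outside window
    {"EventCode": 13, "UtcTime": "2024-05-01 12:00:00.000", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "Details": r"C:\Tools\vendor\telemetry.dll", "User": r"CORP\svc-deploy"},
    {"EventCode": 7, "UtcTime": "2024-05-01 12:00:30.000", "Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Tools\vendor\telemetry.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the sample data this yields two alerts: a high-severity one for the unsigned helper.dll loaded by notepad.exe 45 seconds after CORP\jdoe set the value, and a low-severity one for the signed telemetry.dll configured by the expected deployment account. The whitelisted hook.dll, the unrelated kernel32.dll load, and the helper.dll load an hour later are all dropped. Signature status is used to rank rather than filter, since a stolen or self-signed certificate should not silence the correlation outright.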