appinit

$ target-query <path/to/target> -f appinit
Details

Module

os.windows.generic.GenericPlugin

Output

records

Module documentation

Generic Windows plugin.

Provides some plugins that don’t fit in a separate plugin.

Function documentation

Return all available Application Initial (AppInit) DLLs registry key values.

AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system. It can be used as a persistence mechanism and/or to elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. DLLs that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows or HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll.
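As an added example (not part of the Dissect plugin or this page), the triage a responder would run over the values read from the two keys above: split the AppInit_DLLs string into its DLL paths and report, per key, whether the neighbouring LoadAppInit_DLLs and RequireSignedAppInit_DLLs values mean those DLLs would actually be injected. The record shape (key/name/value dicts), the sample values and the defaults assumed for missing values are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample records shaped as key/name/value dicts; this is not the
# record type the Dissect plugin emits. Paths and DLL names are made up.
KEY_NATIVE = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows"
KEY_WOW64 = r"HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows"

SAMPLE_RECORDS = [
    {"key": KEY_NATIVE, "name": "AppInit_DLLs", "value": ""},
    {"key": KEY_NATIVE, "name": "LoadAppInit_DLLs", "value": 0},
    {"key": KEY_WOW64, "name": "AppInit_DLLs",
     "value": r"C:\Users\Public\unknown.dll, C:\Windows\System32\vendor.dll"},
    {"key": KEY_WOW64, "name": "LoadAppInit_DLLs", "value": 1},
    {"key": KEY_WOW64, "name": "RequireSignedAppInit_DLLs", "value": 0},
]


def split_appinit_dlls(value: str) -> List[str]:
    """AppInit_DLLs is one string; Windows accepts space or comma separators.
    Paths containing spaces are therefore split too, which is why the documented
    guidance is to use 8.3 short names in this value."""
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


@dataclass
class AppInitFinding:
    key: str
    dlls: List[str]
    load_enabled: bool     # LoadAppInit_DLLs == 1: user32.dll will honour the list
    signed_required: bool  # RequireSignedAppInit_DLLs == 1: unsigned DLLs are refused


def assess_appinit(records: Iterable[dict]) -> List[AppInitFinding]:
    """Group values per key and report every key whose AppInit_DLLs is non-empty."""
    by_key: Dict[str, Dict[str, object]] = {}
    for rec in records:
        by_key.setdefault(rec["key"], {})[rec["name"]] = rec["value"]
    findings = []
    for key, values in by_key.items():
        dlls = split_appinit_dlls(str(values.get("AppInit_DLLs", "")))
        if not dlls:
            continue  # empty list: nothing is injected from this key
        # Assumed defaults when a value is absent: loading off, signing required.
        findings.append(AppInitFinding(
            key=key, dlls=dlls,
            load_enabled=int(values.get("LoadAppInit_DLLs", 0)) == 1,
            signed_required=int(values.get("RequireSignedAppInit_DLLs", 1)) == 1,
        ))
    return findings
```

A finding with load_enabled set and signed_required cleared is the combination worth escalating; an empty AppInit_DLLs value on both keys is the expected clean state.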

References: