Potential Persistence Via Microsoft Compatibility Appraiser

Detects manual execution of the "Microsoft Compatibility Appraiser" scheduled task via schtasks, which an attacker can use to trigger persistence stored under the "\AppCompatFlags\TelemetryController" registry key.

Sigma rule

title: Potential Persistence Via Microsoft Compatibility Appraiser
id: f548a603-c9f2-4c89-b511-b089f7e94549
related:
    - id: 73a883d0-0348-4be4-a8d8-51031c2564f8
      type: derived
status: test
description: |
    Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks.
    In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.
references:
    - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
author: Sreeman
date: 2020-09-29
modified: 2023-02-10
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'run '
            - '\Application Experience\Microsoft Compatibility Appraiser'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
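To see what the detection block above actually matches, here is an added example that evaluates the rule's two selections and its condition by hand against constructed process_creation events. It is not part of the SigmaHQ rule or of any Sigma tooling; the event class, the field names and the sample command lines are assumptions made for the example, and the sample events are constructed rather than real telemetry.

```python
"""Added example (not part of the SigmaHQ rule or Sigma tooling): evaluate the
rule's detection block by hand against constructed process_creation events.
Field names mirror the rule (Image, OriginalFileName, CommandLine)."""
from dataclasses import dataclass

# Terms copied verbatim from the rule's detection block
IMAGE_SUFFIX = r"\schtasks.exe"
ORIGINAL_FILE_NAME = "schtasks.exe"
CLI_TERMS = ("run ", r"\Application Experience\Microsoft Compatibility Appraiser")


@dataclass
class ProcessCreationEvent:
    event_id: str            # label for the constructed sample, not a Sigma field
    image: str
    original_file_name: str
    command_line: str


def selection_img(ev: ProcessCreationEvent) -> bool:
    """A list of maps under one selection is OR-ed in Sigma; string
    comparisons are case-insensitive by default."""
    return (ev.image.lower().endswith(IMAGE_SUFFIX)
            or ev.original_file_name.lower() == ORIGINAL_FILE_NAME)


def selection_cli(ev: ProcessCreationEvent) -> bool:
    """contains|all: every listed term must be a substring of CommandLine."""
    cl = ev.command_line.lower()
    return all(term.lower() in cl for term in CLI_TERMS)


def matches(ev: ProcessCreationEvent) -> bool:
    """condition: all of selection_* -> both selections must hold."""
    return selection_img(ev) and selection_cli(ev)


# Constructed sample events; none of these are real telemetry.
TASK = r"\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
SAMPLE_EVENTS = [
    ProcessCreationEvent(  # the manual kick the rule is written for
        "manual-run",
        r"C:\Windows\System32\schtasks.exe", "schtasks.exe",
        f'schtasks /run /TN "{TASK}"'),
    ProcessCreationEvent(  # schtasks copied and renamed; OriginalFileName still matches
        "renamed-binary",
        r"C:\Users\Public\st.exe", "schtasks.exe",
        f'st.exe /Run /tn "{TASK}"'),
    ProcessCreationEvent(  # benign query of the same task: no 'run ' term
        "query-only",
        r"C:\Windows\System32\schtasks.exe", "schtasks.exe",
        f'schtasks /query /TN "{TASK}" /V'),
    ProcessCreationEvent(  # manual run of an unrelated task
        "other-task",
        r"C:\Windows\System32\schtasks.exe", "schtasks.exe",
        r'schtasks /run /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"'),
    ProcessCreationEvent(  # same task started through PowerShell: outside the rule's scope
        "powershell-start",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PowerShell.EXE",
        'powershell -c Start-ScheduledTask -TaskPath "\\Microsoft\\Windows\\Application Experience\\" '
        '-TaskName "Microsoft Compatibility Appraiser"'),
]


def matching_ids(events=SAMPLE_EVENTS):
    """Return the labels of the sample events the rule would fire on."""
    return [ev.event_id for ev in events if matches(ev)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.event_id:18s} match={matches(ev)}")
```

The renamed-binary event matches only through the OriginalFileName alternative, which is why the rule lists it next to Image. The PowerShell event starts the very same task with Start-ScheduledTask and is not matched, because the rule is scoped to schtasks.exe; likewise the task's regular scheduled run is launched by the Task Scheduler service rather than by schtasks.exe, so this rule covers the manual trigger only, not the later execution of whatever was planted under TelemetryController.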
