Potential Persistence Via Microsoft Compatibility Appraiser
Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks. In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.
Sigma rule (View on GitHub)
1title: Potential Persistence Via Microsoft Compatibility Appraiser
2id: f548a603-c9f2-4c89-b511-b089f7e94549
3related:
4 - id: 73a883d0-0348-4be4-a8d8-51031c2564f8
5 type: derived
6status: experimental
7description: |
8 Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks.
9 In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.
10references:
11 - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
12author: Sreeman
13date: 2020/09/29
14modified: 2023/02/10
15tags:
16 - attack.persistence
17 - attack.t1053.005
18logsource:
19 product: windows
20 category: process_creation
21detection:
22 selection_img:
23 - Image|endswith: '\schtasks.exe'
24 - OriginalFileName: 'schtasks.exe'
25 selection_cli:
26 CommandLine|contains|all:
27 - 'run '
28 - '\Application Experience\Microsoft Compatibility Appraiser'
29 condition: all of selection_*
30falsepositives:
31 - Unknown
32level: medium