Potential Persistence Via Microsoft Compatibility Appraiser

Aug 12, 2024 · attack.persistence attack.t1053.005 ·

Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks. In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.

Sigma rule (View on GitHub)

 1title: Potential Persistence Via Microsoft Compatibility Appraiser
 2id: f548a603-c9f2-4c89-b511-b089f7e94549
 3related:
 4    - id: 73a883d0-0348-4be4-a8d8-51031c2564f8
 5      type: derived
 6status: test
 7description: |
 8    Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks.
 9    In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.    
10references:
11    - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
12author: Sreeman
13date: 2020-09-29
14modified: 2023-02-10
15tags:
16    - attack.persistence
17    - attack.t1053.005
18logsource:
19    product: windows
20    category: process_creation
21detection:
22    selection_img:
23        - Image|endswith: '\schtasks.exe'
24        - OriginalFileName: 'schtasks.exe'
25    selection_cli:
26        CommandLine|contains|all:
27            - 'run '
28            - '\Application Experience\Microsoft Compatibility Appraiser'
29    condition: all of selection_*
30falsepositives:
31    - Unknown
32level: medium

References

Abusing Windows Telemetry for Persistence

Abusing Windows Telemetry for Persistence by Christopher Paschen: Learn how to exploit Windows telemetry for persistence, requiring local admin rights,…

Read More

Potential Persistence Via Microsoft Compatibility Appraiser

Sigma rule (View on GitHub)

References

Abusing Windows Telemetry for Persistence

Related rules