Potential Persistence Via Microsoft Compatibility Appraiser
Detects manual execution of the "Microsoft Compatibility Appraiser" scheduled task via schtasks, which can be used to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.
Sigma rule
```yaml
title: Potential Persistence Via Microsoft Compatibility Appraiser
id: f548a603-c9f2-4c89-b511-b089f7e94549
related:
    - id: 73a883d0-0348-4be4-a8d8-51031c2564f8
      type: derived
status: test
description: |
    Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks,
    which can be used to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.
references:
    - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
author: Sreeman
date: 2020/09/29
modified: 2023/02/10
tags:
    - attack.persistence
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'run '
            - '\Application Experience\Microsoft Compatibility Appraiser'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
```
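The detection block above, evaluated in Python against a handful of constructed process_creation events. This is an added example, not code from the rule or from the SigmaHQ project; the event dictionaries are made up for illustration and use the Sigma process_creation field names the rule references (Image, OriginalFileName, CommandLine). Sigma string matching is case-insensitive by default, so every comparison lowercases both sides.

```python
"""Evaluate the Sigma rule's selection_img / selection_cli logic
against constructed process_creation events (not real telemetry)."""

APPRAISER_TASK = r"\Application Experience\Microsoft Compatibility Appraiser"

# Constructed sample events. The comment on each says whether the rule should fire.
SAMPLE_EVENTS = [
    {   # 0: benign - the task is only queried, "run " never appears
        "Image": r"C:\Windows\System32\schtasks.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": r'schtasks /query /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"',
    },
    {   # 1: suspicious - manual /run of the appraiser task
        "Image": r"C:\Windows\System32\schtasks.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": r'schtasks /run /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"',
    },
    {   # 2: suspicious - schtasks copied to another name; OriginalFileName still matches
        "Image": r"C:\Users\Public\st.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": r'st.exe /Run /TN "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"',
    },
    {   # 3: benign - a different task under Application Experience is run
        "Image": r"C:\Windows\System32\schtasks.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": r'schtasks /run /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"',
    },
    {   # 4: no match - both substrings present, but the process is not schtasks
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"cmd /c echo run \Application Experience\Microsoft Compatibility Appraiser",
    },
]


def selection_img(event):
    """Image|endswith '\\schtasks.exe' OR OriginalFileName == 'schtasks.exe'.
    A list under a selection is OR-ed in Sigma; the OriginalFileName branch
    is what catches a renamed copy of the binary (event 2)."""
    image = str(event.get("Image", "")).lower()
    ofn = str(event.get("OriginalFileName", "")).lower()
    return image.endswith(r"\schtasks.exe") or ofn == "schtasks.exe"


def selection_cli(event):
    """CommandLine|contains|all: every needle must be a substring."""
    cmd = str(event.get("CommandLine", "")).lower()
    needles = ("run ", APPRAISER_TASK.lower())
    return all(n in cmd for n in needles)


def matches_rule(event):
    """condition: all of selection_*  (both selections must hold)."""
    return selection_img(event) and selection_cli(event)


def run_detection(events=SAMPLE_EVENTS):
    """Return the indices of the events that fire the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for i in run_detection():
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Two things worth noting when tuning this rule. The `'run '` needle is a plain substring with a trailing space, so it matches `/run`, `/Run` and `/RUN` followed by further arguments, but also any other occurrence of "run " in the command line; the second needle is what keeps the rule specific. And the rule only sees the trigger (schtasks running the task), not the registry write that plants the payload under the TelemetryController key, so it fires late in the chain; a registry_event rule on that key is the natural complement if you want earlier coverage.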
References
- https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
Related rules
- Scheduled Task Executed From A Suspicious Location
- Scheduled Task Executed Uncommon LOLBIN
- Potential Persistence Via Powershell Search Order Hijacking - Task
- Uncommon One Time Only Scheduled Task At 00:00
- Diamond Sleet APT Scheduled Task Creation