Potential Persistence Via Microsoft Compatibility Appraiser
Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks. In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.
Sigma rule (View on GitHub)
1title: Potential Persistence Via Microsoft Compatibility Appraiser
2id: f548a603-c9f2-4c89-b511-b089f7e94549
3related:
4 - id: 73a883d0-0348-4be4-a8d8-51031c2564f8
5 type: derived
6status: test
7description: |
8 Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks.
9 In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.
10references:
11 - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
12author: Sreeman
13date: 2020/09/29
14modified: 2023/02/10
15tags:
16 - attack.persistence
17 - attack.t1053.005
18logsource:
19 product: windows
20 category: process_creation
21detection:
22 selection_img:
23 - Image|endswith: '\schtasks.exe'
24 - OriginalFileName: 'schtasks.exe'
25 selection_cli:
26 CommandLine|contains|all:
27 - 'run '
28 - '\Application Experience\Microsoft Compatibility Appraiser'
29 condition: all of selection_*
30falsepositives:
31 - Unknown
32level: medium
References
-
Today we're going to talk about a persistence method that takes advantage of some of the wonderful telemetry that Microsoft has included in Windows versions for the last decade. The process outline...
Read More
Related rules
- Scheduled Task Executed From A Suspicious Location
- Scheduled Task Executed Uncommon LOLBIN
- Potential Persistence Via Powershell Search Order Hijacking - Task
- Uncommon One Time Only Scheduled Task At 00:00
- Diamond Sleet APT Scheduled Task Creation