New Application in AppCompat
A general detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.
Sigma rule
title: New Application in AppCompat
id: 60936b49-fca0-4f32-993d-7415edcf9a5d
status: test
description: A general detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.
references:
  - https://github.com/OTRF/detection-hackathon-apt29/issues/1
  - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2023-08-17
tags:
  - attack.execution
  - attack.t1204.002
logsource:
  product: windows
  category: registry_set
detection:
  selection:
    TargetObject|contains: '\AppCompatFlags\Compatibility Assistant\Store\'
  condition: selection
falsepositives:
  - This rule is to explore new applications on an endpoint. False positives depend on the organization.
  - Newly set up system.
  - Legitimate installation of a new application.
level: informational
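As an added example that is not part of the rule or its references, the Python below applies the selection above (a case-insensitive contains match on TargetObject, as Sigma defines string modifiers) to constructed Sysmon Event ID 13 registry_set records, extracts the executable path that the Program Compatibility Assistant writes as the value name under the Store key, and keeps only the first occurrence of each binary per host, which is how an informational rule like this is usually triaged. The event field names, hostnames and sample paths are assumptions.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# Rule selection: TargetObject|contains '\AppCompatFlags\Compatibility Assistant\Store\'
STORE_MARKER = "\\AppCompatFlags\\Compatibility Assistant\\Store\\"

def sigma_contains(value: str, needle: str) -> bool:
    """Sigma string modifiers match case-insensitively by default."""
    return needle.lower() in value.lower()

def matches(event: Dict[str, str]) -> bool:
    """Apply the rule's single-selection condition to one registry_set event."""
    return sigma_contains(event.get("TargetObject", ""), STORE_MARKER)

def new_application(event: Dict[str, str]) -> Optional[str]:
    """The value name under the Store key is the full path of the executable
    the Program Compatibility Assistant just observed; None if no match."""
    target = event.get("TargetObject", "")
    idx = target.lower().find(STORE_MARKER.lower())
    if idx < 0:
        return None
    return target[idx + len(STORE_MARKER):]

def first_seen(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (host, executable) pairs the first time each appears; repeated
    writes for the same binary on the same host are dropped to cut noise."""
    seen = set()
    out = []
    for ev in events:
        exe = new_application(ev)  # None when the rule does not match
        if exe is None:
            continue
        key = (ev.get("Computer", "").lower(), exe.lower())
        if key not in seen:
            seen.add(key)
            out.append((ev.get("Computer", ""), exe))
    return out

# Constructed sample events (assumed field names follow Sysmon Event ID 13).
HKU = "HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
SAMPLE_EVENTS = [
    {"EventID": "13", "Computer": "WS01", "TargetObject": HKU + STORE_MARKER + "C:\\Users\\alice\\Downloads\\setup.exe"},
    {"EventID": "13", "Computer": "WS01", "TargetObject": HKU + "\\Run\\OneDrive"},
    {"EventID": "13", "Computer": "WS01", "TargetObject": HKU + STORE_MARKER + "C:\\Users\\alice\\Downloads\\setup.exe"},
    {"EventID": "13", "Computer": "WS02", "TargetObject": HKU + STORE_MARKER + "C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe"},
]

if __name__ == "__main__":
    for host, exe in first_seen(SAMPLE_EVENTS):
        print(f"{host}: first execution of {exe}")
```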
Related rules
- Active Directory Kerberos DLL Loaded Via Office Application
- Active Directory Parsing DLL Loaded Via Office Application
- CLR DLL Loaded Via Office Applications
- DotNET Assembly DLL Loaded Via Office Application
- Download From Suspicious TLD - Blacklist