Potential Persistence Via AppCompat RegisterAppRestart Layer
Detects the setting of the REGISTERAPPRESTART compatibility layer on an application. Compatibility layers are stored as registry values under HKLM (all users) or HKCU (current user) at SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers, where the value name is the full path of the target executable and the value data is the list of layer names applied to it. The REGISTERAPPRESTART layer makes the shim engine call the "RegisterApplicationRestart" API on the application's behalf, so Windows relaunches the program after it is terminated by the Restart Manager (for example across an update-driven reboot) or after it crashes or hangs. An attacker who can write that value can therefore have an arbitrary executable restarted without touching the usual autorun locations, which is why the rule treats the write as potential persistence.
Sigma rule
title: Potential Persistence Via AppCompat RegisterAppRestart Layer
id: b86852fb-4c77-48f9-8519-eb1b2c308b59
status: test
description: |
    Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.
    This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API.
    This can be potentially abused as a persistence mechanism.
references:
    - https://github.com/nasbench/Misc-Research/blob/d114d6a5e0a437d3818e492ef9864367152543e7/Other/Persistence-Via-RegisterAppRestart-Shim.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-01-01
tags:
    - attack.persistence
    - attack.t1546.011
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\'
        Details|contains: 'REGISTERAPPRESTART'
    condition: selection
falsepositives:
    - Legitimate applications making use of this feature for compatibility reasons
level: medium
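To make the selection concrete, the following is an added example (not part of the Sigma rule, the SigmaHQ project, or the referenced research) that evaluates the rule's two `contains` conditions over a few constructed Sysmon Event ID 13 records and pulls out the executable the layer applies to, which is what an analyst needs for triage. Field names follow Sysmon's registry events; the sample events, SIDs, process images and paths are made up for the demonstration.

```python
"""Added example (not part of the Sigma rule or the SigmaHQ project): evaluate the
rule's two 'contains' conditions over constructed Sysmon Event ID 13 records and
extract the shimmed executable for triage."""

import re
from dataclasses import dataclass

# Same strings as the Sigma selection. Note the trailing backslash: everything after
# 'Layers\' in TargetObject is the registry value name, which for this key is the full
# path of the executable the compatibility layer applies to.
LAYERS_KEY_FRAGMENT = "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers\\"
LAYER_TOKEN = "REGISTERAPPRESTART"


@dataclass(frozen=True)
class Match:
    image: str          # process that wrote the value (Sysmon 'Image')
    shimmed_exe: str    # executable the compatibility layer applies to
    layers: tuple       # all layer tokens present in the value, upper-cased


def matches_selection(event: dict) -> bool:
    """Sigma '|contains' is case-insensitive by default, so fold both sides."""
    target = event.get("TargetObject", "").casefold()
    details = event.get("Details", "").casefold()
    return (LAYERS_KEY_FRAGMENT.casefold() in target
            and LAYER_TOKEN.casefold() in details)


def parse_layers(details: str) -> tuple:
    """Layer values are space-separated layer names. Entries written through the
    Compatibility tab may start with a '~' marker, which is not a layer name."""
    return tuple(tok.upper() for tok in details.split() if tok != "~")


def evaluate(events) -> list:
    """Return one Match per event that satisfies the selection. The registry_set
    logsource corresponds to Sysmon Event ID 13 (SetValue); Sigma backends add that
    filter from the logsource, so it is applied here explicitly rather than being
    part of the selection itself."""
    hits = []
    for ev in events:
        if ev.get("EventType", "SetValue") != "SetValue" or not matches_selection(ev):
            continue
        target = ev["TargetObject"]
        # Locate the key fragment case-insensitively in the original string so the
        # slice that follows it is taken from the unmodified TargetObject.
        m = re.search(re.escape(LAYERS_KEY_FRAGMENT), target, re.IGNORECASE)
        hits.append(Match(ev.get("Image", "?"), target[m.end():], parse_layers(ev["Details"])))
    return hits


# Constructed sample events (not real telemetry), modelled on Sysmon Event ID 13 fields.
SAMPLE_EVENTS = [
    {   # per-user layer written via reg.exe (Sysmon reports HKCU as HKU\<SID>): should match
        "EventType": "SetValue",
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers\\C:\\Users\\alice\\AppData\\Roaming\\update.exe",
        "Details": "~ REGISTERAPPRESTART",
    },
    {   # machine-wide, mixed case and combined with another layer: should still match
        "EventType": "SetValue",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers\\C:\\ProgramData\\svc\\agent.exe",
        "Details": "RunAsAdmin RegisterAppRestart",
    },
    {   # ordinary compatibility fix on the same key: must not match
        "EventType": "SetValue",
        "Image": "C:\\Windows\\explorer.exe",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers\\C:\\Games\\old.exe",
        "Details": "~ HIGHDPIAWARE WIN7RTM",
    },
    {   # the token appearing under an unrelated key: must not match
        "EventType": "SetValue",
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Contoso\\Config\\Mode",
        "Details": "REGISTERAPPRESTART",
    },
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"{hit.image} set layers {' '.join(hit.layers)} on {hit.shimmed_exe}")
```

Two points the example makes that the rule text alone does not: the matched TargetObject already carries the path of the executable that will be restarted, so triage should pivot on that path (an unsigned binary under a user-writable directory is the interesting case) and on the writing process (reg.exe, PowerShell or an arbitrary binary rather than explorer.exe handling the Compatibility tab); and because layer values can carry several names at once, the match must be a substring test on Details rather than an equality check, which the rule's `|contains` modifier already provides.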
Related rules
- Suspicious Shim Database Patching Activity
- Potential Persistence Via Shim Database In Uncommon Location
- Potential Persistence Via Shim Database Modification
- Potential Shim Database Persistence via Sdbinst.EXE
- Uncommon Extension Shim Database Installation Via Sdbinst.EXE