Potential Persistence Via AppCompat RegisterAppRestart Layer
Detects the setting of the REGISTERAPPRESTART compatibility layer on an application. This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API. This can be potentially abused as a persistence mechanism.
Sigma rule
```yaml
title: Potential Persistence Via AppCompat RegisterAppRestart Layer
id: b86852fb-4c77-48f9-8519-eb1b2c308b59
status: test
description: |
    Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.
    This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API.
    This can be potentially abused as a persistence mechanism.
references:
    - https://github.com/nasbench/Misc-Research/blob/d114d6a5e0a437d3818e492ef9864367152543e7/Other/Persistence-Via-RegisterAppRestart-Shim.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-01-01
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.011
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\'
        Details|contains: 'REGISTERAPPRESTART'
    condition: selection
falsepositives:
    - Legitimate applications making use of this feature for compatibility reasons
level: medium
```
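To show what the selection above actually matches, here is an added example (not code from the Sigma project or the rule author) that applies the two `contains` conditions to constructed Sysmon Event ID 13 (registry_set) records and lists the hits for triage; the field names follow the Sysmon registry-event schema, while the paths, SID and process names are invented.

```python
from typing import Dict, Iterable, List

# The two selection values from the rule. Sigma's 'contains' is a
# case-insensitive substring test, so both sides are lower-cased below.
LAYERS_KEY_FRAGMENT = "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers\\"
LAYER_TOKEN = "REGISTERAPPRESTART"


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when the record satisfies the rule's 'selection' block."""
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    return LAYERS_KEY_FRAGMENT.lower() in target and LAYER_TOKEN.lower() in details


def find_hits(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    return [e for e in events if matches_rule(e)]


def triage(events: Iterable[Dict[str, str]]) -> List[str]:
    """One line per hit: the process that wrote the layer and the application
    it applies to (the key's last component), which is what an analyst weighs
    against the rule's stated false positive (legitimate compatibility use)."""
    lines = []
    for e in find_hits(events):
        app = e["TargetObject"].split("\\Layers\\", 1)[1]
        lines.append(f"{e.get('Image', '?')} set {LAYER_TOKEN} for {app}")
    return lines


# Constructed sample events (hypothetical values, not real telemetry).
SAMPLE_EVENTS = [
    {   # Layer written under a user hive for a binary in Temp: matches
        "EventType": "SetValue",
        "Image": "C:\\Users\\alice\\Downloads\\installer.exe",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Microsoft\\Windows NT"
                        "\\CurrentVersion\\AppCompatFlags\\Layers\\C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
        "Details": "~ REGISTERAPPRESTART",
    },
    {   # Same Layers key, but a different compatibility layer: no match
        "EventType": "SetValue",
        "Image": "C:\\Windows\\explorer.exe",
        "TargetObject": "HKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers\\C:\\Tools\\legacy.exe",
        "Details": "~ HIGHDPIAWARE",
    },
    {   # Token written somewhere outside the Layers key: no match
        "EventType": "SetValue",
        "Image": "C:\\Program Files\\Example\\svc.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Example\\Config\\Mode",
        "Details": "REGISTERAPPRESTART",
    },
]
```

Because the rule keys only on the Layers path and the layer token, the `Image` and the target application path are what separate a packaged legacy application from an unexpected binary in a user-writable directory.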
Related rules
- Potential Persistence Via Shim Database In Uncommon Location
- Potential Persistence Via Shim Database Modification
- Suspicious Shim Database Patching Activity
- Potential Shim Database Persistence via Sdbinst.EXE
- Uncommon Extension Shim Database Installation Via Sdbinst.EXE