Potential Persistence Via AppCompat RegisterAppRestart Layer

Detects the setting of the REGISTERAPPRESTART compatibility layer on an application. This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API, which can potentially be abused as a persistence mechanism.

Sigma rule

title: Potential Persistence Via AppCompat RegisterAppRestart Layer
id: b86852fb-4c77-48f9-8519-eb1b2c308b59
status: experimental
description: |
    Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.
    This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API.
    This can be potentially abused as a persistence mechanism.
references:
    - https://github.com/nasbench/Misc-Research/blob/d114d6a5e0a437d3818e492ef9864367152543e7/Other/Persistence-Via-RegisterAppRestart-Shim.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-01-01
tags:
    - attack.persistence
    - attack.t1546.011
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\'
        Details|contains: 'REGISTERAPPRESTART'
    condition: selection
falsepositives:
    - Legitimate applications making use of this feature for compatibility reasons
level: medium
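
The rule's selection logic evaluated over constructed registry value-set events, as an added example that is not part of the original rule or its project. The event dictionaries, the `Image` field, and the `triage` helper are assumptions made for illustration.

```python
# Added example: the rule's selection applied to constructed events.
LAYERS_KEY = r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" + "\\"
LAYER_NAME = "REGISTERAPPRESTART"


def contains(value, needle):
    """Sigma's |contains modifier: case-insensitive substring match."""
    return needle.lower() in (value or "").lower()


def match(event):
    """Both fields under 'selection' must match (logical AND)."""
    return (contains(event.get("TargetObject"), LAYERS_KEY)
            and contains(event.get("Details"), LAYER_NAME))


def triage(event):
    """Hypothetical helper: summarise a matching event for an analyst."""
    target = event["TargetObject"]
    idx = target.lower().index(LAYERS_KEY.lower())
    return {
        "hive": target.split("\\")[0],
        # The value name under Layers\ is the path of the affected executable.
        "application": target[idx + len(LAYERS_KEY):],
        # Drop non-alphanumeric marker tokens such as "~".
        "layers": [t for t in event["Details"].split() if t.isalnum()],
        "set_by": event.get("Image"),
    }


def run(events):
    return [triage(e) for e in events if match(e)]


# Constructed events; field names as assumed for a registry_set log source.
EVENTS = [
    {"TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     + LAYERS_KEY + r"C:\Users\Public\updater.exe",
     "Details": "~ REGISTERAPPRESTART", "Image": r"C:\Windows\System32\reg.exe"},
    {"TargetObject": "HKLM" + LAYERS_KEY + r"C:\Program Files\Legacy\app.exe",
     "Details": "~ RUNASADMIN", "Image": r"C:\Windows\explorer.exe"},
    {"TargetObject": r"HKLM\SOFTWARE\Example\Notes",          # wrong key, right string
     "Details": "REGISTERAPPRESTART", "Image": r"C:\Tools\editor.exe"},
    {"TargetObject": "HKLM" + LAYERS_KEY.lower() + r"D:\Tools\agent.exe",
     "Details": "~ RunAsAdmin registerapprestart", "Image": r"C:\Windows\regedit.exe"},
]

if __name__ == "__main__":
    for hit in run(EVENTS):
        print(hit)
```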
