Potential Persistence Via AppCompat RegisterAppRestart Layer
Detects the setting of the REGISTERAPPRESTART compatibility layer on an application. This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API. This can be potentially abused as a persistence mechanism.
Sigma rule (View on GitHub)
1title: Potential Persistence Via AppCompat RegisterAppRestart Layer
2id: b86852fb-4c77-48f9-8519-eb1b2c308b59
3status: experimental
4description: |
5 Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.
6 This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API.
7 This can be potentially abused as a persistence mechanism.
8references:
9 - https://github.com/nasbench/Misc-Research/blob/d114d6a5e0a437d3818e492ef9864367152543e7/Other/Persistence-Via-RegisterAppRestart-Shim.md
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2024/01/01
12tags:
13 - attack.persistence
14 - attack.t1546.011
15logsource:
16 category: registry_set
17 product: windows
18detection:
19 selection:
20 TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\'
21 Details|contains: 'REGISTERAPPRESTART'
22 condition: selection
23falsepositives:
24 - Legitimate applications making use of this feature for compatibility reasons
25level: medium
References
Related rules
- Uncommon Extension Shim Database Installation Via Sdbinst.EXE
- Potential Shim Database Persistence via Sdbinst.EXE
- Suspicious Shim Database Patching Activity
- Potential Persistence Via Shim Database In Uncommon Location
- Potential Persistence Via Shim Database Modification