legitimate applications making use of this feature for compatibility reasons

t1546
t1546.011
windows
sigma

Techniques

t1546
t1546.011

Sample rules

Potential Persistence Via AppCompat RegisterAppRestart Layer

source: sigma
technicques:
- t1546
- t1546.011

Description

Detects the setting of the REGISTERAPPRESTART compatibility layer on an application. This compatibility layer allows an application to register for restart using the “RegisterApplicationRestart” API. This can be potentially abused as a persistence mechanism.

Detection logic

condition: selection
selection:
  Details|contains: REGISTERAPPRESTART
  TargetObject|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\