Detects the setting of the REGISTERAPPRESTART compatibility layer on an application. This compatibility layer allows an application to register for restart using the “RegisterApplicationRestart” API.
title: Potential Persistence Via AppCompat RegisterAppRestart Layer
id: b86852fb-4c77-48f9-8519-eb1b2c308b59
status: test
description: |
Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.
This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API.
This can be potentially abused as a persistence mechanism.
references:
- https://github.com/nasbench/Misc-Research/blob/d114d6a5e0a437d3818e492ef9864367152543e7/Other/Persistence-Via-RegisterAppRestart-Shim.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-01-01
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.011
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\'
Details|contains: 'REGISTERAPPRESTART'
condition: selection
falsepositives:
- Legitimate applications making use of this feature for compatibility reasons
level: medium
imRegistry
| where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers*" and RegistryValueData contains "REGISTERAPPRESTART"DeviceRegistryEvents
| where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers*" and RegistryValueData contains "REGISTERAPPRESTART"| Sentinel Table | Notes |
|---|---|
imRegistry | Ensure this data connector is enabled |