← Back to Explore
sigmainformationalHunting
New Application in AppCompat
A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.
Detection Query
selection:
TargetObject|contains: \AppCompatFlags\Compatibility Assistant\Store\
condition: selection
Author
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
Created
2020-05-02
Data Sources
windowsRegistry Set Events
Platforms
windows
References
Tags
attack.executionattack.t1204.002
Raw Content
title: New Application in AppCompat
id: 60936b49-fca0-4f32-993d-7415edcf9a5d
status: test
description: A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/1
- https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2023-08-17
tags:
- attack.execution
- attack.t1204.002
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains: '\AppCompatFlags\Compatibility Assistant\Store\'
condition: selection
falsepositives:
- This rule is to explore new applications on an endpoint. False positives depends on the organization.
- Newly setup system.
- Legitimate installation of new application.
level: informational