← Back to Explore
sigmamediumHunting
Potential Persistence Via Microsoft Compatibility Appraiser
Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks. In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.
Detection Query
selection_img:
- Image|endswith: \schtasks.exe
- OriginalFileName: schtasks.exe
selection_cli:
CommandLine|contains|all:
- "run "
- \Application Experience\Microsoft Compatibility Appraiser
condition: all of selection_*
Author
Sreeman
Created
2020-09-29
Data Sources
windowsProcess Creation Events
Platforms
windows
Tags
attack.privilege-escalationattack.executionattack.persistenceattack.t1053.005
Raw Content
title: Potential Persistence Via Microsoft Compatibility Appraiser
id: f548a603-c9f2-4c89-b511-b089f7e94549
related:
- id: 73a883d0-0348-4be4-a8d8-51031c2564f8
type: derived
status: test
description: |
Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks.
In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.
references:
- https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
author: Sreeman
date: 2020-09-29
modified: 2023-02-10
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli:
CommandLine|contains|all:
- 'run '
- '\Application Experience\Microsoft Compatibility Appraiser'
condition: all of selection_*
falsepositives:
- Unknown
level: medium