sigmaDRL-1.1from SigmaHQ/sigma
New Application in AppCompat
A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.
Quality
100
FP risk
—
Forks
0
Views
0
ATT&CK techniques
Rule sourcerules/windows/registry/registry_set/registry_set_new_application_appcompat.yml
title: New Application in AppCompat
id: 60936b49-fca0-4f32-993d-7415edcf9a5d
status: test
description: A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/1
- https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2023-08-17
tags:
- attack.execution
- attack.t1204.002
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains: '\AppCompatFlags\Compatibility Assistant\Store\'
condition: selection
falsepositives:
- This rule is to explore new applications on an endpoint. False positives depends on the organization.
- Newly setup system.
- Legitimate installation of new application.
level: informational