
Potential Persistence Via AppCompat RegisterAppRestart Layer (b86852fb-4c77-48f9-8519-eb1b2c308b59)

Detects the setting of the REGISTERAPPRESTART compatibility layer on an application. This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API. This can be potentially abused as a persistence mechanism.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Application Shimming - T1546.011 (42fe883a-21ea-4cfb-b94a-78b6476dcc83) | Attack Pattern | Potential Persistence Via AppCompat RegisterAppRestart Layer (b86852fb-4c77-48f9-8519-eb1b2c308b59) | Sigma-Rules | 1 |
| Application Shimming - T1546.011 (42fe883a-21ea-4cfb-b94a-78b6476dcc83) | Attack Pattern | Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) | Attack Pattern | 2 |