TelemetryController
Location:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController
Classification:
| Criteria | Value |
|---|---|
| Permissions | Admin |
| Security context | System |
| Persistence type | Registry |
| Code type | EXE |
| Launch type | Automatic1 |
| Impact | Non-destructive |
| OS Version | All OS versions |
| Dependencies | OS only |
| Toolset | Scriptable |
Description:
The Windows Compatibility Telemetry system makes use of the CompatTelRunner.exe binary to run a variety of telemetry tasks. It relies on the registry for instructions on which commands to run. The problem is that it will run any arbitrary command without restriction of location or type.
References:
- https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
- https://www.scythe.io/library/windows-telemetry-persistence
Credits:
See also:
Remarks:
-
Active network connection required ↩