June’s Threat Thursday will focus on a unique persistence method that is not widely used by threat actors, but works all the way through at least Windows 11 21H2. In 2020 a few researchers from TrustedSec outlined a unique method of persistence that leverages Windows Telemetry. Collection of telemetry, or diagnostic data, is built into the operating system and used by Microsoft for a myriad of purposes. For example, Microsoft uses this data to identify security issues, improve reliability, analyze/fix software problems, and improve quality or design decisions for future releases.
To briefly summarize the persistence method discovered by TrustedSec, Windows comes with an executable, C:\Windows\System32\CompatTelRunner.exe, that is used to run a variety of telemetry-related tasks. This binary was designed to be extensible and relies on the registry to provide instructions on what commands to run. All one needs to do to set up persistence is:
- Create a registry key of any name under: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController
- Inside this key, create a REG_SZ value named “Command” and set its data to the .exe file you would like to run
- Create DWORD values for Maintenance, Nightly, and Oobe and set them each equal to 1 (the Nightly value alone is enough for the executable to run once every 24 hours)
After this, the specified .exe file will run periodically from a Windows scheduled task as SYSTEM.
This is an interesting method of persistence because it involves indirect execution. As the original authors pointed out, this should not be misinterpreted as a security concern or a vulnerability. Administrator-level privileges are required to modify the registry keys and if a threat actor has the ability to do so, they likely have many other options for exploitation. It is, nevertheless, a very easy method of privilege escalation from admin to system level.
We wondered if this method would still work on Windows 11. It turns out it does, so we’ve built out an emulation in SCYTHE that demonstrates this. The campaign will download a benign executable (benign.exe), create the registry keys, and then manually trigger the scheduled task to run benign.exe. The benign.exe provided doesn’t take any observable action on the system, other than writing to the debug console. We use this at SCYTHE to provide opportunities for detection engineering based on successful process execution alone. This allows teams to focus on the parent/child relationship of processes for detection, rather than incorrectly anchoring on the actions performed by the child process (such as writing a registry value or a file).
Take note that the last command simply triggers the scheduled task manually rather than waiting for it to occur. Included in the campaign after a 5 minute delay are “clean up” steps that will remove the benign.exe file and all registry keys that were created. This emulation will need to be “run as administrator” in order to succeed.
Fig. 1: Screenshot of Sysmon log showing execution of benign.exe with a parent process of C:\Windows\System32\CompatTelRunner.exe
The first detection opportunity exists around the downloading of a file from GitHub.
It’s uncommon for users outside of Information Technology to download files from GitHub, and where possible it is recommended to block any requests to GitHub for those general users. Implementation is highly dependent on the organization, so adapt this recommendation to your environment accordingly.
Another area for prevention and detection is to block or alert on PowerShell connecting to external domains and IP addresses. This type of rule will likely need baselining for certain destinations, source machines, or source users.
Key Value Set
The next key detection opportunity is the registry value set that writes the “Command” value and the persistence file, which the following scheduled task steps are predicated on. To detect this value set there are a few Sigma rules we recommend below. Note that each will have to be tailored to the environment it is deployed in. Additionally, advanced organizations may look to baseline or hunt on any registry adds to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\.
- Note that for this rule we recommend removing the ‘details containing .exe’ logic to search for any type of potentially malicious file.
The final detection opportunity we are presented with is a command line containing schtasks and ‘\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser’. This is applicable if the actor manually tests the scheduled task.
It’s worth noting that further hunts or rules may be built for activity that follows should the task be successfully scheduled. To do so, investigate abnormal child processes spawning from CompatTelRunner.exe. For our logic we used the following search in Splunk™, and, as shown, could easily baseline this as a rule in our environment.
ParentImage="C:\\Windows\\System32\\CompatTelRunner.exe" AND Image=* | rare limit=20 ParentImage,Image
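The three detection points described above (the “Command” value set, the manual schtasks run, and unusual CompatTelRunner.exe children) can be prototyped against exported events before committing them to SIEM rules. The following is an added example, not SCYTHE's or TrustedSec's code: field names follow Sysmon Event IDs 1 and 13, and the sample events, the C:\Temp path, the "Example" key name and the child-process baseline are constructed assumptions.

```python
# Added example: triage Sysmon-style events for the three detection points above.
# Field names follow Sysmon Event IDs 1 and 13; events and baseline are constructed.
TC_KEY = (r"hklm\software\microsoft\windows nt\currentversion"
          r"\appcompatflags\telemetrycontroller") + "\\"
RUNNER = r"c:\windows\system32\compattelrunner.exe"
TASK = r"\microsoft\windows\application experience\microsoft compatibility appraiser"
# Assumption: child images your own baseline shows under CompatTelRunner.exe.
BASELINE_CHILDREN = {RUNNER}

def triage(event, baseline=BASELINE_CHILDREN):
    """Return a finding label for one event, or None if nothing matches."""
    eid = event.get("EventID")
    if eid == 13:  # registry value set
        target = event.get("TargetObject", "").lower()
        # <TelemetryController>\<any subkey>\Command, whatever the file type is
        if target.startswith(TC_KEY) and target.endswith("\\command"):
            return "telemetry_command_set"
    elif eid == 1:  # process creation
        cmd = event.get("CommandLine", "").lower()
        if "schtasks" in cmd and TASK in cmd:
            return "appraiser_task_manual_run"
        parent = event.get("ParentImage", "").lower()
        if parent == RUNNER and event.get("Image", "").lower() not in baseline:
            return "unusual_compattelrunner_child"
    return None

def hunt(events):
    """Return (Image, label) for every event that produced a finding."""
    return [(e["Image"], label) for e in events if (label := triage(e))]

TC = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController"
SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [  # constructed for illustration, not captured logs
    {"EventID": 13, "Image": SYS32 + r"\reg.exe",
     "TargetObject": TC + r"\Example\Command", "Details": r"C:\Temp\benign.exe"},
    {"EventID": 13, "Image": SYS32 + r"\reg.exe",
     "TargetObject": TC + r"\Example\Nightly", "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Image": SYS32 + r"\schtasks.exe", "ParentImage": SYS32 + r"\cmd.exe",
     "CommandLine": 'schtasks /run /tn "\\Microsoft\\Windows\\Application Experience'
                    '\\Microsoft Compatibility Appraiser"'},
    {"EventID": 1, "Image": r"C:\Temp\benign.exe", "CommandLine": r"C:\Temp\benign.exe",
     "ParentImage": SYS32 + r"\CompatTelRunner.exe"},
    {"EventID": 1, "Image": SYS32 + r"\CompatTelRunner.exe", "CommandLine": "CompatTelRunner.exe",
     "ParentImage": SYS32 + r"\CompatTelRunner.exe"},
]

if __name__ == "__main__":
    for image, label in hunt(SAMPLE_EVENTS):
        print(f"{label}: {image}")
```

Replace BASELINE_CHILDREN with the child images observed in your own environment; the registry check deliberately ignores the file extension in Details, in line with the note on the Sigma rule above.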
This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.
About the Authors:
Kristen Cotten is a Cyber Threat Intelligence Analyst at SCYTHE. Prior to joining the herd she worked for the United States Department of the Army in various roles ranging from network and system administration to vulnerability management and cyber compliance. She has a penchant for solving technical puzzles, leaping from perfectly good airplanes (or cliffs), and finding the best local hole-in-the-wall restaurants. If you want to talk about foreign travel, sports nutrition, or why Episodes 4-6 are the only Star Wars movies that matter, she's your girl!
Christopher Peacock is an Adversary Emulation - Detection Engineer at SCYTHE, specializing in Purple Team Exercises and Detection Engineering. His previous experience includes multiple roles such as Cyber Threat Intelligence Analyst, Cyber Threat Hunter, Tier 3 SOC Analyst, Incident Responder, Cyber Security Consultant, and Purple Team Lead. He previously worked at Raytheon Intelligence & Space and General Dynamics Ordnance & Tactical Systems. Additionally, he has experience in multiple industries, including Energy, Finance, Healthcare, Technology, and Defense. Current certifications include GCTI, GCFA, GCED, eJPT, and CSIS.
Jake Williams, a cybersecurity expert, has two decades of experience in secure network design, penetration testing, incident response, forensics and malware reverse engineering. He has worked with many government agencies in information security at federal, state, and local levels. Williams is an IANS Faculty Member and also works as a SANS Analyst. He is a prolific speaker on topics in information security and has trained thousands of people on incident response, red team operations, reverse engineering, cyber threat intelligence, and other information security topics. Jake is the two-time winner of the DC3 Digital Forensics Challenge, a recipient of the DoD Exceptional Civilian Service Award, and is one of only a handful of people to ever be certified as Master Network Exploitation Operator by the US Government.
Abusing Windows Telemetry for Persistence - TrustedSec
Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Docs