Detectionhightest

Potential Registry Persistence Attempt Via Windows Telemetry

Detects potential persistence behavior using the windows telemetry registry key. Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Lednyov Alexey, oscd.community, SreemanCreated Fri Oct 16Updated Thu Aug 1773a883d0-0348-4be4-a8d8-51031c2564f8windows

Log Source

WindowsRegistry Set

ProductWindows← raw: windows

CategoryRegistry Set← raw: registry_set

Definition

Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLM hives

Detection Logic

detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\'
        TargetObject|endswith: '\Command'
        Details|contains:
            - '.bat'
            - '.bin'
            - '.cmd'
            - '.dat'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.jar'
            - '.js'
            - '.msi'
            - '.ps'
            - '.sh'
            - '.vb'
    filter_main_generic:
        Details|contains:
            - '\system32\CompatTelRunner.exe'
            - '\system32\DeviceCensus.exe'
    condition: selection and not 1 of filter_main_*