Detection rules › Sigma
Potential Registry Persistence Attempt Via Windows Telemetry
Detects potential persistence behavior using the windows telemetry registry key. Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1053.005 Scheduled Task/Job: Scheduled Task |
| Persistence | T1053.005 Scheduled Task/Job: Scheduled Task |
| Privilege Escalation | T1053.005 Scheduled Task/Job: Scheduled Task |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 13 | RegistryEvent (Value Set) |
Stages and Predicates
Stage 1: selection
or:
Details|contains: .bat
Details|contains: .bin
Details|contains: .cmd
Details|contains: .dat
Details|contains: .dll
Details|contains: .exe
Details|contains: .hta
Details|contains: .jar
Details|contains: .js
Details|contains: .msi
Details|contains: .ps
Details|contains: .sh
Details|contains: .vb
TargetObject|endswith: '\Command'
TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\'
Stage 2: not 1 of filter_main_generic
or:
Details|contains: '\system32\CompatTelRunner.exe'
Details|contains: '\system32\DeviceCensus.exe'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Details | match |
|
TargetObject | ends_with |
|
TargetObject | match |
|