SPL | Apache-2.0 | from splunk/security_content
Windows Compatibility Telemetry Suspicious Child Process
The following analytic detects the execution of CompatTelRunner.exe with parameters indicative of a process not part of the normal "Microsoft Compatibility Appraiser" telemetry collection. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line arguments. This activity is significant because CompatTelRunner.exe and the "Microsoft Compatibility Appraiser" task always run as System and can be used to elevate privileges or establish a highly privileged persistence mechanism. If confirmed malicious, this could enable unauthorized code execution, privilege escalation, or persistent access to the compromised system.
Rule source: detections/endpoint/windows_compatibility_telemetry_suspicious_child_process.yml
| tstats `security_content_summariesonly` count min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes
    WHERE Processes.parent_process_name = "CompatTelRunner.exe"
    AND Processes.process="* -cv:*" NOT Processes.process IN ("* -m:*")
    BY Processes.action Processes.dest Processes.original_file_name
       Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
       Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
       Processes.process Processes.process_exec Processes.process_guid
       Processes.process_hash Processes.process_id Processes.process_integrity_level
       Processes.process_name Processes.process_path Processes.user
       Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_compatibility_telemetry_suspicious_child_process_filter`