SPL · Apache-2.0 · from splunk/security_content
Windows Compatibility Telemetry Tampering Through Registry
This detection identifies suspicious modifications to the Windows Compatibility Telemetry registry settings, specifically within the "TelemetryController" registry key and "Command" registry value. It leverages data from the Endpoint.Registry data model, focusing on registry paths and values indicative of such changes. This activity is significant because CompatTelRunner.exe and the "Microsoft Compatibility Appraiser" task always run as System and can be used to elevate privileges or establish a highly privileged persistence mechanism. If confirmed malicious, this could enable unauthorized code execution, privilege escalation, or persistent access to the compromised system.
Quality: 67 · FP risk: —
Rule source: detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml
| tstats `security_content_summariesonly` min(_time) as firstTime, max(_time) as lastTime, count FROM datamodel=Endpoint.Registry
WHERE (
Registry.registry_path = "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController*"
AND
Registry.registry_value_name="Command" NOT Registry.registry_value_data IN ("(empty)")
)
BY Registry.action Registry.dest Registry.process_guid
Registry.process_id Registry.registry_hive Registry.registry_path
Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name
Registry.registry_value_type Registry.status Registry.user
Registry.vendor_product
| `drop_dm_object_name(Registry)`
| eval process = registry_value_data
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_compatibility_telemetry_tampering_through_registry_filter`
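The following is an added example, not part of the splunk/security_content rule above, that re-implements the SPL's WHERE clause and the tstats grouping in plain Python so the logic can be exercised against a handful of constructed registry events offline. The event dictionaries, hostnames, value data and timestamps are all made up for illustration; field names follow the Endpoint.Registry data model fields the rule groups by. String comparisons are done case-insensitively, which is an assumption about how the Splunk search matches these fields.

```python
import fnmatch
from collections import defaultdict

# Same wildcard the SPL uses on Registry.registry_path.
PATH_PATTERN = "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController*"

# Subset of the BY fields from the tstats clause used to aggregate results.
GROUP_FIELDS = ("action", "dest", "user", "registry_hive", "registry_path",
                "registry_value_name", "registry_value_data")

# Constructed sample events (not real telemetry) in the shape of the data model.
TELEMETRY_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController"
SAMPLE_EVENTS = [
    # Two modifications of a "Command" value under TelemetryController on ws01: should match.
    {"_time": "2024-05-01T10:00:00", "dest": "ws01", "user": "CORP\\alice", "action": "modified",
     "registry_hive": "HKLM", "registry_path": TELEMETRY_KEY + "\\ExampleSubkey",
     "registry_value_name": "Command", "registry_value_data": "C:\\Users\\Public\\updater.exe"},
    {"_time": "2024-05-01T10:05:00", "dest": "ws01", "user": "CORP\\alice", "action": "modified",
     "registry_hive": "HKLM", "registry_path": TELEMETRY_KEY + "\\ExampleSubkey",
     "registry_value_name": "Command", "registry_value_data": "C:\\Users\\Public\\updater.exe"},
    # "Command" cleared to (empty): excluded by NOT registry_value_data IN ("(empty)").
    {"_time": "2024-05-01T11:00:00", "dest": "ws02", "user": "NT AUTHORITY\\SYSTEM", "action": "modified",
     "registry_hive": "HKLM", "registry_path": TELEMETRY_KEY + "\\ExampleSubkey",
     "registry_value_name": "Command", "registry_value_data": "(empty)"},
    # Same key but a different (constructed) value name: excluded by registry_value_name="Command".
    {"_time": "2024-05-01T11:30:00", "dest": "ws02", "user": "NT AUTHORITY\\SYSTEM", "action": "modified",
     "registry_hive": "HKLM", "registry_path": TELEMETRY_KEY + "\\ExampleSubkey",
     "registry_value_name": "SomeOtherValue", "registry_value_data": "1"},
    # A "Command" value under an unrelated key: excluded by the path wildcard.
    {"_time": "2024-05-01T12:00:00", "dest": "ws03", "user": "CORP\\bob", "action": "created",
     "registry_hive": "HKLM", "registry_path": "HKLM\\SOFTWARE\\Vendor\\App",
     "registry_value_name": "Command", "registry_value_data": "C:\\Program Files\\Vendor\\app.exe"},
]


def matches_rule(event):
    """Mirror of the SPL WHERE clause: TelemetryController path, value name
    "Command", and value data that is not the literal "(empty)"."""
    path = event.get("registry_path", "").lower()
    if not fnmatch.fnmatchcase(path, PATH_PATTERN.lower()):
        return False
    if event.get("registry_value_name", "").lower() != "command":
        return False
    return event.get("registry_value_data", "(empty)").lower() != "(empty)"


def summarise(events):
    """Mirror of the tstats aggregation: min(_time), max(_time) and count per
    BY-field combination, plus the `eval process = registry_value_data` step.
    Timestamps are ISO-8601 strings, so plain string comparison orders them."""
    groups = defaultdict(lambda: {"firstTime": None, "lastTime": None, "count": 0})
    for ev in events:
        if not matches_rule(ev):
            continue
        key = tuple(ev.get(f, "") for f in GROUP_FIELDS)
        g = groups[key]
        t = ev["_time"]
        if g["firstTime"] is None or t < g["firstTime"]:
            g["firstTime"] = t
        if g["lastTime"] is None or t > g["lastTime"]:
            g["lastTime"] = t
        g["count"] += 1

    rows = []
    for key, g in groups.items():
        row = dict(zip(GROUP_FIELDS, key))
        row.update(g)
        row["process"] = row["registry_value_data"]  # eval process = registry_value_data
        rows.append(row)
    return sorted(rows, key=lambda r: (r["dest"], r["registry_path"]))


if __name__ == "__main__":
    for row in summarise(SAMPLE_EVENTS):
        print(f"{row['dest']} {row['user']} {row['registry_path']} "
              f"Command={row['process']} count={row['count']} "
              f"first={row['firstTime']} last={row['lastTime']}")
```

Running the script yields a single row for ws01 with count 2, which is the shape of result an analyst would triage: the `process` field (the "Command" data) is the binary the Compatibility Appraiser task would launch as SYSTEM, so the natural follow-up is to check that path's signer and origin on the host.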