Nterl0k - T1546 The curious case of CompatTelRunner and some sneaky persistence.

[nterl0k]

Details

2 detections aimed at the persistence and elevation abuse of CompatTelRunner.

https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence

Pending splunk/attack_data#961

Checklist

• Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
• CI/CD jobs passed ✔️
• Validated SPL logic.
• Validated tags, description, and how to implement.
• Verified references match analytic.
• Confirm updates to lookups are handled properly.

Notes For Submitters and Reviewers

• If you're submitting a PR from a fork, ensuring the box to allow updates from maintainers is checked will help speed up the process of getting it merged.
• Checking the output of the build CI job when it fails will likely show an error about what is failing. You may have a very descriptive error of the specific field(s) in the specific file(s) that is causing an issue. In some cases, its also possible there is an issue with the YAML. Many of these can be caught with the pre-commit hooks if you set them up. These errors will be less descriptive as to what exactly is wrong, but will give you a column and row position in a specific file where the YAML processing breaks. If you're having trouble with this, feel free to add a comment to your PR tagging one of the maintainers and we'll be happy to help troubleshoot it.
• Updates to existing lookup files can be tricky, because of how Splunk handles application updates and the differences between existing lookup files being updated vs new lookups. You can read more here but the short version is that any changes to lookup files need to bump the datestamp in the lookup CSV filename, and the reference to it in the YAML needs to be updated.

[nterl0k]

Thanks for keeping me honest nas, i'll touch these up.

________________________________ From: Nasreddine Bencherchali ***@***.***> Sent: Wednesday, February 19, 2025 1:31 PM To: splunk/security_content ***@***.***> Cc: Steven Dick ***@***.***>; Author ***@***.***> Subject: Re: [splunk/security_content] Nterl0k - T1546 The curious case of CompatTelRunner and some sneaky persistence. (PR #3333) @nasbench requested changes on this pull request.

________________________________ In detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml<#3333 (comment)>:

@@ -0,0 +1,69 @@

+name: Windows Compatibility Telemetry Tampering Through Registry +id: 43834687-cc48-4878-a2fa-f76e4271791f +version: 1 +date: '2025-02-13' +author: Steven Dick +status: production +type: TTP +description: The process $process_name$ was launched in a suspicious manner by $parent_process_name$ on host $dest$ ----- The following analytic detects the execution of CompatTelRunner.exe with parameters indicative of a process not part of the normal "Microsoft Compatibility Appraiser" telemetry collection. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line arguments. This activity is significant because CompatTelRunner.exe and the "Microsoft Compatibility Appraiser" task always run as System and can be used to elevate privileges or establish a highly privileged persistence mechanism. If confirmed malicious, this could enable unauthorized code execution, privilege escalation, or persistent access to the compromised system. The description needs updating

________________________________ In detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml<#3333 (comment)>:

+- Sysmon Event ID 12

+- Sysmon Event ID 13 +- Sysmon Event ID 14 Only EID 13 is important in this case, the others do no contain value data info ⬇️ Suggested change

-- Sysmon Event ID 12 -- Sysmon Event ID 13 -- Sysmon Event ID 14 +- Sysmon Event ID 13

________________________________ In detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml<#3333 (comment)>:

+tags:

+ analytic_story: + - Windows Persistence Techniques + asset_type: Endpoint + mitre_attack_id: + - T1546 + - T1053.005 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546/compattelrunner_abuse/compattelrunner_abuse.log The path is incorrect in the attack_data https://github.com/splunk/attack_data/pull/961/files Accidentally put inside adminsdholder_modified folder. Needs changing.

________________________________ In detections/endpoint/windows_compatibility_telemetry_suspicious_child_process.yml<#3333 (comment)>:

+tags:

+ analytic_story: + - Windows Persistence Techniques + asset_type: Endpoint + mitre_attack_id: + - T1546 + - T1053.005 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546/compattelrunner_abuse/compattelrunner_abuse.log The path is incorrect in the attack_data https://github.com/splunk/attack_data/pull/961/files Accidentally put inside adminsdholder_modified folder. Needs changing. — Reply to this email directly, view it on GitHub<#3333 (review)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AJIYP7RQNYXN2BDZ7UGAIT32QTEZVAVCNFSM6AAAAABXDO55JSVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZDMMRXGYZDENRVG4>. You are receiving this because you authored the thread.Message ID: ***@***.***>

[nasbench]

LGTM