{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/microsoft-compatibility-appraiser/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Compatibility Appraiser","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["high"],"_cs_tags":["persistence","scheduled_task","telemetry","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis rule detects a persistence technique that abuses the Microsoft Compatibility Appraiser scheduled task (CompatTelRunner.exe) to execute arbitrary code with SYSTEM privileges. Attackers can hijack this task by modifying registry values associated with the TelemetryController, causing CompatTelRunner.exe to launch malicious executables. This allows for a persistent presence on the system, bypassing traditional security measures by leveraging a legitimate Windows component. The attack relies on manipulating the expected behavior of the telemetry service to execute attacker-controlled code with elevated privileges. Detection focuses on identifying child processes of CompatTelRunner.exe that are not standard Windows utilities, indicating a potential compromise. This technique is significant because it enables attackers to maintain persistence even after system reboots, and the use of a trusted process makes it harder to detect.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system, potentially through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies registry keys under \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController\u003c/code\u003e to point to a malicious executable or script.\u003c/li\u003e\n\u003cli\u003eThe Microsoft Compatibility Appraiser scheduled task (CompatTelRunner.exe) is triggered, either manually or through its regular schedule.\u003c/li\u003e\n\u003cli\u003eCompatTelRunner.exe, due to the modified registry values, launches the attacker-controlled executable with SYSTEM privileges using the \u003ccode\u003e-cv\u003c/code\u003e flag to pass control.\u003c/li\u003e\n\u003cli\u003eThe malicious executable executes, performing actions such as installing malware, establishing a reverse shell, or exfiltrating sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker may further modify the system to ensure the malicious executable is launched persistently.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges gained to perform lateral movement or other malicious activities on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack allows the threat actor to establish persistent access to the compromised system with SYSTEM privileges. This can lead to a wide range of malicious activities, including data theft, installation of ransomware, or using the compromised system as a foothold for further attacks within the network. The high integrity level of the hijacked process grants the attacker significant control over the system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture \u003ccode\u003eevent.type == \u0026quot;start\u0026quot;\u003c/code\u003e and \u003ccode\u003eprocess.parent.name : \u0026quot;CompatTelRunner.exe\u0026quot;\u003c/code\u003e to enable the rules below.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Persistence via TelemetryController Scheduled Task Hijack\u0026rdquo; to your SIEM and tune for your environment to detect unexpected child processes of CompatTelRunner.exe.\u003c/li\u003e\n\u003cli\u003eMonitor registry modifications to \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController\u003c/code\u003e to detect unauthorized changes to telemetry settings.\u003c/li\u003e\n\u003cli\u003eInvestigate any processes launched by CompatTelRunner.exe with command-line arguments containing \u003ccode\u003e-cv\u003c/code\u003e that are not standard Windows utilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T18:41:07Z","date_published":"2026-05-12T18:41:07Z","id":"https://feed.craftedsignal.io/briefs/2026-05-telemetrycontroller-hijack/","summary":"The rule detects the hijack of the Microsoft Compatibility Appraiser scheduled task to establish persistence with system integrity level, by monitoring CompatTelRunner.exe process execution and detecting unexpected child processes.","title":"TelemetryController Scheduled Task Hijack for Persistence","url":"https://feed.craftedsignal.io/briefs/2026-05-telemetrycontroller-hijack/"}],"language":"en","title":"CraftedSignal Threat Feed — Microsoft Compatibility Appraiser","version":"https://jsonfeed.org/version/1.1"}