From ef6b0358f9728d4b3ae32ea580d6c71fc7f52628 Mon Sep 17 00:00:00 2001
From: abhijose09
Date: Wed, 17 Jul 2024 08:25:36 +0530
Subject: [PATCH] Update T1112.yaml (#2862)

New Test : Abusing Windows TelemetryController Registry Key for Persistence

Co-authored-by: Carrie Roberts
---
 atomics/T1112/T1112.yaml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml
index e3127098..c344a909 100644
--- a/atomics/T1112/T1112.yaml
+++ b/atomics/T1112/T1112.yaml
@@ -1277,3 +1277,25 @@ atomic_tests:
 reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePIN /f
 name: command_prompt
 elevation_required: true
+- name: Abusing Windows TelemetryController Registry Key for Persistence
+ description: |
+ The Windows Compatibility Telemetry system makes use of the CompatTelRunner.exe binary to run a variety of telemetry tasks. It relies on the registry for instructions on which commands to run.
+ It will run any arbitrary command without restriction of location or type. Blog :https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence
+ supported_platforms:
+ - windows
+ input_arguments:
+ new_key:
+ description: New Registry Key Added
+ type: string
+ default: NewKey
+ new_executable:
+ description: Custom Executable to run
+ type: string
+ default: C:\Windows\System32\notepad.exe
+ executor:
+ command: |
+ reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\#{new_key}" /t REG_SZ /v Command /d #{new_executable} /f
+ cleanup_command: |
+ reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\#{new_key}" /f
+ name: command_prompt
+ elevation_required: true
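Review bot: The `/d #{new_executable}` argument in the new `command:` is unquoted, so any override path containing a space (anything under `C:\Program Files\`, for example) is split into extra tokens and `reg add` fails with a syntax error; the bundled default only works because `C:\Windows\System32\notepad.exe` has no spaces. Quote the substituted value, `/d "#{new_executable}" /f`, which matches how the key path on the same line is already quoted. Separately, the test only stages the `Command` value and never triggers it, so nothing runs at test time; presumably the payload executes later when CompatTelRunner.exe is invoked by its scheduled task (as the linked blog describes), meaning a skipped cleanup leaves genuine persistence on the host. It is worth adding a sentence to `description:` such as `The executable is not run by this test; it runs the next time CompatTelRunner.exe is invoked, so run the cleanup command to avoid leaving real persistence behind.`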