From 69bde540c76ed977966747047df0efb5276b3ebd Mon Sep 17 00:00:00 2001
From: Alexey Lednyov
Date: Sat, 17 Oct 2020 00:45:39 +0300
Subject: [PATCH 1/3] Added a rule to detect the use windows telemetry mechanism for persistence
---
 .../sysmon_win_reg_telemetry_persistence.yml | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml
diff --git a/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml
new file mode 100644
index 000000000..63c33251a
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml
@@ -0,0 +1,29 @@
+title: Registry persistence mechanism via windows telemetry
+id: 73a883d0-0348-4be4-a8d8-51031c2564f8
+description: Detects persistence method using windows telemetry
+status: experimental
+date: 2020/10/16
+references:
+ - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
+author: Lednyov Alexey, oscd.community
+tags:
+ - attack.persistence
+logsource:
+ category: registry_event
+ product: windows
+ definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLU hives'
+detection:
+ selection:
+ TargetObject|contains|all:
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\'
+ - '\Command'
+ Details|contains: '.exe'
+ EventType: 'SetValue'
+ filter:
+ Details|contains:
+ - '\system32\CompatTelRunner.exe'
+ - '\system32\DeviceCensus.exe'
+ condition: selection and not filter
+falsepositives:
+ - unknown
+level: critical
From 761bebfecef526dff8e1f9b6ea8254ec0bb79e9c Mon Sep 17 00:00:00 2001
From: Alexey Lednyov
Date: Sat, 17 Oct 2020 01:10:47 +0300
Subject: [PATCH 2/3] Fix title
---
 .../registry_event/sysmon_win_reg_telemetry_persistence.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
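Review bot: The `definition` line in the new rule refers to the `HKLU` hive, which is not a standard hive abbreviation; the TelemetryController key this rule watches lives under `HKLM\SOFTWARE\...`, so this is presumably a typo and should read `subkey of the HKLM hive`. It is also worth saying outright that a default Sysmon configuration does not log writes to this key, so without a RegistryEvent include rule for the TelemetryController path the detection silently matches nothing — presumably that is what the "Requirements" wording intends to convey. The `Details|contains: '.exe'` constraint in `selection` limits matches to Command values that name an .exe; since `filter` already excludes the two known-legitimate binaries, consider whether that narrowing is needed, and anchoring the filter entries with `startswith`/`endswith` instead of `contains` would make the exclusion less permissive. `level: critical` combined with `status: experimental` and `falsepositives: unknown` is a strong claim for an untested rule; `high` is the usual starting level until the rule has been exercised against real telemetry.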
diff --git a/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml
index 63c33251a..4a87d0fda 100644
--- a/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml
+++ b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml
@@ -1,4 +1,4 @@
-title: Registry persistence mechanism via windows telemetry
+title: Registry Persistence Mechanism via Windows Telemetry
 id: 73a883d0-0348-4be4-a8d8-51031c2564f8
 description: Detects persistence method using windows telemetry
 status: experimental
From 1a0e2b3c8e005aca8a4ce48ca867846c1624901a Mon Sep 17 00:00:00 2001
From: Alexey Lednyov
Date: Sat, 17 Oct 2020 08:46:57 +0300
Subject: [PATCH 3/3] Add a technique tag
---
 .../registry_event/sysmon_win_reg_telemetry_persistence.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml
index 4a87d0fda..67963ff93 100644
--- a/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml
+++ b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml
@@ -8,6 +8,7 @@ references:
 author: Lednyov Alexey, oscd.community
 tags:
 - attack.persistence
+ - attack.t1053.005
 logsource:
 category: registry_event
 product: windows